Moreover, all website login schemes ultimately rely on some kind of session cookie, which is similar to an API key in the sense that it is a high-entropy site-issued bearer token. In other words, all website authentication schemes, “2FA” or not, ultimately rely on the ability of a client to be enrolled in and use high-entropy site-issued bearer authentication tokens as the sole criterion of access.
Since HTTP requests are stateless, what are "sessions" as provided by languages like Python or PHP? My gut feeling is that its core consists of a "last-used" or some other timer, and when that timer expires, we just forget about that special token.
When using the "bloat" client for Pleroma -- since I'm always in "private browsing" mode -- it uses a different token for each login. I've seen that Pleroma keeps it somewhere (probably in Postgres) such that I was able to remove all old session tokens from pleroma-fe.
I used a similar approach on my toy ecommerce site, storing all session keys in a db and if some client shows that key, just assume it's already authenticated with the stored user credentials.
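The "last-used timer plus a stored token" idea above, written out as an added example (not code from this post, Pleroma, or any framework): a server-side session table keyed by a high-entropy bearer token, with a sliding idle timeout, an absolute lifetime, and the "kick every session of this user out" operation that clearing the old pleroma-fe tokens amounts to. The in-memory dict stands in for the Postgres table, the 30-minute/12-hour limits are assumed values, and `now` is passed in explicitly so the expiry logic can be exercised without sleeping.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_TIMEOUT = 30 * 60          # assumed: forget a session after 30 min without a request
ABSOLUTE_LIFETIME = 12 * 3600   # assumed: and unconditionally after 12 hours, however active


@dataclass
class Session:
    user_id: str
    created_at: float
    last_used: float


class SessionStore:
    """Server-side session table; the dict stands in for the framework's DB table."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT,
                 absolute_lifetime: float = ABSOLUTE_LIFETIME) -> None:
        self.idle_timeout = idle_timeout
        self.absolute_lifetime = absolute_lifetime
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash of the token: a leaked copy of the table then
        # does not hand out live cookies, and the token itself never sits at rest.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def create(self, user_id: str, now: Optional[float] = None) -> str:
        """Log a user in: mint the bearer token the client will present from now on."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG; this IS the credential
        self._sessions[self._key(token)] = Session(user_id, now, now)
        return token

    def resolve(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Map a presented cookie to a user, or None if unknown/expired (and drop it)."""
        now = time.time() if now is None else now
        key = self._key(token)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        idle_for = now - sess.last_used
        age = now - sess.created_at
        if idle_for > self.idle_timeout or age > self.absolute_lifetime:
            del self._sessions[key]      # the "timer expired, forget the token" step
            return None
        sess.last_used = now             # sliding window: each request restarts the idle timer
        return sess.user_id

    def revoke(self, token: str) -> None:
        """Logout of one client."""
        self._sessions.pop(self._key(token), None)

    def revoke_all_for_user(self, user_id: str) -> int:
        """Invalidate every session of a user (password change, 'log out everywhere')."""
        doomed = [k for k, s in self._sessions.items() if s.user_id == user_id]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)

    def count(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore()
    cookie = store.create("alice")
    print("issued:", cookie)
    print("resolves to:", store.resolve(cookie))
    print("sessions dropped on logout-everywhere:", store.revoke_all_for_user("alice"))
```

Two things the dict form makes visible that a framework hides: the cookie value is never looked up by equality against stored secrets (it is hashed first, so the table holds no usable tokens), and expiry is enforced on every lookup rather than by a background job, so a stale token is rejected the moment it is presented even if cleanup has not run yet.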
I'll have to dive into how these packages work, maybe the package for go's session would be an easier read. I'll update this blog if I find a confirmation (not now: lazy)