
Session security

Meridian sessions are designed to be stateless on the server: the token itself carries everything needed to authenticate a request, and a signature makes any tampering on the client side detectable. Every authenticated session follows a strict lifecycle with cryptographic integrity guarantees.

14-day cookie lifetime

The session cookie is issued with a fixed 14-day expiry, measured from the moment of authentication. There is no sliding expiration and no automatic refresh: a request made on day 13 does not extend the session to day 27. After 14 days the browser discards the cookie and the user must sign in again. The cookie's expiry attribute and the token's exp claim describe the same instant; the browser-side expiry is a convenience, and the server enforces the window from the signed exp claim regardless of what the client does with the cookie. This predictable window eliminates ambiguity about when a session ends.

Signed JWT

The session token is a compact JWT signed with Ed25519 (JOSE algorithm name EdDSA, RFC 8037). The payload carries the user identifier, the session identifier, an issued-at timestamp and the expiration timestamp, which sit exactly 14 days apart. No sensitive claims are stored in the token body: the payload is base64url-encoded, not encrypted, so anything placed there is readable by whoever holds the cookie.

{
  "sub": "user_01J...",
  "sid": "sess_01K...",
  "iat": 1717200000,
  "exp": 1718409600
}

The signature is verified on every request. If verification fails for any reason (expired, tampered, signed with a different key, or carrying an unexpected algorithm) the request is treated as unauthenticated and the cookie is ignored; a request with no cookie at all is simply unauthenticated. Expiry is enforced from the signed exp claim at verification time, not from the cookie's own expiry, so a client that holds on to a cookie past its expiry gains nothing. The verifier must pin the algorithm to EdDSA and the issuer's public key: the alg field in the token header is compared against that expectation, never used to choose a verifier, otherwise an attacker could substitute alg=none or a symmetric algorithm keyed with the public key.
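The mint-and-verify cycle described above, written out as an added example in Go (chosen because Ed25519 is in its standard library). This is illustration code, not Meridian's implementation; the cookie's contents, the claim names and the error handling follow the documentation, while the function names, the constructed user and session identifiers, and the decision to return a single opaque error are assumptions made here. The verifier checks the signature before it parses or trusts the payload, compares the header's alg against the one it issues rather than dispatching on it, and derives expiry from the signed exp claim alone.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims mirrors the payload shown in the documentation: identity, session id
// and the two timestamps, nothing sensitive.
type Claims struct {
	Sub string `json:"sub"`
	Sid string `json:"sid"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

// SessionLifetime is the fixed 14-day window; exp is always iat + this.
const SessionLifetime = 14 * 24 * time.Hour

// ErrInvalid is the only error callers see. Expired, tampered and malformed
// tokens are indistinguishable to the client, which avoids leaking why.
var ErrInvalid = errors.New("session: invalid token")

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// Mint issues a compact JWT (header.payload.signature) signed with Ed25519.
// RFC 8037 names this algorithm "EdDSA" in the JOSE header.
func Mint(priv ed25519.PrivateKey, sub, sid string, now time.Time) (string, error) {
	header, err := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	if err != nil {
		return "", err
	}
	payload, err := json.Marshal(Claims{
		Sub: sub, Sid: sid,
		Iat: now.Unix(), Exp: now.Add(SessionLifetime).Unix(),
	})
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	sig := ed25519.Sign(priv, []byte(signingInput))
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// Verify rejects anything that is not a well-formed, EdDSA-signed, unexpired
// token. The header's alg is only compared against the one we issue (never
// used to select a verifier), and the signature is checked before the
// payload is parsed or trusted.
func Verify(pub ed25519.PublicKey, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrInvalid
	}
	hdrBytes, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, ErrInvalid
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if json.Unmarshal(hdrBytes, &hdr) != nil || hdr.Alg != "EdDSA" {
		return nil, ErrInvalid
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, ErrInvalid
	}
	payloadBytes, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, ErrInvalid
	}
	var c Claims
	if json.Unmarshal(payloadBytes, &c) != nil {
		return nil, ErrInvalid
	}
	// Expiry comes from the signed exp claim, not from the cookie's own expiry.
	if c.Exp == 0 || now.Unix() >= c.Exp {
		return nil, ErrInvalid
	}
	return &c, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	issued := time.Unix(1717200000, 0) // the iat from the documentation's example
	// Constructed identifiers; the real format is not shown in full on the page.
	tok, _ := Mint(priv, "user_example", "sess_example", issued)
	if c, err := Verify(pub, tok, issued.Add(time.Hour)); err == nil {
		fmt.Println("valid until", time.Unix(c.Exp, 0).UTC())
	}
	_, err = Verify(pub, tok, issued.Add(15*24*time.Hour))
	fmt.Println("after 15 days:", err)
}
```

Minting at the documentation's iat of 1717200000 yields exp 1718409600, the same pair shown in the sample payload. Note that the session identifier is carried but never consulted: with no server-side state there is nothing to look it up against.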

SameSite=Lax

The session cookie is set with SameSite=Lax. The browser attaches it to top-level navigations (such as clicking a link to the dashboard, including a link hosted on another site) but not to cross-site subrequests, embedded iframes, or form POSTs from external sites. Lax therefore defends against cross-site request forgery only for non-GET requests: any endpoint that changes state must not be reachable through a GET, or a cross-site link could still trigger it with the cookie attached. The cookie also carries the HttpOnly flag, so the token is never readable by JavaScript running in the page. HttpOnly stops script from reading the cookie; it does not stop script from issuing requests that the browser decorates with it.

Sign out wipes session.dat

When the user clicks Sign Out, the server responds with a Set-Cookie header that overwrites the session cookie with an empty value and an expiry in the past. The browser removes the cookie immediately. On the client side, any local session artifact stored in session.dat is deleted from the application data directory. No residual material survives the sign-out flow on that client. Because the server keeps no session state, sign-out is a client-side operation: it removes the token from this browser but does not change the token's validity. A copy of the cookie captured before sign-out continues to verify until its exp claim passes; cutting a session short before then would require the server to consult a denylist keyed on sid, which a stateless server by definition does not keep.

Summary

  • Cookie expires after 14 days with no renewal.
  • Ed25519-signed JWT verified on every request.
  • SameSite=Lax limits cross-site request forgery; HttpOnly keeps the token out of script.
  • Sign out destroys both the cookie and session.dat.