The HTTP protocol is stateless. Any given request has no information about previous requests. For a server, this means that determining whether two requests originated from the same browser is not possible without further work. That's fine for general information, but targeted interactions require a user to be verified via some sort of unique identifier. A uniquely identified client can then be served targeted content—from lists of friends to advertisements.
This semipermanent communication between a client (often a browser) and a server persists for a period of time—at least until the client disconnects. That period of time is understood as a session. An application that manages sessions must be able to create a unique user session identifier, track the activity of an identified user during that session, and disconnect that user when requested or for some other reason, such as on reaching a session limit.
In this section, we'll implement a JSON Web Token (JWT) system for...