Session-based auth stores user state on the server. After login, the server creates a session ID and sends it to the client in a cookie. Each request sends the cookie back, and the server looks up the session by that ID. Pros: easy to revoke (delete the server-side entry). Cons: consumes server memory, not stateless.
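An added example, not part of the original note, implementing the flow in Python: an in-memory store keyed by an unguessable session ID, the cookie the server sets, per-request lookup with expiry, and the server-side revocation that is this model's main advantage. The store, TTL, and cookie name are assumptions for illustration.

```python
import secrets
import time
from typing import Dict, Optional

# Constructed in-memory store: this is the "server memory" the note refers to.
# The cookie carries only the opaque ID; user state never leaves the server.
SESSIONS: Dict[str, dict] = {}
SESSION_TTL = 3600  # seconds; assumed value for this example


def create_session(user_id: str, now: Optional[float] = None) -> str:
    """Login step: mint a random session ID and record the state server-side."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)  # 256 bits of entropy, cookie-safe characters
    SESSIONS[sid] = {"user_id": user_id, "expires": now + SESSION_TTL}
    return sid


def set_cookie_header(sid: str) -> str:
    """Set-Cookie value a server should send: not readable by JS, HTTPS only."""
    return f"session={sid}; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age={SESSION_TTL}"


def lookup_session(cookie_header: str, now: Optional[float] = None) -> Optional[str]:
    """Per-request step: parse the Cookie header and resolve the ID to a user, or None."""
    now = time.time() if now is None else now
    cookies = dict(p.strip().split("=", 1) for p in cookie_header.split(";") if "=" in p)
    sid = cookies.get("session")
    state = SESSIONS.get(sid) if sid else None
    if state is None:
        return None
    if now >= state["expires"]:
        SESSIONS.pop(sid, None)  # lazy cleanup of an expired entry
        return None
    return state["user_id"]


def revoke_session(sid: str) -> bool:
    """Logout or forced revocation: removing the entry invalidates the cookie immediately."""
    return SESSIONS.pop(sid, None) is not None


def revoke_user_sessions(user_id: str) -> int:
    """Invalidate every session of one user, e.g. after a password change."""
    doomed = [sid for sid, s in SESSIONS.items() if s["user_id"] == user_id]
    for sid in doomed:
        del SESSIONS[sid]
    return len(doomed)
```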