CIAM (Customer Identity & Access Management) is where IAM meets real product constraints: conversion rates, support costs, fraud, privacy regulation, and at-scale reliability.
This page is vendor-agnostic by design: the concepts apply whether you use a homegrown stack or a CIAM platform.
Sessions are the real credential
For most consumer apps, a stolen session is more useful to an attacker than a stolen password.
Decisions you must make
- cookie-based sessions vs token-based sessions
- session lifetime (idle timeout plus an absolute maximum)
- refresh token rotation (if using OAuth)
Controls
- HttpOnly, Secure, SameSite cookies
- Device binding / token binding where possible
- Revocation strategy (server-side session store or revocation list)
Checklist
- Define logout semantics (local vs global)
- Detect anomalous session reuse
- Rotate on risk events (password change, device change)
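A minimal server-side session store that puts the decisions, controls and checklist items above into one place: idle and absolute lifetimes, rotation on risk events with detection of anomalous reuse of the retired id, local vs global logout, and the cookie flags. This is an added illustration, not code from the original page or from any CIAM product; the lifetime values and the `__Host-sid` cookie name are constructed, and time is passed in as epoch seconds so the rules can be exercised without a real clock.

```python
import secrets

IDLE_TTL = 30 * 60        # idle timeout (constructed policy value)
ABSOLUTE_TTL = 12 * 3600  # absolute lifetime; rotation must not extend it

class SessionStore:
    """Server-side store: the cookie carries only an opaque id, so revocation is immediate."""
    def __init__(self):
        self.live = {}     # sid -> {"user", "family", "created", "seen"}
        self.retired = {}  # rotated-out sid -> family, kept as a tripwire for replay

    def create(self, user_id, now):  # now: epoch seconds from the caller, so tests control the clock
        sid = secrets.token_urlsafe(32)
        self.live[sid] = {"user": user_id, "family": secrets.token_urlsafe(16), "created": now, "seen": now}
        return sid

    def validate(self, sid, now):
        """Return the user id if the session is live and inside both lifetimes, else None."""
        if sid in self.retired:  # anomalous reuse: a rotated-out id came back; end the whole chain
            self._revoke("family", self.retired[sid])
            return None
        s = self.live.get(sid)
        if s is None or now - s["seen"] > IDLE_TTL or now - s["created"] > ABSOLUTE_TTL:
            self.live.pop(sid, None)
            return None
        s["seen"] = now
        return s["user"]

    def rotate(self, sid, now):
        """Issue a fresh id on a risk event (password or device change); the old id becomes a tripwire."""
        if self.validate(sid, now) is None:
            return None
        s = self.live.pop(sid)
        self.retired[sid] = s["family"]
        new_sid = secrets.token_urlsafe(32)
        self.live[new_sid] = dict(s, seen=now)  # same family and created: absolute lifetime is kept
        return new_sid

    def logout(self, sid, everywhere=False):
        """Local logout ends one session; global logout ends every session of that user."""
        s = self.live.pop(sid, None)
        if s and everywhere:
            self._revoke("user", s["user"])

    def _revoke(self, key, value):
        self.live = {k: v for k, v in self.live.items() if v[key] != value}

def set_cookie_header(sid, max_age=ABSOLUTE_TTL):
    # The __Host- prefix makes browsers require Secure, Path=/ and no Domain attribute.
    return f"Set-Cookie: __Host-sid={sid}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"
```

Replaying a retired id revokes every session in its family, which is the server-side equivalent of refresh-token rotation with reuse detection; a password change would call `rotate` on the current session and `logout(..., everywhere=True)` on the rest.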
