we also just store session id and username in a cookie, cookie is marked as secure and http-only stateful-sessions are just horrible