These questions cover the 7 sections of the State Management overview and are organized by topic clusters. No answers are provided — the goal is to test your understanding of state management concepts, security trade-offs, and architectural implications.
The questions mix conceptual understanding, scenario-based debugging, and common design mistakes.
Cluster 1: The Stateless Problem & State Locations (Sections 1–2)
A student says "HTTP remembers your login between pages." What is wrong with this statement? Explain how the web actually achieves login persistence despite HTTP being stateless.
Name the three categories of where state can live. Give an example mechanism for each category and explain when you would choose that mechanism over the others.
Explain the hybrid approach: why store only a session ID in the cookie instead of the full user data? What are the security and scalability implications of each approach?
Why is statelessness a feature, not a bug? Explain how HTTP's stateless design helps with load balancing, caching, and fault tolerance.
A user logs in on Server A, but their next request hits Server B (behind a load balancer). They're asked to log in again. What went wrong, and what are two ways to fix the problem?
Cluster 2: Mechanisms & When to Use (Sections 3–4)
Compare cookies, localStorage, and sessionStorage in terms of persistence, size limits, and when each is sent to the server. Under what circumstances would you choose each one?
A developer stores search filters in a cookie. Users complain they can't share filtered views with colleagues by sending a link. What mechanism should the developer use instead, and why?
Why is the 4KB cookie size limit significant for session data? What design pattern solves the problem of needing to associate large amounts of data with a user session?
URL parameters are "shareable state" — name three good uses for them and explain why passwords or auth tokens should never go in a URL.
A multi-step form wizard needs to preserve user input across 5 pages. Compare three approaches: hidden form fields, sessionStorage, and server sessions. What are the trade-offs of each in terms of security, user experience, and implementation complexity?
What happens to sessionStorage when a user duplicates a tab? What about when they close and reopen the tab? How does this differ from localStorage behavior?
Cluster 3: Security (Section 6)
An XSS attack can read localStorage but not HttpOnly cookies. Explain why this difference matters for storing authentication tokens. What storage strategy should a developer use for auth tokens in a single-page application?
What is session fixation? Describe the attack step by step, and explain how regenerating the session ID on login prevents it.
A developer stores a JWT in localStorage for their SPA. List at least three security risks of this approach. What is the safer storage alternative, and what additional protections does it provide?
Explain CSRF (Cross-Site Request Forgery): how can a malicious site abuse cookies to perform actions on behalf of a logged-in user? How does the SameSite cookie attribute mitigate this attack?
Compare SameSite=Strict vs Lax vs None. A banking app uses Strict, but users complain about being forced to log in again whenever they click links from email. What is the trade-off, and what setting would you recommend?
Compare server sessions and JWT: where is state stored in each model, how does revocation work, and what are the scaling implications? When would you choose one over the other?
JWTs are "signed but not encrypted." What does this mean in practice? Can someone read the payload of a JWT without knowing the secret key? What information should you never put in a JWT payload?
A team is building a stateless API consumed by mobile apps and SPAs. Should they use server sessions or JWT? Justify your answer considering authentication flow, token storage, and the ability to scale horizontally.
An e-commerce site stores the shopping cart in a session file on disk. They scale to 3 servers behind a load balancer. What breaks, and what are two solutions? Compare the trade-offs of sticky sessions, centralized session storage (Redis), and moving the cart to the client.