Atlassian Web App Flow: Authentication & Session Management
Question Description
Core content
You will be asked to describe the end-to-end user authentication flow in a web application, from a user filling a login form to receiving secure access. Walk through client-side form submission, the HTTP request/response cycle, server-side credential validation, and how the server issues and manages session identifiers or tokens. Explain how cookies, session stores, JWTs, and refresh tokens are used and when each is appropriate.
High-level flow / stages
- User action: form submission (validate client-side inputs and handle errors)
- Transport: POST over HTTPS, headers (Content-Type, CSRF token)
- Server: authenticate credentials, perform rate limiting, and create a session or sign a token
- Response: set secure cookie or return token; redirect or return success
- Subsequent requests: verify cookie/session or validate token and enforce authorization
- Logout / expiration / revocation: invalidate session, rotate tokens, or blacklist refresh tokens
Skill signals
You should demonstrate knowledge of session handling vs. token-based auth, secure cookie attributes (HttpOnly, Secure, SameSite), CSRF protection patterns, and common vulnerabilities (XSS, SQL injection, session hijacking) with concrete mitigations: input validation, parameterized queries, CSP, secure cookie flags, token rotation, and short-lived access tokens. Be ready to compare server-side sessions and stateless JWTs, discuss refresh-token flow and revocation strategies, and outline how you’d design password reset and third-party (OAuth) flows.
Using these points, you can map a clear, secure authentication flow and justify architecture choices during an Atlassian interview.
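The server-side pieces of the flow above (credential check, session issue with the cookie attributes listed under Skill signals, per-request verification, logout, and refresh-token rotation with revocation), as an added Python example that is not part of this page or of any Atlassian code; the in-memory dicts and all function names are hypothetical stand-ins for a real session/token store.

```python
import hashlib, hmac, secrets, time

SESSION_TTL = 15 * 60        # short-lived session (seconds); refresh extends it
_sessions = {}               # session id -> {"user", "expires"}   (stand-in for a real store)
_refresh = {}                # refresh token -> {"user", "family", "used"}
_revoked_families = set()    # token families killed after reuse or logout

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; a vetted argon2/bcrypt library is preferable in production."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def verify_password(password, salt, stored):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)   # constant-time comparison

def create_session(user, now=None):
    sid = secrets.token_urlsafe(32)                   # 256-bit random id, not derived from user data
    _sessions[sid] = {"user": user, "expires": (time.time() if now is None else now) + SESSION_TTL}
    return sid

def session_cookie(sid):
    """Set-Cookie value: HttpOnly blocks script access, Secure forces HTTPS, SameSite limits CSRF."""
    return f"sid={sid}; Path=/; Max-Age={SESSION_TTL}; HttpOnly; Secure; SameSite=Strict"

def resolve_session(sid, now=None):
    """Per-request lookup; an expired session is dropped server-side, not just ignored."""
    s = _sessions.get(sid)
    if s and (time.time() if now is None else now) < s["expires"]:
        return s["user"]
    _sessions.pop(sid, None)
    return None

def logout(sid):                      # server-side invalidation; clearing the cookie alone is not enough
    return _sessions.pop(sid, None) is not None

def issue_refresh_token(user, family=None):
    tok = secrets.token_urlsafe(32)
    _refresh[tok] = {"user": user, "family": family or secrets.token_hex(8), "used": False}
    return tok

def rotate_refresh_token(old):
    """One-time-use rotation: a replayed (already used) token revokes its whole family."""
    rec = _refresh.get(old)
    if rec is None or rec["family"] in _revoked_families:
        return None
    if rec["used"]:
        _revoked_families.add(rec["family"])          # reuse suggests theft: invalidate all
        return None
    rec["used"] = True
    return issue_refresh_token(rec["user"], rec["family"])
```

The reuse-detection branch in rotate_refresh_token is what turns rotation into a revocation strategy: a stolen refresh token that is replayed after the legitimate client has already rotated it kills the entire family rather than minting a fresh one.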
Common Follow-up Questions
- Compare session-based authentication vs. JWT token-based auth: trade-offs, scalability, and when to use each
- How would you implement a secure refresh-token flow with revocation and rotation?
- Describe defenses against CSRF and XSS specifically in the login and session lifecycle
- How would you design a password reset flow to minimize risk of account takeover?