A long, random string your server creates when someone logs in and stores in a cookie in their browser. The browser sends it back on every request, and the server looks it up to confirm the user is still logged in.