Chrome DBSC: shift from bearer cookies to device-bound session credentials

· 13 min read
Pranjal Kumar
Software Engineer, @Bentley Systems

Chrome Device Bound Session Credentials architecture

Most authentication systems are built around a comforting illusion: once a user successfully logs in, the system believes it knows who is on the other side of the connection.

In reality, most web applications do not continuously know who is using the session. They know only that each request carries a valid cookie.

That distinction is not academic. It is the reason session theft remains one of the most effective ways to bypass passwords, MFA, passkeys, risk checks, and even carefully designed identity-provider flows.

Probabilistic data structures: Why Bloom filters are one of the most elegant hacks

· 14 min read
Pranjal Kumar
Software Engineer, @Bentley Systems

Bloom filter bit array visualization showing how hash functions map elements to bit positions for probabilistic set membership testing | Pranjal Kumar

Here's a question that sounds impossible: can you check if an element is in a set of 1 billion items using only 1.2 GB of RAM, with lookups completing in constant time, and never producing a false negative? Oh, and the data structure is a single contiguous array of bits; no pointers, no allocations, no garbage collection pauses.

The answer is yes. It's called a Bloom filter, and once you understand it, you'll see it everywhere; from the database engine under your app to Chrome's malicious URL checker to the network switches routing your packets.

This post goes deep. Not "here's a pretty diagram" deep. "I need to tune the false positive rate for a production system handling 400K QPS" deep.

Internet working: What actually happens when you hit Enter on a URL

· 12 min read
Pranjal Kumar
Software Engineer, @Bentley Systems

Diagram showing the full network request lifecycle from keystroke to rendered pixels, covering DNS resolution, TCP handshake, TLS encryption, HTTP response, and browser rendering pipeline | Pranjal Kumar

Every time I read a "how the internet works" article, I cringe - they all stop at DNS → TCP → HTTP → HTML. That's like explaining a car engine by saying "fuel goes in, wheels spin." Super helpful when the engine is on fire.

This post is what I wish someone had handed me when I was staring at a waterfall chart at 3 AM, wondering why a page took 4 seconds to load on a 1 Gbps connection. We're going to trace every system boundary crossing - from the electrical signal your keyboard fires to the GPU draw call that lights up the final pixel.

AWS S3: how cheap discs became durable storage at scale

· 15 min read
Pranjal Kumar
Software Engineer, @Bentley Systems

AWS S3 internal working explained | Pranjal Kumar

When people first hear about Amazon S3, they usually think of it as “cloud file storage.”

That description is convenient, but architecturally misleading.

S3 is not a giant hard drive in the sky. It is not a shared folder. It is not a filesystem with infinite space. And it is almost certainly not just a pile of premium SSDs waiting to serve your objects.

A better mental model is this:

S3 is a massive distributed object storage system that converts unreliable commodity hardware into durable, highly available, high-throughput storage through software, redundancy, metadata systems, erasure coding, checksums, repair loops, and extreme parallelism.

Caching vs content delivery networks: What's the difference?

· 11 min read
Pranjal Kumar
Software Engineer, @Bentley Systems

Caching vs CDN — understanding where each belongs in your system architecture | Pranjal Kumar

There are only two hard things in Computer Science: cache invalidation and naming things. — Phil Karlton

Here’s a conversation I’ve had more times than I can count: someone on the team says "let’s add a CDN" when what they actually mean is "we need caching." Or worse, someone implements Redis caching for static assets that should just live on a CDN edge node. Both are about serving content faster, but they solve fundamentally different problems, at different layers, with different tradeoffs.

This post breaks down what each actually does under the hood, when to reach for one vs. the other, and how they work together in production systems.