diff --git a/api/auth.go b/api/auth.go
index 5aa3ae2..424f23d 100644
--- a/api/auth.go
+++ b/api/auth.go
@@ -71,24 +71,47 @@ func Logout(w http.ResponseWriter, r *http.Request) {
 }
-var sessionStore = make(map[string]string)
+type Session struct {
+ Token uuid.UUID
+ Username string
+}
 func CreateSession(username string) string {
- sessionToken := uuid.New().String()
- sessionStore[sessionToken] = username
- return sessionToken
+ session := Session{
+ Token: uuid.New(),
+ Username: username,
+ }
+ dbAddSession(&session)
+ return session.Token.String()
 }
 func ValidateSession(sessionToken string) (string, bool) {
- username, exists := sessionStore[sessionToken]
- return username, exists
+ tokenUUID, err := uuid.Parse(sessionToken)
+ if err != nil {
+ return "", false
+ }
+
+ session, err := dbGetSession(tokenUUID)
+ if err != nil {
+ return "", false
+ }
+ return session.Username, true
 }
 func DeleteSession(sessionToken string) (string, bool) {
- username, exists := sessionStore[sessionToken]
+ tokenUUID, err := uuid.Parse(sessionToken)
+ if err != nil {
+ return "", false
+ }
- delete(sessionStore, username)
- return username, exists
+ session, err := dbGetSession(tokenUUID)
+ if err != nil {
+ return "", false
+ } else {
+ dbDeleteSession(session.Token)
+ }
+
+ return session.Username, true
 }
 type contextKey string
diff --git a/api/db.go b/api/db.go
index a3c2ec3..cc3dfe1 100644
--- a/api/db.go
+++ b/api/db.go
@@ -6,6 +6,7 @@ import (
 "git.dubyatp.xyz/chat-api-server/db"
 "github.com/gocql/gocql"
+ "github.com/google/uuid"
 )
 func dbGetUser(id string) (*User, error) {
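Review bot: Both new database calls in the api/auth.go hunk drop their error: `dbAddSession(&session)` in CreateSession and `dbDeleteSession(session.Token)` in DeleteSession. If the delete fails, DeleteSession still returns `session.Username, true`, so logout is reported as successful while the row remains and the token keeps passing ValidateSession; if the insert fails, the caller is handed a token that was never stored. In DeleteSession, replace the `else` branch with `if err := dbDeleteSession(session.Token); err != nil { return "", false }`; CreateSession has no error return, so either return `""` on failure or change it to `(string, error)` and update the callers, which are outside this hunk. Neither path logs the underlying error, so a database outage currently looks the same as an invalid token.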
@@ -107,6 +108,42 @@ func dbGetAllMessages() ([]*Message, error) {
 return messages, nil
 }
+func dbAddSession(session *Session) error {
+ query := `INSERT INTO sessions (session_token, username) VALUES (?, ?)`
+ err := db.Session.Query(query, session.Token, session.Username).Exec()
+ if err != nil {
+ return fmt.Errorf("failed to add session: %v", err)
+ }
+ return nil
+}
+
+func dbGetSession(id uuid.UUID) (*Session, error) {
+ query := `SELECT session_token, username FROM sessions WHERE session_token = ?`
+ var session Session
+ err := db.Session.Query(query, id).Scan(
+ &session.Token,
+ &session.Username)
+ if err == gocql.ErrNotFound {
+ return nil, errors.New("Session not found")
+ } else if err != nil {
+ return nil, fmt.Errorf("failed to query session: %v", err)
+ }
+
+ return &session, nil
+}
+
+func dbDeleteSession(id uuid.UUID) error {
+ query := `DELETE FROM sessions WHERE session_token = ?`
+
+ err := db.Session.Query(query, id).Exec()
+
+ if err != nil {
+ return fmt.Errorf("failed to delete session: %v", err)
+ }
+
+ return nil
+}
+
 func dbAddUser(user *User) error {
 query := `INSERT INTO users (id, name, password) VALUES (?, ?, ?)`
 err := db.Session.Query(query, user.ID, user.Name, user.Password).Exec()
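Review bot: `dbAddSession` inserts the session row with no expiry, and the new Session struct carries no creation or expiry time, so a token stays valid until DeleteSession removes it; the in-memory map it replaces at least lost its entries on restart. Unless the `sessions` table sets a default TTL (the schema is not visible in this diff), consider `INSERT INTO sessions (session_token, username) VALUES (?, ?) USING TTL ?` with a configured lifetime. Separately, `dbGetSession` compares with `err == gocql.ErrNotFound` and returns a fresh `errors.New("Session not found")`, which callers cannot tell apart from a query failure. A package-level sentinel such as `var ErrSessionNotFound = errors.New("session not found")`, checked with `errors.Is`, plus `%w` instead of `%v` in the three `fmt.Errorf` wraps, would let the auth layer log real outages.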