Every hybrid Flutter app eventually hits the same wall: the user logs in through a WebView, closes it, and the native side has no idea who they are. Cookies vanish on iOS. Redirects fire twice on Android. SSO works in dev and breaks in TestFlight. Session refresh quietly logs people out at 3am. Auth in WebViews is one of the least-documented and most-shipped patterns in Flutter, and getting it wrong costs you retention. This talk walks through the full lifecycle — launching the WebView, intercepting redirects, sharing cookies with your native HTTP client, persisting sessions across app restarts, and handling expiry gracefully. You'll leave with a reference architecture, a checklist of the platform gotchas that will bite you, and working code for the two or three patterns that actually hold up in production.