What's the mechanism for preventing "spoofing" of (:uid session) ?
The session contents are stored in an encrypted cookie (the encryption secret is COOKIE_SECRET in config.env), so clients can't change the contents apart from clearing the entire cookie. So (:uid session) will only be whatever value your backend (specifically, https://github.com/jacobobryant/biff/blob/75fd9d733c95e42b06c8d1b0eed9bc5f326c6f1c/src/com/biffweb/impl/auth.clj#L171) has given it.
Perfect. Is that a standard practice?
Using encrypted cookies for sessions, you mean? Yes, it's common. Ring comes with an implementation for encrypted session cookies, which is what Biff uses (see https://github.com/ring-clojure/ring/wiki/Sessions#session-stores and https://ring-clojure.github.io/ring/ring.middleware.session.cookie.html). It has some pros/cons vs. e.g. storing sessions in Redis, which is probably what most commercial apps do (at least those that still use server-side sessions instead of JWT). Basically it's convenient to set up since the client handles persistence for you, with the downside being that it's less convenient to edit the session out-of-band, e.g. if you wanted to invalidate a session without the user triggering it. Also you don't want to put a bunch of stuff in the session since it'll be sent along with each request, and there are cookie size limits. But if you're just keeping a user ID in there it's fine.