Do server side hooks contain login session information?

I have a custom service whose API requires authentication. I’m currently using this service as a OAuth server to single-sign-on into my gitlab to get around the authentication. Now I would like to send a tarball of the latest code on each push. I’m now considering several options:

  1. server side hook
  2. webhook
  3. plugin
  4. CI/CD

It seems to me only option (2) contains the login session information, but I’m not sure if this is correct. So I’m starting with option (1), i.e. do server side hooks contain the login session? Is it the best way to achieve what I want?