Session and Cookies

What is a web session?

  • An abstract concept: a series of HTTP requests and responses between one specific browser and a server that the application treats as belonging together. HTTP itself has no notion of a session, so the application layer has to build one.
  • Session data is stored on the server; a client normally has one active session at a time.
  • Sessions are usually built on top of cookies.
  • The only data the client stores is a cookie holding a unique session ID.
  • On each request the client sends that session ID cookie, and the server uses it to look up and retrieve the client’s session data.

What is a cookie?

  • A cookie is a small piece of data that the server sets with a Set-Cookie response header and that the browser stores on the client and sends back, in the Cookie request header, on later requests to the same site.
  • Session cookie: the default type, created when Set-Cookie carries no Expires or Max-Age attribute. It is held only in the browser’s memory and is erased when the browser is closed, so it cannot be used to track long-term information. It is somewhat safer because no program other than the browser can normally read it.
  • Persistent cookie: one that carries an Expires or Max-Age attribute and is stored in a file on the user’s computer. It survives browser restarts and can track long-term information, but it is potentially less secure because users (or programs they run) can open the cookie file and see or change the cookie values.
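The difference between the two cookie types is entirely in the Set-Cookie attributes, so it helps to see both built and parsed. The following Python is an added example, not code from the original notes: build_set_cookie emits a header value the way a server would (Max-Age absent gives a session cookie, present gives a persistent one), and parse_set_cookie classifies a received header and computes its absolute expiry, giving Max-Age precedence over Expires as RFC 6265 requires. The cookie names and values are made up for the example; the attribute names are the real HTTP ones.

```python
"""Session vs. persistent cookies: building and classifying Set-Cookie values.

Added example; not part of the original notes.  Cookie names/values are
constructed for illustration.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime


def build_set_cookie(name, value, *, max_age=None, secure=True,
                     http_only=True, same_site="Lax", path="/"):
    """Return a Set-Cookie header value.

    With max_age=None the browser treats the cookie as a session cookie:
    it lives in memory and is discarded when the browser closes.  With a
    Max-Age it becomes persistent and is written to disk.
    """
    parts = [f"{name}={value}", f"Path={path}"]
    if max_age is not None:
        parts.append(f"Max-Age={int(max_age)}")
    if secure:
        parts.append("Secure")          # only sent over HTTPS
    if http_only:
        parts.append("HttpOnly")        # hidden from document.cookie (script)
    parts.append(f"SameSite={same_site}")
    return "; ".join(parts)


def parse_set_cookie(header, now=None):
    """Parse a Set-Cookie value and classify it as session or persistent.

    Returns a dict with name, value, attrs (lower-cased attribute names),
    kind ("session" or "persistent") and expires (aware datetime, or None
    for a session cookie).  Max-Age wins over Expires when both are present.
    """
    now = now or datetime.now(timezone.utc)
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for item in rest:
        key, _, val = item.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    expires = None
    if "max-age" in attrs:
        expires = now + timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
    kind = "persistent" if expires is not None else "session"
    return {"name": name, "value": value, "attrs": attrs,
            "kind": kind, "expires": expires}


if __name__ == "__main__":
    for hdr in (build_set_cookie("sid", "r4nd0m"),
                build_set_cookie("remember_me", "tok", max_age=30 * 24 * 3600),
                "legacy=1; Expires=Wed, 21 Oct 2015 07:28:00 GMT"):
        info = parse_set_cookie(hdr)
        print(f"{info['name']:12} {info['kind']:10} expires={info['expires']}")
```

The defaults (Secure, HttpOnly, SameSite=Lax) are the flags a practitioner would want on a session ID cookie in particular: the session ID is the whole credential, so keeping it off plaintext HTTP and out of reach of page script matters more than for most cookies.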

Client/Server communication

  • The client’s browser makes an initial request to the server.
  • The server creates some session data locally (it may also note the client’s IP address and browser), generates a unique session ID, and sends that ID back to the client as a cookie.
  • The client sends the same session ID back to the server on every later request.
  • The server uses the session ID to retrieve the data for that client’s session, like a ticket handed out at a coat-check room: the ticket itself carries nothing, it only identifies what is stored behind the counter.

Where is session data stored?

  • On the client, the session ID is stored as a cookie whose name depends on the platform: PHPSESSID (PHP), JSESSIONID (Java servlets) or ASPSESSIONID (classic ASP).
  • On the server, PHP’s default handler stores session data in temporary files such as /tmp/sess_fcc17f071…, one file per session, named after the session ID.
  • You can find out (or change) the folder where session data is saved with the session_save_path function.
  • For very large applications, session data can instead be stored in a SQL database (or another destination) by registering custom storage callbacks with the session_set_save_handler function.

What is session timeout?

  • Because HTTP is stateless, the server has no direct way of knowing when a user has finished a session.
  • Ideally the user explicitly logs out, but many users don’t; the client deletes session cookies when the browser closes, but the server-side data remains.
  • The server therefore cleans up old sessions automatically after a period of inactivity. Old session data consumes resources and is a security risk, because a leaked or guessed session ID stays valid until its data is removed. The timeout is adjustable in PHP, Java and ASP server settings (in PHP, session.gc_maxlifetime).
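The coat-check exchange above and the timeout rule are short enough to implement end to end. The following Python is an added example, not code from the original notes or from PHP, Java or ASP: an in-memory SessionStore issues session IDs from a cryptographically secure random source, a request handler reads the ID out of the Cookie header and retrieves (or creates) the session, and idle sessions are expired both lazily on lookup and by an explicit gc() sweep, which is the role PHP’s garbage collector plays. The cookie name SESSIONID, the 30-minute idle limit and the injectable clock are assumptions made for the example.

```python
"""Server-side session store with an ID cookie and an idle timeout.

Added example; not the page's or any framework's own code.  COOKIE_NAME,
IDLE_TIMEOUT and the injectable clock are assumptions for illustration.
"""
import secrets
import time

COOKIE_NAME = "SESSIONID"       # assumed name; PHP uses PHPSESSID, Java JSESSIONID
IDLE_TIMEOUT = 30 * 60          # seconds of inactivity before a session dies


class SessionStore:
    """Maps session IDs to server-side data, dropping idle sessions."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.time):
        self._sessions = {}     # sid -> {"data": {...}, "last_seen": timestamp}
        self.idle_timeout = idle_timeout
        self.clock = clock      # injectable so expiry can be tested deterministically

    def create(self):
        """Start a session; the ID is 256 random bits from a CSPRNG, so it
        cannot be guessed or enumerated the way a counter could."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"data": {}, "last_seen": self.clock()}
        return sid

    def lookup(self, sid):
        """Return the session's data dict, or None if unknown or idle too long.
        An expired session is deleted on the spot, so a stale cookie is
        treated exactly like one the server has never seen."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self.clock() - entry["last_seen"] > self.idle_timeout:
            del self._sessions[sid]
            return None
        entry["last_seen"] = self.clock()   # activity extends the session
        return entry["data"]

    def destroy(self, sid):
        """Explicit logout: forget the session regardless of age."""
        self._sessions.pop(sid, None)

    def gc(self):
        """Sweep every idle session (the periodic cleanup); returns the count removed."""
        now = self.clock()
        stale = [s for s, e in self._sessions.items()
                 if now - e["last_seen"] > self.idle_timeout]
        for s in stale:
            del self._sessions[s]
        return len(stale)

    def __len__(self):
        return len(self._sessions)


def parse_cookie_header(header):
    """Turn a Cookie request header ('a=1; b=2') into a dict."""
    cookies = {}
    for part in (header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def handle_request(store, cookie_header):
    """The coat-check flow for one request.

    Returns (session id, session data, Set-Cookie value or None).  A
    Set-Cookie is only emitted when a new session had to be created, i.e.
    when the client presented no ticket or a ticket the server no longer honours.
    """
    sid = parse_cookie_header(cookie_header).get(COOKIE_NAME)
    data = store.lookup(sid) if sid else None
    if data is None:
        sid = store.create()
        data = store.lookup(sid)
        set_cookie = f"{COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
        return sid, data, set_cookie
    return sid, data, None


if __name__ == "__main__":
    store = SessionStore()
    sid, data, set_cookie = handle_request(store, None)      # first visit
    print("Set-Cookie:", set_cookie)
    data["user"] = "alice"                                   # server-side state
    _, data2, again = handle_request(store, f"{COOKIE_NAME}={sid}")
    print("second request sees", data2, "new cookie:", again)
    store.destroy(sid)                                       # logout
    print("after logout:", store.lookup(sid))
```

Two details carry the security weight here: the ID comes from secrets, never from anything predictable, and expiry is enforced on the server by last_seen, not by trusting the cookie to disappear when the browser closes.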

How is HTTP stateless?

  • HTTP is a stateless protocol: once a request/response transaction ends, the server keeps no memory of it, and nothing in the protocol ties the next request to the previous one.
  • Even when the underlying TCP connection is reused for several requests (keep-alive), each request is still handled independently; the only link between requests is data the client sends again each time, such as the session ID cookie.