Session and Cookies
What is a web session?
- An abstract concept representing a series of HTTP requests and responses between a specific web browser and server. HTTP itself has no notion of a session.
- A session's data is stored on the server (only one session per client).
- Sessions are usually built on top of cookies.
- The only data the client stores is a cookie holding a unique session ID.
- On each page request, the client sends its session ID cookie, and the server uses this ID to find and retrieve the client's session data.
What is a cookie?
- A cookie is data stored on the client.
- Session cookie: the default type; a temporary cookie that is stored only in the browser's memory. When the browser is closed, temporary cookies are erased.
  - Cannot be used for tracking long-term information.
  - Safer, because no programs other than the browser can access them.
- Persistent cookie: one that is stored in a file on the browser's computer.
  - Can track long-term information.
  - Potentially less secure, because users (or programs they run) can open cookie files and see or change the cookie values.
Client/server communication
- The client's browser makes an initial request to the server.
- The server notes the client's IP address/browser, stores some local session data, and sends a session ID back to the client.
- The client sends that same session ID back to the server on future requests.
- The server uses the session ID to retrieve the data for the client's session later, like a ticket given at a coat-check room.
Where is session data stored?
- On the client, the session ID is stored as a cookie with a name such as PHPSESSID, JSESSIONID or ASPSESSIONID.
- On the server, session data is stored in temporary files such as /tmp/sess_fcc17f071…
- You can find out (or change) the folder where session data is saved using the session_save_path function.
- For very large applications, session data can instead be stored in a SQL database (or another destination) using the session_set_save_handler function.
What is a session timeout?
- Because HTTP is stateless, it is hard for the server to know when a user has finished a session.
- Ideally, the user explicitly logs out, but many users don't.
- The client deletes session cookies when the browser closes.
- The server automatically cleans up old sessions after a period of time:
  - old session data consumes resources and may present a security risk
  - the period is adjustable in PHP/Java/ASP server settings
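As an added example (not code from the original post, and not how PHP itself implements sessions), the following Python model ties together the three preceding sections: the session ID exchange, server-side storage keyed by that ID, and cleanup of idle sessions. The cookie name SESSID, the SessionStore, handle_request and FakeClock names, and the request headers fed to it are all constructed for the example; the in-memory dict stands in for the /tmp/sess_* files or database table a real server would use.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Constructed cookie name; plays the role of PHPSESSID/JSESSIONID/ASPSESSIONID.
SESSION_COOKIE = "SESSID"


class SessionStore:
    """Server-side session data keyed by an unguessable session ID.
    The client only ever holds the ID; the dict stands in for sess_* files."""

    def __init__(self, timeout=1800, clock=time.time):
        self._sessions = {}      # session_id -> {"data": {...}, "last_seen": float}
        self.timeout = timeout   # seconds of inactivity before a session is discarded
        self.clock = clock       # injectable so the timeout path can be tested

    def create(self):
        sid = secrets.token_urlsafe(32)  # 256 random bits: not guessable or enumerable
        self._sessions[sid] = {"data": {}, "last_seen": self.clock()}
        return sid

    def get(self, sid):
        """Return the session's data dict, or None if the ID is unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self.clock() - entry["last_seen"] > self.timeout:
            del self._sessions[sid]  # lazy cleanup on access
            return None
        entry["last_seen"] = self.clock()
        return entry["data"]

    def gc(self):
        """Periodic cleanup of idle sessions; returns how many were removed."""
        now = self.clock()
        expired = [s for s, e in self._sessions.items() if now - e["last_seen"] > self.timeout]
        for sid in expired:
            del self._sessions[sid]
        return len(expired)

    def count(self):
        return len(self._sessions)


def handle_request(store, request_headers):
    """Server side of one HTTP request. request_headers is a plain dict
    (constructed input). Returns (session_id, session_data, response_headers)."""
    jar = SimpleCookie()
    jar.load(request_headers.get("Cookie", ""))
    sid = jar[SESSION_COOKIE].value if SESSION_COOKIE in jar else None
    data = store.get(sid) if sid else None
    response_headers = {}
    if data is None:
        # Missing, unknown or expired ID: mint a fresh session rather than adopting
        # whatever value the client presented (this is what defeats session fixation).
        sid = store.create()
        data = store.get(sid)
        # No Expires/Max-Age attribute, so this is a session cookie that the
        # browser drops when it closes, as described in the cookie section.
        response_headers["Set-Cookie"] = (
            f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
        )
    data["requests"] = data.get("requests", 0) + 1
    return sid, data, response_headers


class FakeClock:
    """Controllable clock so idle time can be simulated without sleeping."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now


def simulate_exchange():
    """Three requests from one browser: first visit, return visit, visit after idling."""
    clock = FakeClock()
    store = SessionStore(timeout=60, clock=clock)
    sid1, _, resp1 = handle_request(store, {})                      # no cookie yet
    client_cookie = f"{SESSION_COOKIE}={sid1}"                      # browser keeps the ID
    sid2, data2, resp2 = handle_request(store, {"Cookie": client_cookie})
    clock.now += 120                                                # idle past the timeout
    sid3, _, resp3 = handle_request(store, {"Cookie": client_cookie})
    return {
        "first_visit_sets_cookie": "Set-Cookie" in resp1,
        "return_visit_reuses_session": sid1 == sid2 and "Set-Cookie" not in resp2,
        "requests_seen_in_session": data2["requests"],
        "idle_session_replaced": sid3 != sid1 and "Set-Cookie" in resp3,
        "live_sessions": store.count(),
    }


if __name__ == "__main__":
    for key, value in simulate_exchange().items():
        print(f"{key}: {value}")
```

The server never trusts a session ID it did not issue: an unknown or expired ID simply results in a new session and a new Set-Cookie, and the store's `gc` method is the periodic cleanup the text attributes to server settings. Session data itself never leaves the server; only the random ID travels in the cookie.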
How is HTTP stateless?
- HTTP is a stateless protocol, which means the connection between the browser and the server is dropped once the transaction ends.
- For each request, the client makes a new connection to the server.