Session

tags: web

Web Session

A web session is a sequence of HTTP request and response transactions associated with the same user. Modern, complex web applications need to retain information or state about each user across multiple requests. Sessions therefore provide the ability to establish variables - such as access rights and localization settings - which apply to each and every interaction a user has with the web application for the duration of the session.

Usages

  • to keep track of anonymous users after their first request, for information such as language preference
  • to identify an authenticated user on any subsequent requests, apply security access controls, authorize access to the user’s private data, and increase the usability of the application.

Session ID

The server typically initiates a session when a user logs in to a website, and each session is identified by a unique session ID.

Once an authenticated session has been established, the session ID (or token) is temporarily equivalent to the strongest authentication method used by the application, such as username and password, passphrases, one-time passwords (OTP), client-based digital certificates, smartcards, or biometrics (such as fingerprint or retina). Anyone who obtains the session ID can act as that user without ever presenting the credentials, which is why the ID must be unguessable and protected in transit and storage.

How Web Sessions Work

  1. User logs in (login request)
  2. Server creates a session with a session ID
  3. User navigates the application, sending requests to the server that carry the session ID
  4. The server checks whether the session exists using the session ID. If it does, it sends the response back to the browser (user).
    • ex: Web applications can store sessions in their database, caches, cookies, etc.
  5. User logs out (termination request)
  6. The server confirms the termination request and removes the session
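The six steps above, as an added example that is not part of the original note: a small in-memory session store (the store, the `Session` class and the cookie helper are hypothetical names chosen here) that creates an unguessable session ID at login, looks it up on each request, expires idle sessions, and removes the session at logout. The session ID comes from the operating system's CSPRNG, since the ID stands in for the user's credentials while the session lives.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed constants for this example; tune them for a real application.
SESSION_ID_BYTES = 32           # 256 bits of entropy from the OS CSPRNG
IDLE_TIMEOUT_SECONDS = 15 * 60  # drop a session not used for 15 minutes


@dataclass
class Session:
    """Server-side state that the session ID points at (hypothetical layout)."""
    user: str
    created_at: float
    last_seen: float
    data: dict = field(default_factory=dict)


class SessionStore:
    """Hypothetical in-memory store; a real app would use a database or cache."""

    def __init__(self, clock=time.time):
        self._sessions: dict[str, Session] = {}
        self._clock = clock  # injectable so expiry can be tested deterministically

    # Step 2: the server creates a session with a new, unguessable ID.
    def create(self, user: str, **data) -> str:
        session_id = secrets.token_urlsafe(SESSION_ID_BYTES)
        now = self._clock()
        self._sessions[session_id] = Session(user, now, now, dict(data))
        return session_id

    # Step 4: look the session up by ID; unknown or idle-expired IDs yield None.
    def lookup(self, session_id: str) -> Optional[Session]:
        session = self._sessions.get(session_id)
        if session is None:
            return None
        now = self._clock()
        if now - session.last_seen > IDLE_TIMEOUT_SECONDS:
            del self._sessions[session_id]  # expired: treat as if it never existed
            return None
        session.last_seen = now
        return session

    # Step 6: remove the session so the ID no longer identifies anyone.
    def destroy(self, session_id: str) -> bool:
        return self._sessions.pop(session_id, None) is not None


def set_cookie_header(session_id: str) -> str:
    """Cookie carrying the session ID: HttpOnly keeps it away from scripts,
    Secure restricts it to HTTPS, SameSite=Lax limits cross-site sending."""
    return f"Set-Cookie: sid={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice", lang="en")           # steps 1-2: login
    print(set_cookie_header(sid))
    print("request as alice ->", store.lookup(sid).user)  # steps 3-4
    store.destroy(sid)                               # steps 5-6: logout
    print("after logout ->", store.lookup(sid))     # None
```

The idle timeout is enforced inside `lookup`, so an expired ID is rejected on its next use rather than waiting for a background sweep; `destroy` returns `False` for an already-removed ID so a logout handler can tell a stale request from a real one.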

Advantages and Disadvantages

Advantages
  • Secure user authentication
  • Personalized user experience
  • Track user behaviour

Disadvantages
  • Session hijacking: an attacker takes over a user’s session
  • Increased load on the server to store sessions
  • Privacy concerns for sensitive data stored in sessions
