A Session can be compared to a conversation between user and a website. In more detail, it’s worth pointing out few properties of such conversations:

  • A website can remember what you have said before and can personalise its answers accordingly
  • There are only two parties in the conversation – therefore, it is private

Sessions can be used for many purposes

Sessions are used in any instance where website’s features need to identify the user and provide him/her with personalised content. But to be more concrete, let me provide you with some examples:

  • E-shop basket – Probably the most common example used to explain a session mechanism. The website will remember items in your basket across your visit – in fact, the contents of your basket is stored in the session; which resides on the server-side of the website.
  • User’s account module – The website stores (in the session) the information used to sign-in successfully and based on that, code functions can be used to validate your permissions and provide you with access to your account’s private content.
  • Pre-populated forms – Imagine a letting agency website where you can send enquiries to property owners; instead of filling in whole form with your contact details again and again, a website can remember your first submission and pre-populate all future forms to make your life easier.

There may be many other reasons why sessions are used, but the examples above demonstrate the general principles.

How does it work?

There are a couple of things to question and understand:

  • Where are the sessions details stored? – What’s on your computer? What’s on website server site?
  • How does website identify you and associate your requests with your session data?

The generic answer for the first question is quite simple. All session data (like the contents of your shopping basket) is stored on the server side. On the other hand there is always one small piece of data stored on your computer – SessionID.

The SessionID is also the key to answer the second bullet pointed question. Using SessionID passed in the request website identifies you and links your request with a specified session on the server. Session data on the server-side can be stored in many ways (including database table, files etc). Also, the SessionID on the user side can be kept and passed to the server using different methods (the most common scenario is the SessionID being stored in cookie file). Nevertheless, the data storage methods used are fairly straight-forward:

how sessions work

Is it possible to steal someone’s session?

That’s a tricky topic – but the answer is yes, a session can be stolen. Moreover, it can be stolen in many ways and session security itself is very wide subject; extending beyond the frames of this post. But fear not, this question will not be left unanswered and I will try to cover it in my next post.

Any questions? You’re more than welcome to use the comments box below 🙂