Created December 3, 2015 14:03
What is a web Session?
--------------------
- An abstract concept representing a series of HTTP requests and responses
  between a specific web browser and a server. HTTP itself has no notion of a
  session; the server has to build one on top of it.
- The session's data is stored on the server and is looked up by a session ID.
  Each browser normally holds one session ID at a time, but a user with several
  browsers or devices has several sessions.
- Sessions are usually built on top of cookies.
- The only data the client stores is a cookie holding a unique, unpredictable
  session ID. That ID is the client's only proof that the session is theirs, so
  it must be long enough and random enough that nobody can guess it.
- On each page request the client sends its session ID cookie, and the server
  uses the ID to find and retrieve that client's session data.
What is a Cookie?
----------------
- A cookie is a small piece of data that the server asks the browser to store
  (via the Set-Cookie response header) and that the browser sends back on later
  requests to the same site (via the Cookie request header).
- **Session cookie:** the default type when no expiry is given; a temporary
  cookie held only in the browser's memory. It is erased when the browser is
  closed, so it cannot be used to track long-term information. It is somewhat
  safer, because it is never written to disk where programs other than the
  browser could read it.
- **Persistent cookie:** one given an Expires or Max-Age attribute, which the
  browser stores in a file on the user's computer. It can track long-term
  information but is potentially less secure, because users (or programs they
  run) can open the cookie store and see or change the cookie values.
- In either case the cookie lives on the client, so the server must treat its
  value as untrusted input. Marking the cookie HttpOnly keeps page scripts from
  reading it, Secure keeps it off plain HTTP, and SameSite limits when
  cross-site requests carry it.
Client/Server communication
----------------------------
- The client's browser makes an initial request to the server.
- The server creates a session record, stores some data locally under a newly
  generated random session ID, and sends that ID back to the client in a
  Set-Cookie header. (It may also note the client's IP address or browser
  string, but the session is identified by the ID, not by the address.)
- The client sends that same session ID back to the server on future requests.
- The server uses the session ID to retrieve the data for the client's session,
  like a ticket handed out at a coat-check room: whoever presents the ticket
  gets the coat. That is why the ID must be kept secret and why it should be
  regenerated after login; otherwise an attacker who planted a known ID in the
  victim's browser beforehand (session fixation) shares the victim's
  authenticated session.
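The exchange above, together with the session/persistent cookie distinction from the previous section, as an added example that is not part of the original gist: a minimal server-side session table issues a random ID in a Set-Cookie header, parses the Cookie header on later requests, and rotates the ID after login. The cookie name SESSID and the helper names are assumptions for the demo, not any framework's API.

```python
import secrets
import time
from http.cookies import SimpleCookie, CookieError

SESSION_COOKIE = "SESSID"   # assumed cookie name (PHP would use PHPSESSID)


class SessionServer:
    """Minimal server-side session store keyed by a random session ID."""

    def __init__(self):
        self._sessions = {}     # session ID -> dict of session data

    def new_session(self):
        """Issue a new ID: 128 bits from the OS CSPRNG, so it is unguessable."""
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {"created": time.time()}
        return sid

    def set_cookie_header(self, sid, persistent_days=None):
        """Build the Set-Cookie value that carries the ID to the browser.

        No Max-Age/Expires -> session cookie (kept only in browser memory).
        With Max-Age       -> persistent cookie (written to disk by browser).
        Secure assumes the site is served over HTTPS.
        """
        attrs = [f"{SESSION_COOKIE}={sid}", "Path=/", "HttpOnly", "Secure",
                 "SameSite=Lax"]
        if persistent_days is not None:
            attrs.append(f"Max-Age={persistent_days * 86400}")
        return "; ".join(attrs)

    def lookup(self, cookie_header):
        """Parse the Cookie request header and return the matching session.

        Returns None for a missing, malformed or unknown ID: a forged ID gets
        nothing, like a coat-check ticket nobody handed out.
        """
        if not cookie_header:
            return None
        jar = SimpleCookie()
        try:
            jar.load(cookie_header)
        except CookieError:
            return None
        morsel = jar.get(SESSION_COOKIE)
        if morsel is None:
            return None
        return self._sessions.get(morsel.value)

    def regenerate(self, old_sid):
        """Move the data to a fresh ID; do this on login to block fixation."""
        data = self._sessions.pop(old_sid)
        new_sid = secrets.token_urlsafe(16)
        self._sessions[new_sid] = data
        return new_sid


def demo_exchange():
    """Walk through the request/response exchange with constructed headers."""
    server = SessionServer()
    # Request 1: the browser has no cookie yet, so the server creates a session.
    first_visit = server.lookup(None) is None
    sid = server.new_session()
    server._sessions[sid]["cart"] = ["book"]
    set_cookie = server.set_cookie_header(sid)        # sent as Set-Cookie:
    # Request 2: the browser echoes the ID back in its Cookie header.
    data = server.lookup(f"{SESSION_COOKIE}={sid}; theme=dark")
    # A guessed ID retrieves nothing.
    forged = server.lookup(f"{SESSION_COOKIE}={secrets.token_urlsafe(16)}")
    # After login the ID is rotated; the pre-login ID is dead.
    new_sid = server.regenerate(sid)
    return {
        "first_visit": first_visit,
        "set_cookie": set_cookie,
        "cart": data["cart"],
        "forged_is_none": forged is None,
        "old_id_dead": server.lookup(f"{SESSION_COOKIE}={sid}") is None,
        "new_id_works": server.lookup(f"{SESSION_COOKIE}={new_sid}")["cart"] == ["book"],
    }


if __name__ == "__main__":
    print(demo_exchange())
```

The lookup deliberately treats an unparseable Cookie header the same as an unknown ID: nothing is revealed about whether the ID exists, and no exception path can be abused with crafted header values.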
Where is session data stored?
----------------------------
- On the client, only the session ID is stored, as a cookie named after the
  platform: PHPSESSID (PHP), JSESSIONID (Java servlets) or ASPSESSIONID (ASP).
- On the server (with PHP's default files handler), session data is stored in
  temporary files such as /tmp/sess_fcc17f071..., one file per session, named
  after the session ID. On a shared host other users of the machine may be able
  to read that directory, so a private save path is advisable.
- You can find out (or change) the folder where session data is saved with the
  session_save_path function or the session.save_path ini setting.
- For very large applications, session data can be stored in a SQL database (or
  another destination) instead, by registering custom open/read/write/destroy/gc
  callbacks with the session_set_save_handler function.
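An added example, not part of the original gist, of the two storage options above: a file-backed store that mirrors the sess_&lt;id&gt; layout of the default handler, and a SQL-backed store behind the same read/write/destroy interface, the way a custom save handler swaps the backend without changing the application. Both validate the session ID before using it, because it arrives in an attacker-controlled cookie and an unchecked ID such as ../../etc/passwd would otherwise become a file path. The store class names, the ID regex and the sample session ID are assumptions for the demo; the SQLite database is in-memory.

```python
import json
import os
import re
import sqlite3
import tempfile

# IDs as produced by secrets.token_urlsafe or PHP's session_id() use only
# URL-safe characters.  Reject anything else before it touches a path or query.
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9_-]{16,128}$")


def check_sid(sid):
    """Return the ID unchanged if it is well formed, else raise ValueError."""
    if not SESSION_ID_RE.fullmatch(sid):
        raise ValueError("malformed session ID")
    return sid


class FileSessionStore:
    """Mirrors the default files handler: one sess_<id> file per session inside
    a save path (here a freshly created private temp dir, 0700)."""

    def __init__(self, save_path=None):
        self.save_path = save_path or tempfile.mkdtemp(prefix="sess-")
        os.chmod(self.save_path, 0o700)

    def _path(self, sid):
        return os.path.join(self.save_path, "sess_" + check_sid(sid))

    def write(self, sid, data):
        # 0600 so other users on a shared host cannot read session contents.
        fd = os.open(self._path(sid), os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            json.dump(data, f)

    def read(self, sid):
        try:
            with open(self._path(sid)) as f:
                return json.load(f)
        except FileNotFoundError:
            return None

    def destroy(self, sid):
        try:
            os.remove(self._path(sid))
        except FileNotFoundError:
            pass


class SqliteSessionStore:
    """The custom-save-handler option: same interface, rows in a database."""

    def __init__(self, dsn=":memory:"):
        self.db = sqlite3.connect(dsn)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS sessions (id TEXT PRIMARY KEY, data TEXT NOT NULL)"
        )

    def write(self, sid, data):
        # Parameterised query: the ID never becomes part of the SQL text.
        self.db.execute(
            "INSERT OR REPLACE INTO sessions (id, data) VALUES (?, ?)",
            (check_sid(sid), json.dumps(data)),
        )
        self.db.commit()

    def read(self, sid):
        row = self.db.execute(
            "SELECT data FROM sessions WHERE id = ?", (check_sid(sid),)
        ).fetchone()
        return json.loads(row[0]) if row else None

    def destroy(self, sid):
        self.db.execute("DELETE FROM sessions WHERE id = ?", (check_sid(sid),))
        self.db.commit()


def round_trip(store, sid="fcc17f071a3b9c2d4e5f60718293a4b5"):
    """Write, read back, destroy; identical code runs against either backend.
    Returns (data read back, data read after destroy)."""
    store.write(sid, {"user": "alice", "cart": ["book"]})
    got = store.read(sid)
    store.destroy(sid)
    return got, store.read(sid)


if __name__ == "__main__":
    print(round_trip(FileSessionStore()))
    print(round_trip(SqliteSessionStore()))
```

Because the application only ever calls read/write/destroy, switching from files to a database is a one-line change at construction time; that is the whole point of a pluggable save handler.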
What is session time out?
------------------
- Because HTTP is stateless, it is hard for the server to know when a user has
  finished a session.
- Ideally the user explicitly logs out, but many users don't; the client merely
  deletes session cookies when the browser closes, and the server never hears
  about it.
- The server therefore automatically cleans up old sessions after a period of
  inactivity. Old session data consumes resources and presents a security risk:
  a stolen session ID stays valid until the server expires it.
- The timeout is adjustable in the PHP/Java/ASP server settings (in PHP,
  session.gc_maxlifetime, with session.gc_probability and session.gc_divisor
  controlling how often garbage collection actually runs).
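An added example, not part of the original gist, of the timeout logic described above: a session table that expires entries after an idle period and, separately, after an absolute lifetime, with a garbage-collection sweep for sessions whose owner never came back. The 30-minute idle and 8-hour absolute limits, the class names and the injectable clock are assumptions for the demo; the constructed timeline uses a fake clock so the expiry can be exercised without waiting.

```python
import time

IDLE_TIMEOUT = 30 * 60        # assumed: expire after 30 min without a request
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed: expire anyway 8 h after creation


class ExpiringSessions:
    """Session table that forgets sessions the user never logged out of.
    `clock` returns the current time and is injectable for testing."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._sessions = {}   # sid -> {"created", "last_seen", "data"}

    def create(self, sid, data=None):
        now = self.clock()
        self._sessions[sid] = {"created": now, "last_seen": now, "data": data or {}}

    def _expired(self, rec, now):
        return (now - rec["last_seen"] > IDLE_TIMEOUT
                or now - rec["created"] > ABSOLUTE_TIMEOUT)

    def touch(self, sid):
        """Look up a session on each request; expired ones count as unknown.

        The idle timeout ends a session the victim abandoned (browser closed,
        no logout).  The absolute timeout bounds a session a thief keeps alive
        by using it, since every request restarts the idle clock.
        """
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self.clock()
        if self._expired(rec, now):
            del self._sessions[sid]
            return None
        rec["last_seen"] = now      # idle clock restarts; absolute does not
        return rec["data"]

    def gc(self):
        """What the server's periodic garbage collection does: sweep out every
        expired session, including ones nobody asked for again.  Returns the
        number removed."""
        now = self.clock()
        dead = [sid for sid, rec in self._sessions.items() if self._expired(rec, now)]
        for sid in dead:
            del self._sessions[sid]
        return len(dead)

    def __len__(self):
        return len(self._sessions)


class FakeClock:
    """Controllable time source for the constructed timeline below."""

    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo_timeouts():
    clock = FakeClock()
    table = ExpiringSessions(clock)
    for sid, user in (("a", "alice"), ("b", "bob"), ("c", "carol")):
        table.create(sid, {"user": user})
    clock.advance(20 * 60)
    alice_ok = table.touch("a") is not None      # 20 min idle: still valid
    clock.advance(20 * 60)
    bob_gone = table.touch("b") is None          # 40 min idle: dropped on use
    gc_removed = table.gc()                      # carol, never seen again
    # Alice keeps clicking every 10 minutes; the absolute limit still ends it.
    for _ in range(60):
        clock.advance(10 * 60)
        table.touch("a")
    return {
        "alice_ok": alice_ok,
        "bob_gone": bob_gone,
        "gc_removed": gc_removed,
        "alice_after_absolute": table.touch("a"),
        "remaining": len(table),
    }


if __name__ == "__main__":
    print(demo_timeouts())
```

Checking expiry on every lookup, not only in the periodic sweep, matters: the sweep in PHP runs only with probability gc_probability/gc_divisor per request, so without the per-request check an expired session would keep working until the next sweep happened to run.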
How is HTTP stateless?
------------------------
- HTTP is a stateless protocol: each request is handled on its own, and the
  server keeps no memory of earlier requests from the same browser once it has
  sent the response.
- The underlying TCP connection may be reused for several requests (HTTP/1.1
  keep-alive), but that reuse carries no application state; a session exists
  only because the client re-sends its session ID with every request.