views:

188

answers:

5

Since HTTP is a stateless protocol, when a client makes a number of requests to the server, how does the server uniquely identify a particular client's requests over a period of time say t1, t2, t3..

I browsed the web and came across terms like session id, URL rewriting and cookies. But it would be great if someone explains it in a better way. Specifically which part of the HTTP request and response would be used for session tracking?

+1  A: 

Session tracking is a server side thing.

A web server issues some session identifier that is returned to the browser. Browser submits this session identifier along with each request.

This is probably done using cookies transparently for the user.

Developer Art
+1  A: 

the session handling is in most case handled by sending a cookie to the client. that cookie would be sent back to the server on every request from that particular client.

The session id will be associated with some resources on server side (file,ram space) so the server by reading the session id in the cookie can find this resource and then know which client it was.

RageZ
+3  A: 

As you mentioned, common ways to implement HTTP session tracking include URL rewriting and cookies. Session tracking basically requires that a session ID is maintained across multiple requests to the server. This means that each time a given client makes a request to the server, it passes the same session ID. The server can use this ID to lookup the session information it maintains.

When using cookies, the server asks the client to store a cookie by setting the Set-Cookie HTTP response header. This cookie contains the unique session ID assigned to that client - in this example the string 'ABAD1D':

    Set-Cookie: JSESSIONID=ABAD1D;path=/

The cookie is then sent back to the server by the client using the Cookie HTTP request header on each request and thus the server is informed on each request the session ID currently assigned to the client.

    Cookie: JSESSIONID=ABAD1D

When using URL rewriting, this same session ID is instead sent somewhere in the URL. Again, the server extracts the session ID from the URL so that it can lookup the session for a particular client:

    http://my.app.com/index.jsp;JSESSIONID=ABAD1D

However, the server must also make sure that any URLs in the web pages sent back to the client are also rewritten to contain that particular clients session ID. As the session ID is encoded in the URLs, this method of session tracking is transparent to the browser. Often a server will resort to URL rewriting if it finds it is unable to set a session cookie on the client - implying that the client does not support/allow cookies.

Note that sessions can expire. This means that if the server does not 'see' a given session ID for a period of time, it may remove the session data to preserve resources.

teabot
Thanks for the info.. :)
rc
Did you just copy my answer? I can see this site is getting to be a waste of time.
RickNZ
@RickNZ don't lose faith in SO - I did not copy your answer. If you check through my revisions you'll see that I started by explaining HTTP sessions. I then spent some time checking example formats of JSESSIONID in both cookies and URLs, and confirming the HTTP header names. I then added these to my post when I was confident that they were correct.It is not unsurprising that questions such as this will yield similar answers but if you still feel aggrieved I will happily vote to delete my answer.
teabot
@teabot: no worries; it's all good.
RickNZ
+3  A: 

Specifically which part of the HTTP request and response would be used for session tracking?

In the HTTP response, the server can set a cookie. It does so with the Set-Cookie header. For example:

Set-Cookie: session=12345; path=/

The client then returns the value of all cookies that match the properties that were set along with the cookie, which can include path (as above) and domain, and that haven't expired yet.

The cookie is sent back to the server as part of the HTTP headers. For example:

Cookie: session=12345

None of the original property information is sent back with the cookie.

A unique cookie allows the server to associate a unique key with a particular browser instance. The server can then use that key as an index into a hash table or a database table that holds unique per-user state information.

RickNZ
that was really helpful. thanx..
rc
A: 

Taking ASP.NET as an example, ref Fig. 1 in

http://www.codeproject.com/KB/aspnet/SessionTimeoutOnDNN.aspx

Ricky