I just finished taking a final exam on web applications. Capping off what had been a rather easy (albeit lengthy - 12 pages) exam was a question asking us to code an implementation of sessions, similar to that done by javax.http.HttpSession.

I hate to admit, it stumped me. I cranked out a rather BS implementation using a HashMap and did some craziness with a random cookie string mapping to a serialized HashMap on the server, but I'm pretty sure it's bogus...and now I'm dying to know how it's actually done.

Particularly as someone who has used PHP extensively but for whatever reason never bothered to learn the magic behind the convenience, I'm very interested to learn more about the underlying implementations of sessions. J2EE and PHP for sure, but any other languages/frameworks are great, too. Thanks!

+6  A: 

From my understanding - you're close.

From my understanding a cookie with what is essentially an MD5 "ID" is saved on the client side and delivered via cookie or modified GET.

On the server side the "session" data with matched sessionID is saved in a temp file (on Linux it is defaulted to /tmp). The session directory I believe can be set in the PHP.ini file.

ChronoFish
+1, very concise summary. In PHP you can also implement your own session control handlers very easily, in case you want to use a database or other source for your session data. Essentially, a session is just a unique set of data with a few methods to interact with it (save, update, delete), and the data is tied to a user via a small identifiable token, i.e. a cookie or GET parameter.
zombat
It's probably worth calling out that the names of the cookies are JSESSIONID and PHPSESSIONID respectively. They also don't need to necessarily be cookies. They can be part of the URL like ;jsessionid=<id> or ;phpsessionid=<id>.
Taylor Leese
A good way to understand the HTTP side of sessions is something like HTTP headers: https://addons.mozilla.org/en-US/firefox/addon/3829
Taylor Leese
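
An added example, not part of the answer or comments above and not the code of the Java or PHP session implementations: a minimal in-memory version of the scheme this thread describes (opaque ID on the client, data looked up on the server), written in Python. It draws the ID from the OS CSPRNG instead of using an MD5 value; the `SessionStore` class, the `SESSIONID` cookie name and the 30-minute timeout are assumptions made for illustration.

```python
import secrets
import time

class SessionStore:
    """In-memory server-side session store keyed by an opaque random ID."""

    def __init__(self, ttl_seconds=1800, clock=time.time):
        self._sessions = {}          # session ID -> (expires_at, data dict)
        self._ttl = ttl_seconds
        self._clock = clock          # injectable so expiry can be tested

    def create(self):
        # 32 bytes from the OS CSPRNG: the ID is a lookup key, not a hash of anything.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (self._clock() + self._ttl, {})
        return sid

    def get(self, sid):
        """Return the data dict for a live session, or None."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None              # unknown IDs are never adopted (blocks fixation)
        expires_at, data = entry
        if self._clock() >= expires_at:
            del self._sessions[sid]  # expired: drop server-side state
            return None
        self._sessions[sid] = (self._clock() + self._ttl, data)  # sliding expiry
        return data

    def regenerate(self, sid):
        """Move the data to a fresh ID, e.g. right after login."""
        data = self.get(sid)
        if data is None:
            return None
        del self._sessions[sid]
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = (self._clock() + self._ttl, data)
        return new_sid

    def destroy(self, sid):
        self._sessions.pop(sid, None)

def set_cookie_header(sid, name="SESSIONID"):
    # The cookie carries only the ID; the data stays on the server.
    # "SESSIONID" is a constructed name for this example.
    return f"Set-Cookie: {name}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
```

Sending the ID in a cookie with `HttpOnly` and `Secure` keeps it out of page scripts and plaintext connections; the URL form mentioned in the comments exposes the same ID in logs, history and Referer headers.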