How does IIS recognize different sessions in .NET

Question

Suppose I have logged into an application which is running from IIS. Now I haven't logged out, but closed the browser. And when I'm accessing the application again, it defaults to the login page. How does IIS recognize that it is a new request and redirects the user to the login page?

I have another doubt. Suppose if I'm not closing the browser, which I used when I logged in. I'm opening the new browser to request a page from same application. IIS recognizes that it's a new request to the application and redirects the user to login page. Why does it not use the existing session or cookies which the first browser uses?

Please dont get irritated of my continous questions...iam having huge confusion. We say http is a stateless protocol. Once the page is requested i have logged in.And http protocol connection will be terminated between IIS and browser right? Then iam navigating to other pages in that logged in application. Now iis recognises user has logged in this browser. But when i open a new browser and request that application how does iis recognises it is a new request. Since the http protocol is disconnected, how it works in the first case

Answer 1

There are cookies that are passed always no matter are you logged or not. They are mapped to session in IIS.

Answer 2

Check out these links. might be helpful -

http://www.lattimore.id.au/2006/06/03/iis-dropping-sessions/

http://www.codeproject.com/KB/aspnet/SessionManagementAspNet.aspx

Answer 3

As you've correctly said, HTTP itself is stateless, and each request is technically separate from every other. Sessions, as used by web sites, are a workaround for that. What happens, normally, is that the server stores whatever info it cares to maintain (like the logged-in user's username or ID, for example), and assigns that information an ID. It then tells the browser that ID, in such a way that the browser can hand the ID back when it's time to make another request. If the browser works as expected, then that information can be retrieved, updated, etc with each request, providing some degree of state even over a stateless protocol.

Sessions are usually implemented using cookies. That is, the server hands the browser a cookie with the session ID, and the browser hands back that same cookie with each request until the cookie expires or is otherwise forgotten. Some cookies (so-called "session cookies") aren't saved, and are forgotten when the browser is closed. A freshly opened browser doesn't have a session cookie to pass, so if the server uses session cookies to do sessions (which it should), it will consider the user not yet logged in and bounce them to the login page if they need to be logged in.

Session cookies will usually be shared between tabs in the same browser, and will sometimes even be shared by windows opened by "File > New Window" from an already running browser, because both of those cases will just be a part of that browser. But if you start the browser from the Start menu, or however your OS lets you start a program, it's a whole other process -- and session cookies are rarely shared between processes.

The server usually also keeps track of sessions on its end for a limited time (which may be a few minutes or years, depending on the server and/or site settings) after the last request that used the session. If the browser passes a cookie that corresponds to a session the server no longer remembers, it'll act as if there's no session at all. Which, in cases where you have to log in, will again bounce to the login page.