What is web session and how it works?

Thanh Tri
4 min read · Jul 5, 2022

Web session is a popular term that appears frequently in the web development world. This article briefly covers everything you need to know about web sessions.

Photo by Kevin Bhagat on Unsplash

What is a web session?

A web session is a data structure that a web application uses to store temporary data on the server side while a user is interacting with the application. A session is dedicated to a single connection of a user and usually contains data about that user, e.g. username, password.

A session stores data as a key/value pair, where the key is the session_id and the value is the stored data. Imagine a web application with multiple clients: how does the server know which session belongs to whom? That is where the session_id comes into play.

Note: one connection corresponds to one session, so even if the same user connects to the web application from two different browsers, the server will create two sessions with two different session_ids.

Why do we need web sessions?

Firstly, we need to know that the client and the server in a web application communicate with each other via the HTTP protocol. HTTP is stateless, which means each HTTP request is isolated and independent of other requests. The server just receives and handles a request without knowing what happened before it.

Imagine that users have logged in to a website, and then every time they perform an action the website asks them to log in again, because due to the statelessness of HTTP it does not know who they are. The website does not know that they have already logged in. To handle this problem, we need to attach user credentials (username, password) somewhere inside the HTTP request while users are using our application; this is why we need a session.

For example, if you go to a hospital, you provide the hospital with your personal information and your medical record. The hospital then gives you a temporary patient number, and anywhere in the hospital you just state this number and the doctors and nurses know who you are and what your problem is without asking for your information again. When you leave the hospital, the patient number expires too.

The analogy above is exactly how a session works, with the patient number playing the role of the session_id.

How does a session work?

I will explain how a session works in the steps and diagram below:

1. The user sends a login request to the server.

2. The server authenticates the login request, creates a new session with the session_id as its key, and stores the username and password as the session value. The server saves this session to the database and returns a cookie containing the session_id to the user. This cookie is stored in the browser.

3. Now the user sends a new request, and the cookie above is automatically attached to the headers of this request.

4. The server gets the session_id from the cookie of this new request and looks up this id in the database. If the id is found, the server knows that this user is already authenticated, so it returns the response.
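The four steps above, together with the expiry and invalidation described in the Session Expired section, as an added example that is not part of the original article: a minimal in-memory session store in Python. The user database, the 30-minute lifetime and the cookie attributes are assumptions, and the example keeps only the username in the session rather than the password.

```python
import secrets
import time
from http.cookies import SimpleCookie

# In-memory session store: session_id -> {"user": ..., "expires": ...}.
# A real deployment keeps this in a database or cache shared by all servers.
SESSION_STORE = {}
SESSION_TTL = 30 * 60  # assumed session lifetime in seconds (30 minutes)

# Constructed user database for the example only.
USERS = {"alice": "correct horse battery staple"}


def login(username, password, now=None):
    """Step 2: authenticate, create a session keyed by a random session_id,
    and return the Set-Cookie header value the server sends back (or None)."""
    now = time.time() if now is None else now
    if USERS.get(username) != password:
        return None
    session_id = secrets.token_urlsafe(32)  # unguessable: 256 bits of randomness
    # Store only what later requests need (who the user is), not the password.
    SESSION_STORE[session_id] = {"user": username, "expires": now + SESSION_TTL}
    cookie = SimpleCookie()
    cookie["session_id"] = session_id
    cookie["session_id"]["httponly"] = True   # not readable by JavaScript
    cookie["session_id"]["secure"] = True     # only sent over HTTPS
    cookie["session_id"]["samesite"] = "Lax"
    return cookie.output(header="").strip()


def current_user(cookie_header, now=None):
    """Steps 3 and 4: read session_id from the Cookie header of a new request,
    look it up in the store and return the logged-in username, or None."""
    now = time.time() if now is None else now
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get("session_id")
    if morsel is None:
        return None
    session = SESSION_STORE.get(morsel.value)
    if session is None:
        return None
    if session["expires"] <= now:   # expired: drop it and treat the user as logged out
        del SESSION_STORE[morsel.value]
        return None
    return session["user"]


def logout(session_id):
    """Invalidate a session (user logs out, or the security team revokes it)."""
    return SESSION_STORE.pop(session_id, None) is not None
```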

Session workflow

Usage of sessions

Because a session stores temporary data about a user, it is very useful in many cases for improving the user experience. Here are some scenarios where a session can be helpful:

  1. As mentioned above, a session can store user credentials, so users do not need to log in again every time they send a request. The credentials are stored on the server side, so they are more secure. Furthermore, if the security team suspects an account is under attack, they can invalidate the session_id to protect the account.
  2. On some websites, such as product sites, the website can display the products that you searched for or visited recently while browsing. This is because the website stores the product IDs in your session.
  3. On an e-commerce website, a session can store the list of products that the user has added to the shopping cart.

Session expiry

A session is specific to one connection of a user, so if the user logs out of the web application, the session ends.

However, if the user never logs out and just closes the browser, the user would remain logged in forever. That is why we need the session to expire, which means the session ends automatically after a configurable duration. This also prevents someone who hijacks your cookie from using it later against you.

Summary

So a session is a kind of storage that keeps temporary data about a user on the server side. Thanks to that, the web application can deliver a responsive, personalized experience to many users at the same time.

Sessions are often confused with cookies, and sometimes with token-based authentication. Understanding these terms deeply will help a lot in the world of web application development. Good luck!
