The Joel on Software Discussion Group (CLOSED)

A place to discuss Joel on Software. Now closed.

Session ID - How do browsers communicate this to servers?

How do browsers communicate session IDs to servers?

I noticed when I logged into an application, my cookie editor displayed that I have a session ID from the web site.

Are session IDs stored in the same manner as cookies? i.e. as text files on my PC?

The web site I logged into did not transmit the session ID via the URL.
Wednesday, February 01, 2006
Session IDs are commonly passed via cookies.
Almost H. Anonymous
Wednesday, February 01, 2006
Three ways, that I know of:
* Cookie
* Hidden in the HTML

I used a web framework that by default used the URL one, but it sucked big time. I prefer cookies and hidden in the HTML, though the advantage of the URL is that it allows one to open the same session from more windows and browsers in an easy way. Cookies are the default way (maybe more than 90% of the sites mainly use them).
Lost in a code jungle
Wednesday, February 01, 2006
Session IDs are typically stored in session cookies.

There are two kinds of cookies. Persistent cookies are the kind you are talking about: they're stored as files on the hard drive.

Session cookies are stored only in memory for the browser session. They never get written to the disk. This is why Outlook Web Access, as an example, when you log off says "be sure to close your browser to complete logoff".

From the HTTP protocol standpoint, session IDs are just another cookie.
Chris Tavares
Wednesday, February 01, 2006
"the advantage of the URL is that it allows one to open the same session from more windows and browsers in an easy way."

The disadvantage is that users will tend to bookmark URLs that include session IDs and pass them to each other. A session framework that embeds session IDs in URLs must deal with those scenarios gracefully.
Wednesday, February 01, 2006
Session IDs should get timed out so, when a user stops accessing the web app for any amount of time (from 10 min. on a banking system to one hour), the server kills the session.

Next time around, the session doesn't exist in the server so the user has to log in again.
GUI Junkie
Thursday, February 02, 2006
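
An added example, not part of any post in this thread: a server-side session store that issues the ID in a session cookie (no `Expires` or `Max-Age`, so the browser keeps it in memory as described above) and kills sessions that sit idle past a timeout. The class name `SessionStore`, the cookie name `sid`, the `HttpOnly`/`Secure` attributes and the explicit `now` argument are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 600  # seconds; the 10-minute banking figure mentioned above


class SessionStore:
    """In-memory server-side sessions with an idle timeout (illustrative)."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self._last_seen = {}  # session ID -> time of the last request

    def create(self, now):
        """Start a session; return (session_id, Set-Cookie header value)."""
        sid = secrets.token_urlsafe(32)  # unguessable random identifier
        self._last_seen[sid] = now
        cookie = SimpleCookie()
        cookie["sid"] = sid
        # No Expires/Max-Age is set, so the browser treats this as a
        # session cookie and does not write it to disk.
        cookie["sid"]["path"] = "/"
        cookie["sid"]["httponly"] = True  # not readable from page script
        cookie["sid"]["secure"] = True    # only sent over HTTPS
        return sid, cookie["sid"].OutputString()

    def lookup(self, cookie_header, now):
        """Return the live session ID named by a Cookie header, or None."""
        jar = SimpleCookie()
        jar.load(cookie_header or "")
        morsel = jar.get("sid")
        if morsel is None:
            return None  # request carried no session cookie
        sid = morsel.value
        last = self._last_seen.get(sid)
        if last is None:
            return None  # unknown ID, or a session already killed
        if now - last > self.idle_timeout:
            del self._last_seen[sid]  # idle too long: server kills it
            return None
        self._last_seen[sid] = now  # activity resets the idle timer
        return sid
```

The timeout is enforced on the server, so a client that keeps or replays the cookie after the idle period still has to log in again.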
GUI Junkie, that makes sense in some contexts (probably every case where the user has to log in to start a session) but not others. In other contexts, it's frustrating.

Apple's job listings site embeds session IDs in URLs. The sessions time out after a relatively short period of time (no more than an hour). Any attempt to access a URL containing an expired session ID results in a redirection to the index page. The result is that I can't bookmark a job listing, and I can't use my browser's visited link color to tell which ones I've already seen.
Thursday, February 02, 2006

This topic is archived. No further replies will be accepted.
