Thursday 13 June 2013

sessions

How Session Works in Web Applications and Why We Need It

In the context of web applications, a session is a bucket that holds some information on the server side. But the fundamental questions are:
1. What is the nature of this bucket (session)?
2. Why do we need a session?
3. How does a session work?
4. Where is the session information stored?
5. What type of information does it hold?

Let's look at each part one by one:
1. What is the nature of this bucket (i.e. session)?
As a programmer, you already know data structures such as integer, string, stack, map, queue, etc. A session is just a data structure. It's a Map-type data structure that holds key/value pairs. The keys are strings and the values are objects. We store data in the form of objects and associate a string key with each one. The key is used to retrieve the object from the session.
2. Why do we need a session?
When a user accesses a web page from a server using a web browser, the server sends the page and closes the connection. But sometimes in a web application we also want to identify the user in order to send him personalized content (his email, notes, calendar, etc.). One option is for the user to send his identification information with each request, so that the server component (Servlet, JSP, PHP, ASP.net code) can identify the user and send him personalized content. Another way is for the user to send his identification information only once; on subsequent requests, the server identifies the user making the request automatically. The first approach seems very simple, but it's not practical, because users would not like to send their identification information with each request. It would also look bad from a usability point of view (as you know, you log in to a website only once, and it then remembers you for some time, until you sign out). So web applications usually use the second approach: the user sends the identification information (username and password, for example) only once. When another request is sent by the same user, the server recognizes that the request is from the same user. Sessions are used to store some information when the user sends the first request; on subsequent requests, the server identifies the user using that information.
3. How does a session work?
If you have used Gmail, you know that once you log in, it shows you your emails, not the inbox of someone else. This means that after login, when you send a request (e.g. fetch a new email to read), the server identifies you. And, as you know, millions of users are visiting at the same time, but the server never makes a mistake. So what does it do to identify a particular user? When the user submits the login form, the server authenticates the user and stores the user's identification information in a session. As it creates a new session, a new session ID is generated, which can be used to identify the created session. So if there are 1000 sessions active, there must be 1000 session IDs.
What the server does is send the session ID to the browser in a cookie. When a new request comes in, the server checks its cookie; if the session ID is found, it associates that session object with the request. You can think of the server's sessions as an object of type Map. The Map has keys and values: the key is the session ID and the value is another Map. So when the user sends a subsequent request to the server, before calling our page, the server does something like this (it's just pseudocode):
 if (cookie contains SessionID)
     String userSessionID = cookie.getCookieValue("SessionID")
     Map userSession = (Map) allServerSessions.getValue(userSessionID)
     request.setSession(userSession)
 end
So when the request object is passed to our page (PHP or Servlet), it contains the session. If we have stored a User object with the key "user", then we can retrieve the "user" object like this:

User user = (User) request.getSession().getValue("user")

When we are done processing the request and are creating the response object to send to the web browser, the server, before dispatching the response, again attaches the SessionID to the response in the form of a cookie, so that it can identify the user in subsequent requests.
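The mechanism described above, as a self-contained added example (not code from the original post or from any servlet container). The class name `SessionDemo`, the helper names, the cookie attributes and the sample values are assumptions made for illustration; it also shows the detail a practitioner cares about most, that the session ID must be unguessable and that an ID the server never issued maps to no session.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class SessionDemo {
    // Outer map: session ID -> that user's session (itself a map of key -> object).
    static final Map<String, Map<String, Object>> allServerSessions = new ConcurrentHashMap<>();
    static final SecureRandom random = new SecureRandom();

    // The ID is the only thing the browser holds, so it must be unguessable.
    static String createSession() {
        byte[] raw = new byte[16];
        random.nextBytes(raw);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        allServerSessions.put(id, new ConcurrentHashMap<>());
        return id;
    }

    // Pull the SessionID value out of a raw Cookie request header, or null.
    static String sessionIdFrom(String cookieHeader) {
        if (cookieHeader == null) return null;
        for (String pair : cookieHeader.split(";")) {
            String[] kv = pair.trim().split("=", 2);
            if (kv.length == 2 && kv[0].equals("SessionID")) return kv[1];
        }
        return null;
    }

    // What the server does before calling the page: cookie -> session object.
    static Map<String, Object> lookup(String cookieHeader) {
        String id = sessionIdFrom(cookieHeader);
        return id == null ? null : allServerSessions.get(id);
    }

    // Header sent back with the response so the browser returns the ID next time.
    static String setCookieHeader(String id) {
        return "Set-Cookie: SessionID=" + id + "; Path=/; HttpOnly; Secure; SameSite=Lax";
    }

    public static void main(String[] args) {
        String id = createSession();                       // after a successful login
        allServerSessions.get(id).put("user", "alice");    // constructed sample value
        System.out.println(setCookieHeader(id));
        // Next request: the browser sends the cookie back (constructed header).
        System.out.println(lookup("theme=dark; SessionID=" + id).get("user"));
        // An ID the server never issued maps to no session.
        System.out.println(lookup("SessionID=not-a-real-id"));
    }
}
```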
4. Where is the session information stored?
You have read the details above, so you already know: the session information is stored on the server, not in the browser. Only the session ID is sent to the browser, which sends it back to the server so that its session object can be identified.
5. What type of information does the session hold?
As explained, a session is a Map of key/value pairs, where the keys are strings and the values are objects. So you can store any information in the session (e.g. strings, integers, or custom objects) by associating a key with it. For example, to store a Book object, I can choose the key "book" and store it in the session like this:
Book myBook = new Book();
request.getSession().add("book", myBook);
// I can store an email address like this
request.getSession().add("email", "test@example.com");

This would store an object with key "book" into session scope.
