HTTP Session Management

HTTP is a stateless protocol, which means the server does not store state for each client. This keeps HTTP scalable. However, there are cases where storing client state is desirable. For example, in an online shop we add a few items to the shopping cart and then click "check out" to go to the payment page. Without stored client state, all the added items would disappear when you browse to the payment page.

Three solutions are commonly used to solve this problem: cookies, request parameters and session management.

Cookies

A cookie is a header field in the HTTP request sent to the HTTP server. Below is an example of an HTTP request header that carries a cookie:

GET / HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PREF=ID=8e70839135a05b7d:TM=1322186390:LM=1322186390:S=x7G8VLPvu7T36ky3

Upon receiving the request, the HTTP server reads the Cookie header to obtain the state information it needs. Cookies can be modified on both the client and the server. On the client they are usually stored as text files; some browsers (e.g. Chrome) store them in an SQLite database instead.

Because cookies are simple text stored on the client side, a user can view them, modify them and send the modified values to the server. This poses a security concern. In addition, if a lot of information is stored in cookies, sending it with every request increases bandwidth use and affects server performance.
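The tampering concern above has a standard mitigation that the text does not spell out: the server attaches a keyed MAC to any cookie value it later needs to trust, so a modified value is rejected. The following is an added example (not code from the original page) that parses a Cookie header, including the PREF cookie from the request shown above, and then signs and verifies a hypothetical "cart" cookie. The secret key, the cookie name "cart" and the item values are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed secret for this example; a real server loads it from protected
# configuration and rotates it rather than hard-coding it.
SERVER_SECRET = b"example-secret-for-illustration-only"

# The Cookie header from the request shown on the page.
SAMPLE_COOKIE_HEADER = (
    "PREF=ID=8e70839135a05b7d:TM=1322186390:LM=1322186390:S=x7G8VLPvu7T36ky3"
)


def parse_cookie_header(header: str) -> dict:
    """Split a Cookie request header into {name: value}.

    Pairs are separated by ';'. Only the FIRST '=' separates the name from
    the value, so values that themselves contain '=' (like PREF) survive.
    """
    cookies = {}
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, sep, value = pair.partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def sign(value: str) -> str:
    """Append an HMAC-SHA256 tag so the server can detect client-side edits."""
    mac = hmac.new(SERVER_SECRET, value.encode("utf-8"), hashlib.sha256).digest()
    tag = base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")
    return f"{value}.{tag}"


def verify(signed: str):
    """Return the original value if its tag is valid, otherwise None."""
    value, sep, _tag = signed.rpartition(".")
    if not sep:
        return None
    # The tag alphabet never contains '.', so rpartition isolates it exactly.
    # Recompute over the received value and compare in constant time.
    if hmac.compare_digest(sign(value).encode("utf-8"), signed.encode("utf-8")):
        return value
    return None


def authenticated_cart(header: str):
    """Read the hypothetical 'cart' cookie and return it only if untampered."""
    cookies = parse_cookie_header(header)
    if "cart" not in cookies:
        return None
    return verify(cookies["cart"])


if __name__ == "__main__":
    header = "cart=" + sign("item42:1,item7:2")
    print(authenticated_cart(header))
    # A client that edits the value (here a changed quantity) keeps the old
    # tag, so the server rejects the cookie.
    forged = header.replace("item7:2", "item7:200")
    print(authenticated_cart(forged))
```

The MAC only protects integrity: the client can still read the value, so nothing confidential belongs in the cookie, and every request still carries the full value, which is the bandwidth cost the text mentions.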

Request Parameters

Two methods are generally used to carry state in request parameters: adding hidden form fields or rewriting the URL. With hidden fields the URL shown in the browser does not change, but users can still see the hidden fields by viewing the page source. If a web application is built this way, the same hidden fields have to be repeated across multiple pages, which makes them difficult to maintain.

URL rewriting appends the additional information to the URL, and the HTTP server retrieves the state information from the URL. If there is a lot of information, this approach consumes a lot of bandwidth and affects server performance.

HTTP Session Management

With HTTP session management, the server stores the state information for each client. Each session is associated with a unique session ID. The server can store the information in whatever way it wants: in memory, in files, or even in a database.

The first time a client accesses the server, the server allocates a session ID for the client and creates a new session. Every subsequent request from the client carries the session ID. The server uses the session ID to locate all state information related to that session.

Note that the state information itself is stored on the server side; the client only needs to remember the session ID. It uses the two methods described above (cookies or request parameters) to store and send the session ID.
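The procedure just described (allocate an ID on first contact, look the ID up on every later request, keep the state on the server) as an added example in Python; this is not code from the original page. The in-memory SessionStore class, the handle_request function, the cookie name SESSIONID and the 30-minute lifetime are assumptions made for the example. It goes slightly beyond the text in two defensive details: the ID comes from a cryptographic random source so it cannot be guessed, and an unknown or expired ID simply yields a fresh empty session rather than anyone else's state.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL_SECONDS = 30 * 60  # assumed lifetime; tune to the application


class SessionStore:
    """Server-side store mapping an unguessable session ID to per-client state."""

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.monotonic):
        self._sessions = {}  # session_id -> {"expires": float, "data": dict}
        self._ttl = ttl
        self._clock = clock  # injectable so tests can advance time

    def create(self) -> str:
        # 32 random bytes (256 bits) so the ID cannot be brute-forced or guessed.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"expires": self._clock() + self._ttl, "data": {}}
        return sid

    def get(self, sid):
        """Return the state dict for sid, or None if unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._clock() > entry["expires"]:
            del self._sessions[sid]
            return None
        return entry["data"]

    def destroy(self, sid):
        """Drop a session, e.g. on logout."""
        self._sessions.pop(sid, None)


def session_id_from_headers(headers: dict):
    """Extract SESSIONID from the request's Cookie header, if present."""
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    return jar["SESSIONID"].value if "SESSIONID" in jar else None


def handle_request(store: SessionStore, headers: dict):
    """Resolve the request's session.

    Returns (session_id, state, set_cookie_header). set_cookie_header is None
    when the client presented a valid ID, otherwise it carries the new ID with
    attributes that keep it off script access and plain-HTTP connections.
    """
    sid = session_id_from_headers(headers)
    state = store.get(sid) if sid else None
    if state is not None:
        return sid, state, None
    sid = store.create()
    set_cookie = f"SESSIONID={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"
    return sid, store.get(sid), set_cookie


if __name__ == "__main__":
    store = SessionStore()
    # First visit: no cookie, so a session is allocated and sent back.
    sid, state, set_cookie = handle_request(store, {})
    state["cart"] = ["item42"]
    print(set_cookie)
    # Later request from the same client: the ID locates the stored cart.
    _, state, _ = handle_request(store, {"Cookie": f"SESSIONID={sid}"})
    print(state)
```

Only the ID travels over the network; the cart itself never leaves the server, which is the contrast with the cookie and request-parameter approaches above. The Secure, HttpOnly and SameSite attributes on the Set-Cookie header are real attributes and are the usual minimum for a session cookie.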