What's a session anyway?

published in August 2003

A web server is not expected to remember who you are. After a browser retrieves a web page it closes the connection to the web server. (This is not strictly true with HTTP 1.1, but it has little significance for us.) What all this means is that if you logged into a website and tried to access your personal information, the web server by itself wouldn't know that you are already logged in and wouldn't give you access to this information. The fact that this doesn't usually happen is thanks mainly to sessions.

In contrast, with other protocols such as IMAP or POP3, when you open a connection it's kept open until you log out or get timed out due to inactivity. All your mail retrieval and folder management would be done over this open IMAP connection, and the server remembers who you are.

So in short, web applications make use of sessions to remember who you are, instead of making use of an open socket connection as many other protocols do.

Many people have come to believe that sessions and cookies are one and the same. That is not correct: cookies are merely the most common implementation of sessions. With cookies the persistent data is stored on the client computer. The browser is expected to send the cookie to the server with each request.

There are session management systems where the data is stored on the web server instead of on the client. This is usually considered more secure than cookies, since the session data itself is not passed back and forth between the user and the server and is therefore less likely to be intercepted.
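As an added example (not code from the original article), here is a minimal Python model of the two approaches just described: a cookie that carries the session data itself on the client, beside a server-side store where the cookie holds only an opaque identifier and the data never leaves the server. The store, its idle timeout and the injectable clock are assumptions for the demonstration, not any particular product's design.

```python
import secrets
import time


# Model 1: client-side persistence. The cookie itself carries the data, so it
# travels with every request and the server has to trust whatever it says.
def client_side_cookie(user):
    """Build a cookie that stores the session data on the client."""
    return f"user={user}"


def client_side_lookup(cookie):
    """Server reads the user straight out of the cookie it was sent."""
    fields = dict(part.split("=", 1) for part in cookie.split(";") if "=" in part)
    return fields.get("user")


# Model 2: server-side storage. The cookie holds only a random identifier;
# the data stays in a table on the server (an in-memory dict here).
class ServerSessionStore:
    def __init__(self, idle_timeout=1800, clock=time.monotonic):
        self.sessions = {}
        self.idle_timeout = idle_timeout  # seconds of inactivity before expiry
        self.clock = clock                # injectable for testing

    def create(self, user):
        """Start a session and return the opaque id to place in the cookie."""
        sid = secrets.token_urlsafe(32)   # unguessable; reveals nothing about the user
        self.sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid

    def lookup(self, sid):
        """Resolve a cookie id to a user, expiring idle sessions like an idle IMAP login."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        now = self.clock()
        if now - entry["last_seen"] > self.idle_timeout:
            del self.sessions[sid]
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, sid):
        """Forget the session so the id in the cookie stops working."""
        self.sessions.pop(sid, None)
```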

The first version of megaupload used cookies for persistence, but many developers who downloaded the software wanted them removed; as a result, later versions use only server-side storage.

You might find the RFC on cookies interesting reading.