What is a website session? A simple explanation.

The aim of this article is to provide a simple explanation of how website sessions work.

In plain, non-technical terms, a session is a “connection” between you and the website that you are visiting.

When you visit a website for the first time, the server will issue you with a unique session identifier. This identifier is a lengthy string of characters that is stored inside a text file on your computer.

This text file is what we call a “cookie”.

On the server-side, session data relating to your visit will be stored and “filed” under the same identifier.

This identifier “ties” you to the session data on the server. If you delete the cookie, the identifier will cease to exist and the website in question will treat you like a new visitor.

Session Metaphor / Simple Explanation

You walk into a building and the receptionist realizes that you do not have a visitor’s badge. The receptionist writes the code “ES23” on a sticker and hands it to you.

She then takes out a plastic folder and writes “ES23” on the front of it. She writes your name, your car registration number and the time that you entered the building on a piece of paper.

After that, the receptionist inserts the piece of paper into the “ES23” folder and files it in a cabinet beside her desk.

After this short exchange, you go on about your business, meeting with various people and entering several different rooms.

At one point, while you are walking towards the restroom, a security guard stops you in the corridor and politely informs you that he will need to run a check on your visitor’s badge. “It’s company policy”, he says. He calls the receptionist and asks her if a record for “ES23” exists. In response to this request, the receptionist checks her filing cabinet and finds the folder with “ES23” written on it. She takes it out, reads the piece of paper inside it and informs the security guard that your name is “David Smith” and that you entered the building at 10:00AM. All is well and the security guard thanks you for your patience.

Later on, during lunch time, you leave the building for an hour in order to get some food at a local diner. You arrive back an hour later and the receptionist confirms the validity of your badge number by checking the filing cabinet. “Thank you Mr Smith”, she says. “You can go back into the main building now.”

During the afternoon, the sticker on your jumper begins to lose its stickiness. In a moment of shortsightedness, you decide to tear it off and throw it into a nearby bin. This works against you, however, as moments later, another security guard stops you and asks you for your visitor’s badge.

You explain to him that you no longer have your badge and he informs you that you will need to sign back in at the receptionist’s desk. “Sorry, but it’s company policy sir”, he tells you. “This is a secure area and it requires authentication at all times.”

At the receptionist’s desk, your details are taken again and you are issued with another visitor’s badge. This time, you receive a badge with the code “DS32”.

The old folder, marked “ES23”, still exists. However, it is no longer of any use. As a result, the receptionist will throw it out during the next “clean-up”.

A new folder marked “DS32” is inserted into the cabinet and it contains information about your name, your car registration number and the time that you were issued with your visitor’s badge.

After a long day of meeting tour guides and conversing with office personnel, you decide to head home. The next morning, you realize that you left your business laptop in the building that you visited the day before. “I’ll go back in and get it on the way to work”, you think to yourself.

Knowing that you still have your visitor’s badge from the day before, you take it out of your pocket and show it to the receptionist in the lobby.

The receptionist searches her filing cabinet but she can’t seem to find a folder marked “DS32”. “I’m sorry sir, but I can’t seem to find any information on your visitor’s badge. Did you receive this badge today?”, she asks.

“No, this one is from yesterday afternoon”, you respond.

“Oh, well, we usually set an expiration time on visits. We probably threw the folder out yesterday evening. If you bear with me for a second, I’ll just take down your information and you can be on your way.”

She takes down your information and gives you a new badge. This time, the badge says “YF21”. You can now enter the main building again.


In the metaphor above:

  • The badge is a “cookie”, i.e. the text file on your computer.
  • The ID number on the badge is a session identifier.
  • The lobby could be a login form on a website.
  • The main part of the building is a control panel / members-only area.
  • The filing cabinet is a place where session data is stored. This could be a folder on the server or a database table.
  • The security guard is a piece of software that authenticates users, i.e. a piece of code that checks to see if your session identifier matches up with an authenticated user.
  • The receptionist is a session handler. She gives out sessions to new visitors, she stores information about them and she decides when to purge expired session data.
  • Throwing your badge in the bin was like clearing your browser history / cookies.
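
The receptionist's duties from the metaphor (issuing a badge, filing the folder, answering the guard's check, and throwing out expired folders), written as an added Python example that is not part of the original article. The class and method names, the one-hour lifetime and the sample visitor data are assumptions made for illustration.

```python
import secrets
import time

class SessionHandler:
    """The 'receptionist': issues identifiers, files data, purges old folders."""

    def __init__(self, ttl_seconds=1800, clock=time.time):
        self.ttl = ttl_seconds      # how long a session stays valid
        self.clock = clock          # injectable so expiry can be demonstrated
        self.cabinet = {}           # 'filing cabinet': id -> (expires_at, data)

    def issue(self, data):
        # A real identifier must be unguessable, so it comes from a CSPRNG,
        # unlike the short "ES23"-style badge codes in the metaphor.
        session_id = secrets.token_urlsafe(32)
        self.cabinet[session_id] = (self.clock() + self.ttl, dict(data))
        return session_id           # this value is sent to the browser in a cookie

    def lookup(self, session_id):
        # The 'security guard' check: unknown or expired ids mean "sign in again".
        record = self.cabinet.get(session_id)
        if record is None:
            return None
        expires_at, data = record
        if self.clock() >= expires_at:
            del self.cabinet[session_id]
            return None
        return data

    def purge_expired(self):
        # The periodic 'clean-up' that throws out folders nobody can use any more.
        now = self.clock()
        stale = [sid for sid, (exp, _) in self.cabinet.items() if now >= exp]
        for sid in stale:
            del self.cabinet[sid]
        return len(stale)

def demo():
    now = [0.0]                                   # constructed fake clock
    desk = SessionHandler(ttl_seconds=3600, clock=lambda: now[0])
    visitor = {"name": "David Smith", "entered": "10:00AM"}  # constructed sample
    first = desk.issue(visitor)                   # first badge
    checked = desk.lookup(first)                  # guard's check succeeds
    second = desk.issue(visitor)                  # badge binned: a new one is issued
    now[0] += 24 * 3600                           # come back the next morning
    next_day = desk.lookup(second)                # folder has expired
    purged = desk.purge_expired()                 # the orphaned first folder goes too
    return checked, first != second, next_day, purged
```

Deleting the cookie does not remove the server-side record: the first folder stays in the cabinet until `purge_expired()` runs, which is why the expiry time and the clean-up are both needed.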