Wednesday, January 12, 2011

KB: How ASPSESSIONID Works

HTTP is stateless: the web server has no way to tell which browser a request came from, so it treats every request as a new one and simply sends a response back. That was acceptable in the early days of the web, when websites existed only to serve information.

But once shopping carts and other e-commerce applications emerged, something better than stateless HTTP was needed. That is where session cookies come in. The main purpose of a session cookie is to identify each request from a user so that the server can return user-specific information.

The essential part of the session cookie is the session ID. Its name differs between platforms: for example, ASPSESSIONID for ASP and JSESSIONID for Java.

Here I'll talk about ASPSESSIONID. The ASP session ID has a key and a value, just like a normal cookie. The key starts with the word "ASPSESSIONID" followed by randomly generated characters, for a total key length of 20 characters. The session ID value is a 32-bit integer; a random starting value is generated each time the web server restarts, and for subsequent requests the session ID is increased by 1.

You can see the real session ID by executing the following script:
Session ID = <%= Session.SessionID %>
The response looks similar to this:
Session ID = 845888955 
That's what you see on the server side. This plain value is then encrypted, as described above, and sent to the browser as a session cookie, where it looks something like this:
ASPSESSIONIDASDTTQAS=FKNDLGCDGCBGKEGABELPFEIB
Here "ASPSESSIONID" is fixed, and "ASDTTQAS" is the randomly generated suffix. The integer value "845888955" is encrypted as "FKNDLGCDGCBGKEGABELPFEIB".

Important!
If you don't set a cookie expiration, or if you don't clear the browser cache, this session ID name and value will be used for all future requests, even after you close the browser and open it again.

You can execute this script to see the session cookie described above:
<%= Request.ServerVariables("HTTP_COOKIE") %>
Or you can use a JavaScript alert:
alert(document.cookie);


For the very first request from the browser there is no session cookie, so the request header looks something like this:

GET /somepage.asp HTTP/1.1
Host: 1.2.3.4
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 ( .NET CLR 3.5.30729; .NET4.0E)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive

If the web server doesn't detect a session cookie in the request header, or detects an invalid one, it generates a new session ID and sends it back to the browser in the response header. Here is a sample response:

HTTP/1.1 200 OK
Date: Thu, 13 Jan 2011 02:17:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: CP="IDC ADM HIS OUR IND"
Content-Length: 410
Content-Type: text/html
Set-Cookie: ASPSESSIONIDASDTTQAS=FNNDLGCDBAPCAHACKCKNLOCA; path=/
Cache-Control: private
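As an added example, not part of the original post, here is a small Python helper that parses the Cookie and Set-Cookie headers from the exchange on this page, checks the cookie name and value against the shape described earlier (the literal "ASPSESSIONID" plus 8 random letters for a 20-character name, and a 24-letter value), and reports which cookie attributes are missing. The restriction of the value to the letters A to P is an assumption taken from the sample values shown on this page, not something the post states. The sample headers are copied from the response and request above; the HttpOnly and Secure checks are the ones a reviewer applies to any session cookie, and the Set-Cookie above carries only path=/.

```python
import re

# Sample headers, copied from the exchange shown on this page.
SAMPLE_SET_COOKIE = "ASPSESSIONIDASDTTQAS=FNNDLGCDBAPCAHACKCKNLOCA; path=/"
SAMPLE_COOKIE_HEADER = "ASPSESSIONIDASDTTQAS=FNNDLGCDBAPCAHACKCKNLOCA"

# Name: "ASPSESSIONID" plus 8 letters = 20 characters, as the post describes.
SESSION_NAME_RE = re.compile(r"^ASPSESSIONID[A-Z]{8}$")
# Value: 24 letters. Only A..P appear in the samples on this page (assumption).
SESSION_VALUE_RE = re.compile(r"^[A-P]{24}$")


def parse_cookie_header(header):
    """Parse a request Cookie header ('a=1; b=2') into a dict of name -> value."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, value = part.split("=", 1)
        cookies[name.strip()] = value.strip()
    return cookies


def parse_set_cookie(header):
    """Parse a Set-Cookie header into (name, value, {attribute: value_or_True})."""
    parts = [p.strip() for p in header.split(";")]
    name, value = parts[0].split("=", 1)
    attrs = {}
    for attr in parts[1:]:
        if "=" in attr:
            key, val = attr.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        elif attr:
            attrs[attr.lower()] = True  # flag attributes such as HttpOnly, Secure
    return name.strip(), value.strip(), attrs


def find_asp_session_cookies(cookies):
    """Pick out the ASP session cookie(s) from a parsed Cookie header."""
    return {n: v for n, v in cookies.items() if n.startswith("ASPSESSIONID")}


def is_well_formed(name, value):
    """True if name and value match the shape described in the post."""
    return bool(SESSION_NAME_RE.match(name) and SESSION_VALUE_RE.match(value))


def audit_set_cookie(header):
    """Return a list of findings for a session Set-Cookie header (empty list = clean)."""
    name, value, attrs = parse_set_cookie(header)
    if not name.startswith("ASPSESSIONID"):
        return ["not an ASP session cookie"]
    findings = []
    if not is_well_formed(name, value):
        findings.append("unexpected name/value format")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "secure" not in attrs:
        findings.append("missing Secure")
    return findings


if __name__ == "__main__":
    print(find_asp_session_cookies(parse_cookie_header(SAMPLE_COOKIE_HEADER)))
    print(audit_set_cookie(SAMPLE_SET_COOKIE))
```

Run against the page's own Set-Cookie header, the audit reports only the two missing attributes; the name and value themselves match the described shape.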

In all subsequent requests, the browser includes the session cookie in the request header:

GET /anotherpage.asp HTTP/1.1
Host: 1.2.3.4
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 ( .NET CLR 3.5.30729; .NET4.0E)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie: ASPSESSIONIDASDTTQAS=FNNDLGCDBAPCAHACKCKNLOCA
Cache-Control: max-age=0

In this way the web server can identify each request, wherever in the world it comes from, and send the right information back to the user.


There is one interesting thing to note if you work with ASP session IDs. You can terminate, or abandon, the current session by executing this script:
<% Session.Abandon() %>
This only terminates the current session on the web server: the server clears all values that were stored in the session with Session("somekey") = "Some Value". The browser's session key and value are not cleared or changed. If you make a new request to the web server, the browser sends the same session key and value, and the web server creates a new session using the key and value the browser provided. So if you abandon a session and want a new session key and value, you have to assign an invalid value to the session ID to force the web server to generate a new one.
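To make the request/response exchange and the Session.Abandon() behaviour above concrete, here is an added Python model written for this page; it is not IIS or ASP code. It replays the lifecycle the post describes: a random 32-bit starting ID at server start, later IDs incremented by 1, a cookie name of "ASPSESSIONID" plus 8 random letters, a first request with no cookie that receives a Set-Cookie, later requests that reuse the session, an abandon that drops server-side data while the browser keeps the same cookie, and a forced regeneration by sending an invalid value. The class and function names are hypothetical, and the mapping of the integer to a 24-letter cookie value (one letter A..P per hex digit) is a stand-in for illustration only, not the real encryption the post mentions.

```python
import random
import string


class AspLikeSessionServer:
    """Toy model of the server-side behaviour the post describes (illustration only)."""

    def __init__(self, rng):
        # Cookie name: literal "ASPSESSIONID" plus 8 random letters, fixed for the process.
        suffix = "".join(rng.choice(string.ascii_uppercase) for _ in range(8))
        self.cookie_name = "ASPSESSIONID" + suffix
        # 32-bit starting ID chosen at "server start"; later IDs are previous + 1.
        self.next_id = rng.getrandbits(32)
        self.sessions = {}  # cookie value -> dict of Session("key") values
        self.issued = {}    # every cookie value ever handed out -> integer SessionID

    def encode(self, session_id):
        # Stand-in for the encryption the post mentions (assumption, not the real scheme):
        # map each hex digit of the zero-padded ID to a letter A..P, giving 24 letters.
        return "".join(chr(ord("A") + int(h, 16)) for h in format(session_id, "024x"))

    def handle(self, request_cookies):
        """Serve one request. Returns (set_cookie_header_or_None, session_data)."""
        value = request_cookies.get(self.cookie_name)
        if value in self.sessions:
            return None, self.sessions[value]  # live session: reuse it
        if value in self.issued:
            # Abandoned session whose cookie the browser kept: as the post notes,
            # a NEW, empty session is created under the SAME key and value.
            self.sessions[value] = {}
            return None, self.sessions[value]
        # No cookie, or a value the server does not recognise: issue a new ID.
        session_id = self.next_id
        self.next_id = (self.next_id + 1) & 0xFFFFFFFF
        value = self.encode(session_id)
        self.issued[value] = session_id
        self.sessions[value] = {}
        return f"{self.cookie_name}={value}; path=/", self.sessions[value]

    def abandon(self, request_cookies):
        """Session.Abandon(): drop server-side data; the browser cookie is untouched."""
        self.sessions.pop(request_cookies.get(self.cookie_name), None)


class BrowserJar:
    """Minimal cookie jar: keeps the name=value part of each Set-Cookie it receives."""

    def __init__(self):
        self.cookies = {}

    def apply(self, set_cookie):
        if set_cookie:
            name, rest = set_cookie.split("=", 1)
            self.cookies[name] = rest.split(";", 1)[0]


def walk_through(seed=1):
    """Replay the lifecycle described in the post and return what was observed."""
    server = AspLikeSessionServer(random.Random(seed))
    browser = BrowserJar()

    # 1. First request: no cookie, so the server issues one.
    set_cookie, data = server.handle(browser.cookies)
    browser.apply(set_cookie)
    first_value = browser.cookies[server.cookie_name]
    data["cart"] = ["item-1"]  # Session("cart") = ...

    # 2. Next request: cookie sent back; no new Set-Cookie, data persists.
    set_cookie2, data2 = server.handle(browser.cookies)

    # 3. Session.Abandon(): server state gone, browser still holds the same cookie.
    server.abandon(browser.cookies)
    cookie_unchanged = browser.cookies[server.cookie_name] == first_value

    # 4. Request after abandon: empty session recreated under the same key/value.
    set_cookie3, data3 = server.handle(browser.cookies)

    # 5. Force a fresh ID by sending an invalid value, as the post recommends.
    browser.cookies[server.cookie_name] = "INVALID"
    set_cookie4, data4 = server.handle(browser.cookies)
    browser.apply(set_cookie4)
    issued_ids = list(server.issued.values())

    return {
        "first_request_sets_cookie": set_cookie is not None,
        "second_request_reuses_session": set_cookie2 is None and data2.get("cart") == ["item-1"],
        "cookie_unchanged_after_abandon": cookie_unchanged,
        "session_empty_after_abandon": set_cookie3 is None and data3 == {},
        "new_value_after_invalid": set_cookie4 is not None
        and browser.cookies[server.cookie_name] != first_value,
        "ids_sequential": len(issued_ids) == 2
        and (issued_ids[1] - issued_ids[0]) & 0xFFFFFFFF == 1,
        "value_length": len(first_value) == 24,
    }


if __name__ == "__main__":
    for step, ok in walk_through().items():
        print(f"{step}: {ok}")
```

Every entry in the returned dict is True, which is the point of the walk-through: after Abandon() the data is gone but the identifier is not, and only an invalid cookie value makes the server hand out the next ID in sequence.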


Thanks for reading, and I hope it was worth it!