Chapter 11. Manipulating Sessions
It is one thing to show a man that he is in error, and another to put him in possession of truth.
A session, at the most basic level, refers to all the connections a web browser makes to the web server during a single normal use. You can think of a session as a single sitting; the time and activities from when a user first browses to the application until the user logs out is one session. There are two aspects to establishing and maintaining a session. The first piece is a unique “session ID,” which is some kind of identifier that the server allocates and sends to your browser (or other client, like Flash Player). The second piece is some data that the server associates with your session ID. If you are familiar with databases, you can think of the session ID conceptually as a row in a database that corresponds with all the things you’re doing (the contents of your shopping cart, the expiration of your session, your role in the system, etc.). The session ID, then, is the unique key that the server uses to look up your row in the database. In some systems, that’s literally how it is. In other systems, the actual storage of sessions is completely different, but conceptually they work this way.
Maintaining data during a session makes life easier for users. The shopping cart metaphor is a prime example—online shopping carts retain the items you place in them until you log out or abandon the site. Without maintaining session data, the application ...
Get Web Security Testing Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.