"In computer science, in particular networking, a session is a semi-permanent interactive information interchange, also known as a dialogue, a conversation or a meeting, between two or more communicating devices, or between a computer and user." ---- Wikipedia
Session: In the context of client-server communication, a session is an exchangeable token/key by which a server recognizes the sender and makes the connection stateful.
HTTP is stateless: The HTTP protocol is stateless, meaning that any information related to an HTTP request-response cycle is lost once the transaction is completed. Hence a server handles every request in its own isolated context, even though multiple requests originate from the same client.
Stateful connection: Here a server preserves specific information about a client from the first request-response transaction and uses that information to process further requests from the same client, until the client or the server wants to terminate the connection or conversation. The whole time during which this communication happens (from start to termination) is termed the Session-Time.
Session management is a technique to make a stateless protocol stateful.
How do we establish a stateful connection, or in other words, how do we identify that multiple requests originated from the same client?
The answer is a key/token called an identity.
Real-world analogy: Imagine you are an employee of a corporate company and you have an identity card. Let's say you forgot your ID card one day. What will happen...
-> You will be stopped at the security entrance
-> You will be asked to present your details to identify yourself. The security team makes a note of all the details, checks with your HR team, and then allows you in.
Though it's highly unlikely, suppose you forgot your ID card for 10 consecutive days. What will happen...
You have to repeat the above 2 steps every day, with no alternative. It doesn't matter that you gave your details on the 1st, 2nd or 3rd day; the security team has no concern about the previous visits you paid to the company. It simply asks you to follow the procedure again on the 10th day, or on any other day.
Here, you are the client and the security team is the server. The only saving point is your ID card, which is a token/key, also called a session token or session key.
To summarise...
"Once a user has been authenticated to the web server, the user's next HTTP request (GET or POST) should not cause the web server to ask for the user's account and password again" --- Wikipedia.
There are different techniques to implement session management:
1. Cookies
2. URL Rewriting
3. HTTP session management
Though every technique has its own merits, I will discuss HTTP session management.
An HTTP server with an inbuilt session management feature creates a session, and assigns an expiration time-out to it, whenever a request comes from a client. The session object is saved in the server's in-memory storage until it times out. The server then generates a cookie called JSESSIONID (in a J2EE server) with a value and links it with the session created. While sending the response back to the client, the server attaches this JSESSIONID cookie to the response as part of the HTTP headers (normally Set-Cookie). The same JSESSIONID cookie should be passed to the server in further requests from the client, so that the server can identify who sent those requests. The server uses the session object to store client-specific information in the form of attribute-value pairs.
A common and very popular case of session management is login-logout: In this business case, a user initiates a request to log in. The server creates a session object and forwards a JSESSIONID cookie back to the user's client application. The session remains as long as the cookie is exchanged. The session object is destroyed, in other words the session is terminated, either when the user issues a logout request or when the session is timed out by the server.
Here, the combination of the cookie and the server's in-memory session object is used to manage the session. The cookie can be called a token that is associated with a session object.
Who provides the cookie handling mechanism to client applications?
Browser-based applications:
Nowadays, all the mainstream browsers have an inbuilt mechanism to handle cookies (receiving them from and sending them to servers automatically). Developers need not worry about writing code to handle cookies.
Mobile apps:
Android/iOS developers must explicitly incorporate cookie handling code in their apps to maintain stateful connections with HTTP servers.
Session management in server clusters: In production environments there is no single instance; a cluster of servers exists.
Servers and physical box:
Physical box: A computer with RAM, processor and storage space.
A single box can have one or more instances of applications running. An application can be an Apache Tomcat web server or a JBoss application server, etc.
How can a single box have multiple server instances running simultaneously?
Answer: Different ports. That is, several Tomcats can be installed on the machine with different port configurations.
A load balancer can channel client requests to the servers. All the servers can be accessed via a single DNS name.
In this case an in-memory session object (specific to a single server) won't be of any help if requests from the same client are channeled to multiple servers. The created sessions have to be accessible to all server instances to maintain the session.
Memcache is a cache provider: a common storage space accessible to all server instances, where the session objects, also called cache objects, are created/retrieved/destroyed. This is how the session can be maintained.
Session replication: Similar to memcache. Refer to Apache Webserver's Session Replication.
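The JSESSIONID cookie flow and the clustered-instance problem described above, as an added example that is not part of this post and not the code of any J2EE server: a Python model of a session store with a sliding time-out, a server instance that issues and checks the JSESSIONID cookie on login and logout, and a round-robin pair of instances that either share one store (the role memcache plays) or keep their own in-memory store. The instance names, the paths and the user "alice" are made up for the demonstration, and the credential check on /login is assumed to have already passed.

```python
import secrets
class SessionStore:
    """In-memory sessions with sliding expiry: one server's heap, or a store shared by all instances."""
    def __init__(self, timeout_seconds=1800):
        self.timeout, self.sessions = timeout_seconds, {}  # sid -> {"expires": float, "attrs": dict}
    def create(self, attrs, now):
        sid = secrets.token_urlsafe(32)  # unguessable token: the client's identity card
        self.sessions[sid] = {"expires": now + self.timeout, "attrs": dict(attrs)}
        return sid
    def get(self, sid, now):
        entry = self.sessions.get(sid)
        if entry is None or entry["expires"] <= now:
            self.sessions.pop(sid, None)  # timed-out sessions are dropped lazily
            return None
        entry["expires"] = now + self.timeout  # each request extends the time-out
        return entry["attrs"]
    def destroy(self, sid):
        self.sessions.pop(sid, None)

class Server:
    def __init__(self, name, store):
        self.name, self.store = name, store
    def handle(self, path, cookies, now, user=None):
        sid = cookies.get("JSESSIONID")
        if path == "/login":  # credential check assumed to have passed already
            sid = self.store.create({"user": user}, now)
            # HttpOnly keeps the token away from page scripts, Secure keeps it off plain HTTP
            return {"status": 200, "headers": {"Set-Cookie": f"JSESSIONID={sid}; HttpOnly; Secure; SameSite=Lax"}}
        session = self.store.get(sid, now) if sid else None
        if session is None:  # missing, unknown or expired token: the client is a stranger
            return {"status": 401, "headers": {}}
        if path == "/logout":
            self.store.destroy(sid)
            return {"status": 200, "headers": {"Set-Cookie": "JSESSIONID=; Max-Age=0"}}
        return {"status": 200, "headers": {}, "body": f"{session['user']}@{self.name}"}

def run_cluster(shared_store):
    """Load-balance five requests round-robin over two instances; return the status codes."""
    stores = [SessionStore()] * 2 if shared_store else [SessionStore(), SessionStore()]
    servers = [Server("tomcat-8080", stores[0]), Server("tomcat-8081", stores[1])]
    cookies, statuses = {}, []  # the cookie jar a browser keeps for this site
    steps = [("/login", "alice"), ("/home", None), ("/home", None), ("/logout", None), ("/home", None)]
    for i, (path, user) in enumerate(steps):
        resp = servers[i % 2].handle(path, cookies, 0.0, user)
        statuses.append(resp["status"])
        set_cookie = resp["headers"].get("Set-Cookie")
        if set_cookie:  # the logout cookie arrives empty, which handle() treats as no token
            name, value = set_cookie.split(";")[0].split("=", 1)
            cookies[name] = value
    return statuses
```

run_cluster(False) shows both failure modes of per-instance stores: the second instance rejects a valid session with 401, and the logout sent to one instance leaves the session alive on the other.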