HTTP Session query

 
Abhay Agarwal
Ranch Hand
Very basic question: when is the HTTP Session object created in a web application?
Suppose I have a website. The home page of the website is an HTTP page which contains details of the company and a link to the Login page.

Consider the below-mentioned user journey as the scenario:
a. user arrives at the home page of the website
b. user clicks on the Login link
c. user fills in login details on the login page and clicks on Submit
d. user is successfully authenticated and authorized by the back end
e. user-specific page is shown
f. user clicks on the logout link
g. user is successfully logged out from the website
h. user is redirected to the home page
i. user closes the browser

In the above-mentioned user journey,
a. at which step does the HTTP session start (i.e. at which step is the HTTP Session object created)?
b. at which step does the HTTP session end?

In case it is required, assume the tech stack to be Java 7, Servlet 2.5, JSP, Tomcat 7, Apache web server (for static web content).

I did google this query but could not find a concrete answer, so I am posting this question here to get some concrete details.
 
J. Kevin Robbins
Bartender
Assuming a session doesn't already exist, a session ID is created at step A. The server returns a session ID to the client with the very first response. The client will then include that session ID with every subsequent request. When it ends depends on a couple of things. At step F you have a logout action, at which point it's common to invalidate the session. However, if you redirect the user to the home page, a brand new session ID will be created because that's a new request.

If you don't invalidate the session it will end when the timeout is reached. The timeout can be set in your code or in the web.xml file. It's a common misconception that a session will invalidate when the user closes their browser, but that's not the case. The server has no way of knowing that the browser has been closed so it depends on the timeout value to end the session if there is no explicit call to the session.invalidate() method.
 
Sresh Rangi
Ranch Hand
It's also common to create a new session when the user is authenticated. This is needed to prevent some session hijacking attacks.

See OWASP Session Management Cheat Sheet:

The session ID must be renewed or regenerated by the web application after any privilege level change within the associated user session. The most common scenario where the session ID regeneration is mandatory is during the authentication process, as the privilege level of the user changes from the unauthenticated (or anonymous) state to the authenticated state.
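To tie the two answers above to the Servlet 2.5 / Tomcat 7 stack named in the question, here is an added example (written for this edit; it is not code from the thread, from OWASP or from any project). It shows a login servlet that, at step d, invalidates whatever session existed before authentication and creates a fresh one, as the OWASP guidance quoted above requires, and a logout servlet that invalidates at step f and redirects at step h. The checkCredentials method, the "cart." attribute prefix, and the /account and / paths are hypothetical stand-ins.

```java
// --- LoginServlet.java ---
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example, not from the original thread. Handles step c/d of the
 * user journey: verify credentials, then regenerate the session ID before
 * storing anything that marks the session as authenticated.
 */
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");

        if (!checkCredentials(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Login failed");
            return;
        }

        // The privilege level changes here, so the session ID must change too.
        // Servlet 2.5 has no HttpServletRequest.changeSessionId() (that arrived
        // in Servlet 3.1), so invalidate the old session and create a new one,
        // carrying over only attributes the application deliberately keeps.
        HttpSession old = req.getSession(false);   // null if no session exists yet
        Map<String, Object> keep = new HashMap<String, Object>();
        if (old != null) {
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                if (name.startsWith("cart.")) {     // hypothetical: keep a pre-login cart
                    keep.put(name, old.getAttribute(name));
                }
            }
            old.invalidate();                      // the pre-login JSESSIONID is now dead
        }
        HttpSession fresh = req.getSession(true);  // new ID goes out in this response's Set-Cookie
        for (Map.Entry<String, Object> e : keep.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setAttribute("authenticatedUser", user);
        fresh.setMaxInactiveInterval(15 * 60);     // idle timeout in seconds; overrides web.xml

        resp.sendRedirect(req.getContextPath() + "/account");  // step e
    }

    // Hypothetical stand-in for the real back-end authentication call.
    private boolean checkCredentials(String user, String pass) {
        return "alice".equals(user) && "correct horse".equals(pass);
    }
}

// --- LogoutServlet.java --- (separate source file; same imports as above)
public class LogoutServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);  // don't create one just to destroy it
        if (session != null) {
            session.invalidate();                     // step g: server-side state is gone
        }
        // Step h: the redirect is a new request. The container creates another
        // session only if something on the home page asks for one; a JSP does so
        // by default unless it declares <%@ page session="false" %>.
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```

Map both servlets in web.xml as usual. The idle timeout Kevin mentions is configured there with `<session-config><session-timeout>15</session-timeout></session-config>` (minutes), and `setMaxInactiveInterval(int seconds)` overrides it for one session. Two checks worth keeping in mind: `request.getSession(false)` is the way to find out whether a session already exists without creating one as a side effect, and on Tomcat 7 the JSESSIONID value in the Set-Cookie header of the login response should differ from the one the browser sent, which confirms that regeneration actually happened.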
 
Abhay Agarwal
Ranch Hand
Thanks for this info
It's a common misconception that a session will invalidate when the user closes their browser, but that's not the case. The server has no way of knowing that the browser has been closed so it depends on the timeout value to end the session if there is no explicit call to the session.invalidate() method.
 
Abhay Agarwal
Ranch Hand
Thanks for this info
It's also common to create a new session when the user is authenticated. This is needed to prevent some session hijacking attacks.
 
Abhay Agarwal
Ranch Hand
Thanks for all the replies. My Query is answered.