Very basic question: when is the HTTP Session object created in a web application?
Suppose I have a website. The home page of the website is an HTTP page which contains details of the company and a link to the Login page.
Consider the below-mentioned user journey as a scenario:
a. user arrives at the home page of the website
b. user clicks on the Login page
c. user fills in login details on the login page and clicks on Submit
d. user is successfully authenticated and authorized by the back end
e. user-specific page is shown
f. user clicks on the logout link
g. user is successfully logged out from the website
h. user is redirected to the home page
i. user closes the browser
In the above-mentioned user journey,
a. at which step does the HTTP session start (i.e. at which step is the HTTP Session object created)?
b. at which step does the HTTP session end?
If required, assume the tech stack to be Java 7, Servlet 2.5, JSP, Tomcat 7, Apache web server (for static web content).
I searched Google about this query but could not find a concrete answer, so I am posting this question here to get some concrete details.
Assuming a session doesn't already exist, a session ID is created at step A. The server returns a session ID to the client with the very first response. The client will then include that session ID with every subsequent request. When it ends depends on a couple of things. At step F you have a logout action at which point it's common to invalidate the session. However, if you redirect the user to the home page a brand new session ID will be created because that's a new request.
If you don't invalidate the session it will end when the timeout is reached. The timeout can be set in your code or in the web.xml file. It's a common misconception that a session will invalidate when the user closes their browser, but that's not the case. The server has no way of knowing that the browser has been closed so it depends on the timeout value to end the session if there is no explicit call to the session.invalidate() method.
"The good news about computers is that they do what you tell them to do. The bad news is that they do what you tell them to do." -- Ted Nelson
The session ID must be renewed or regenerated by the web application after any privilege level change within the associated user session. The most common scenario where the session ID regeneration is mandatory is during the authentication process, as the privilege level of the user changes from the unauthenticated (or anonymous) state to the authenticated state.
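As an added illustration (not code from the original question or answers), here is how the answer's timeline and the session-ID regeneration rule quoted above look in Servlet 2.5 code: the container only creates the session object when the code asks for one, the login handler retires the pre-login session and issues a fresh ID (Servlet 2.5 has no changeSessionId(), so this is invalidate plus getSession(true)), and logout invalidates explicitly because the browser closing in step i never reaches the server. The authenticate() body is a placeholder for the real back-end check, and the two classes are shown in one listing but would live in separate files.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Steps c/d: on successful authentication, replace any anonymous session with a new one.
public class LoginServlet extends HttpServlet {

    // Placeholder for the real back-end check (step d); wire it up before use.
    private boolean authenticate(String user, String password) {
        return false;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        if (!authenticate(user, req.getParameter("password"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // getSession(false) never creates a session: it is null if steps a/b never asked for one
        // (a plain servlet does not; a JSP does unless it declares session="false").
        HttpSession old = req.getSession(false);
        Map<String, Object> carry = new HashMap<String, Object>();
        if (old != null) {
            for (Enumeration<?> e = old.getAttributeNames(); e.hasMoreElements();) {
                String name = (String) e.nextElement();
                carry.put(name, old.getAttribute(name));   // keep pre-login state, drop the ID
            }
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);      // new ID goes out with this response
        for (Map.Entry<String, Object> entry : carry.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        fresh.setAttribute("user", user);
        fresh.setMaxInactiveInterval(15 * 60);         // step i is invisible to the server; timeout ends it
        resp.sendRedirect(req.getContextPath() + "/account");
    }
}

// Steps f/g/h: explicit invalidation, then redirect; the redirect only gets a new session if
// the home page itself calls getSession().
class LogoutServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```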