8.2 Session Management Over the Web

Previous page
Table of content
Next page
only for RuBoard - do not distribute or recompile

8.2 Session Management Over the Web

Storing the state in the web server the middle tier can solve the problem of increased request size and protect the state of an application from accidental or intentional changes a user might make.

A session is a way to identify and manage the state the session variables -- for a particular user. When a user sends an HTTP request, the middle tier must process the current request in the context of the user's session. When a session is started, the client is given a session identifier -- often a cookie that is included with subsequent requests to the server. The server uses the session identifier to locate the corresponding session before processing the request.

Rather than storing all the variables needed to maintain state and include them with each request, the browser stores a single session identifier that finds and initializes the variables stored on the server. The session identifier is like the ticket given at a cloak room. The ticket is much easier to carry around and ensures that the holder gets her own hat and coat.

One implication of storing session variables in the middle tier is that data needs to be stored for each session. The question is, for how long? Because HTTP is stateless, there is no way to know when a user has finished with a session. Ideally, the user logs out of an application, and the logout script ends the session. However, because a server can never be sure if a user is still there, the server needs to clean up old sessions that have not been used for a period of time. This last point is important, because sessions consume resources on the server, and dormant sessions may present a security risk. How long the timeout should be depends on the needs of the application, and we discuss this in more detail later in this chapter.

In summary, there are three characteristics session management over the Web must exhibit:

  • Information or state must be stored. For example, a selected bottle of wine in a shopping cart, a customer name, or a credit card number must be maintained across multiple HTTP requests.

  • Each HTTP request must carry an identifier that allows the server to process the request in the context of the stored state. For example, when an order is submitted, it must be processed with the correct items and customer details.

  • Sessions need to have a timeout . Otherwise, if a user leaves the web site, there is no way the server can tell when the session should end.

only for RuBoard - do not distribute or recompile

Previous page
Table of content
Next page
Web Database Applications with PHP & MySQL
Web Database Applications with PHP & MySQL, 2nd Edition
ISBN: 0596005431
EAN: 2147483647
Year: 2002
Pages: 134
Authors: Hugh E. Williams, David Lane
BUY ON AMAZON
Metrics and Models in Software Quality Engineering (2nd Edition)
Cisco IP Communications Express: CallManager Express with Cisco Unity Express
Mastering Delphi 7
AutoCAD 2005 and AutoCAD LT 2005. No Experience Required
MPLS Configuration on Cisco IOS Software
VBScript in a Nutshell, 2nd Edition
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy