Sessions
- Remember, HTTP is stateless. How do we maintain state, then?
- So we implement a 'session protocol' at the app layer. The server has to keep its own data structure representing sessions, in parallel with the HTTP exchange, so it can tell different sessions apart
- The server processes the session before it sends the HTTP response to the client
- Lots of variation in how to end a session. One method is to rely on timeouts
Mapping Requests to Sessions
- One method is to encode it in the URL. The server creates an encoding and always passes it back to the client. This obviously leads to problems: security, and how the client is supposed to come up with the session parameter
Authentication
- Logins are not anonymous, while sessions can be
- For redirection after authentication, store the original page as a session variable, then redirect the user back to that page once they have logged in
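The following is an added example, not part of these notes: a tiny in-memory server-side session table (the "parallel data structure" above), with session IDs carried in a cookie instead of the URL, an inactivity timeout to end sessions, and the login-redirect rule (remember the original page in the session, send the user to /login, then bounce them back). `SessionStore`, `handle`, the cookie name `SID`, the protected paths and the 600-second timeout are all assumptions made up for the example; the `HttpOnly` attribute on the cookie is standard but not mentioned in the notes.

```python
import secrets
import time
from dataclasses import dataclass, field

SESSION_TIMEOUT = 600  # constructed value: seconds of inactivity before a session is dropped
PROTECTED = {"/account", "/orders"}  # constructed: pages that require a login


@dataclass
class Session:
    sid: str
    created: float
    last_seen: float
    data: dict = field(default_factory=dict)  # session variables (user, next page, ...)


class SessionStore:
    """Server-side session table, kept separately from the stateless HTTP exchange."""

    def __init__(self, timeout=SESSION_TIMEOUT, clock=time.time):
        self._sessions = {}
        self._timeout = timeout
        self._clock = clock  # injectable so timeouts can be tested without sleeping

    def create(self):
        # The server picks the identifier; the client never has to invent one.
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
        now = self._clock()
        sess = Session(sid, now, now)
        self._sessions[sid] = sess
        return sess

    def lookup(self, sid):
        """Return the live session for sid, or None if unknown or timed out."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > self._timeout:
            del self._sessions[sid]  # ending the session by timeout
            return None
        sess.last_seen = now
        return sess


def parse_cookie_header(header):
    """Parse a request Cookie header ('a=1; b=2') into a dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def session_for_request(store, headers):
    """Map the request to an existing session, or start a new (anonymous) one."""
    cookies = parse_cookie_header(headers.get("Cookie", ""))
    sess = store.lookup(cookies.get("SID", ""))
    set_cookie = None
    if sess is None:
        sess = store.create()
        set_cookie = f"SID={sess.sid}; Path=/; Secure; HttpOnly"
    return sess, set_cookie


def handle(store, method, path, headers, form=None):
    """Minimal request handler: returns (status, response headers, body)."""
    sess, set_cookie = session_for_request(store, headers)
    resp = {"Set-Cookie": set_cookie} if set_cookie else {}

    if method == "POST" and path == "/login":
        # Constructed: any non-empty username counts as authenticated here.
        sess.data["user"] = form["user"]
        # Redirect back to the page the user originally asked for (default "/").
        # Only paths the server itself stored end up in "next", so no open redirect.
        target = sess.data.pop("next", "/")
        return 303, {"Location": target, **resp}, ""

    if path in PROTECTED and "user" not in sess.data:
        sess.data["next"] = path  # remember the original page in the session
        return 303, {"Location": "/login", **resp}, ""

    user = sess.data.get("user", "anonymous")
    return 200, resp, f"hello {user}"
```

The session is resolved (looked up, created, or expired and replaced) before any response is built, which is the ordering the notes describe. A request arriving after the timeout gets a fresh anonymous session and a new `Set-Cookie`, so the old identifier can never be reused.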
Cookies
- Small files on the client machine that store attribute/value pairs for the server
- Set by the server (not requested by the client), sent back by the client as part of the HTTP protocol (not edited by the client)
- Either side can delete or ignore them
- Contents: Path, Expiration, Secure
- Cookies should be minimal
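As an added example (not part of these notes), the following builds a `Set-Cookie` header carrying the three attributes listed above (Path, Expiration as `Expires`, Secure), parses one back, and shows the client-side check of whether a stored cookie applies to a given request at all. The `Cookie` class and helper names are assumptions; the default `Path=/` is a simplification of the browser's real default-path rule, and unknown attributes are ignored, which is one form of "either side can ignore them".

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime
from typing import Optional


@dataclass
class Cookie:
    name: str
    value: str
    path: str = "/"                    # simplification: real default path comes from the request URI
    expires: Optional[datetime] = None  # None = session cookie, dropped when the browser closes
    secure: bool = False               # only sent over HTTPS


def build_set_cookie(c):
    """Server side: serialize a cookie into a Set-Cookie header value."""
    parts = [f"{c.name}={c.value}", f"Path={c.path}"]
    if c.expires is not None:
        # HTTP dates are always expressed in GMT
        parts.append("Expires=" + format_datetime(c.expires.astimezone(timezone.utc), usegmt=True))
    if c.secure:
        parts.append("Secure")
    return "; ".join(parts)


def parse_set_cookie(header):
    """Client side: parse a Set-Cookie header value into a Cookie."""
    first, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    c = Cookie(name=name, value=value)
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "path":
            c.path = val.strip() or "/"
        elif key == "expires":
            c.expires = parsedate_to_datetime(val.strip())
        elif key == "secure":
            c.secure = True
        # any other attribute is ignored by this client
    return c


def path_matches(cookie_path, request_path):
    """Cookie path-match: exact, or a prefix that ends on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def should_send(c, request_path, https, now):
    """Client-side decision: is the cookie still valid and applicable to this request?"""
    if c.expires is not None and now >= c.expires:
        return False  # expired: the client deletes it rather than sending it
    if c.secure and not https:
        return False  # Secure cookies never travel over plain HTTP
    return path_matches(c.path, request_path)
```

Keeping the cookie to a name, a value and these few attributes is what "cookies should be minimal" amounts to in practice: the server holds the real state in its session table, and the cookie only carries the key to it.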