Session Handling for Web Applications

Session IDs are sent to clients in a number of ways. Most often they are included in cookies, hyperlink URLs, URLs of embedded objects, and HTML form fields. Session IDs are likewise returned to servers within cookies, URLs, and HTTP POST data. See the examples below:

Example: Session information included in a cookie:

Information sent to the client:

Set-Cookie: SessionID=LGIJALLCGEBMIBIMFKOEJIMM; path=/

Information returned to the server:

Cookie: SessionID=LGIJALLCGEBMIBIMFKOEJIMM

Example: Session information included in a URL:

Information sent to the client:

<html>
  …
  <a href="/ShopIt/acknowledge.asp?SessionID=LGIJALLCGEBMIBIMFKOEJIMM">
    Enter Shop
  </a>
  …
</html>

Information returned to the server:

GET /ShopIt/acknowledge.asp?SessionID=LGIJALLCGEBMIBIMFKOEJIMM HTTP/1.1

Example: Session information hidden in a form field:

Information sent to the client:

<html>
  …
  <form action="kindofpayment.asp" method="post">
    Currently we only accept Credit Cards
    <input type="hidden" name="SessionID" value="LGIJALLCGEBMIBIMFKOEJIMM">
    <input type="text" name="name" value="Jack">
    <input type="submit" name="paymentButton" value="Submit">
  </form>
  …
</html>

Information returned to the server:

POST /ShopIt/kindofpayment.asp HTTP/1.1
…
SessionID=LGIJALLCGEBMIBIMFKOEJIMM&name=Jack&paymentButton=Submit
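
Added example (not part of the original page): a small Python routine that reads a raw HTTP request and reports which of the three channels above (cookie, URL, form field) carries the session ID. The three requests are constructed from the examples above; the Host value shop.example, the Content-Type header and the function name extract_session_ids are assumptions made for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

SID = "LGIJALLCGEBMIBIMFKOEJIMM"  # session ID value from the examples above
# Constructed requests modelled on the three examples; the Host value is a placeholder.
COOKIE_REQ = ("GET /ShopIt/acknowledge.asp HTTP/1.1\r\nHost: shop.example\r\n"
              f"Cookie: SessionID={SID}\r\n\r\n")
URL_REQ = (f"GET /ShopIt/acknowledge.asp?SessionID={SID} HTTP/1.1\r\n"
           "Host: shop.example\r\n\r\n")
FORM_REQ = ("POST /ShopIt/kindofpayment.asp HTTP/1.1\r\nHost: shop.example\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
            f"SessionID={SID}&name=Jack&paymentButton=Submit")


def extract_session_ids(raw_request, param="SessionID"):
    """Return {channel: value} for each channel carrying the session ID."""
    head, _, body = raw_request.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)

    # Header names are case-insensitive, so normalise them to lower case.
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()

    found = {}
    cookie = SimpleCookie()
    cookie.load(headers.get("cookie", ""))          # channel 1: Cookie header
    if param in cookie:
        found["cookie"] = cookie[param].value
    query = parse_qs(urlsplit(target).query)        # channel 2: URL query string
    if param in query:
        found["url"] = query[param][0]
    is_form = headers.get("content-type", "").startswith(
        "application/x-www-form-urlencoded")
    if method == "POST" and is_form:                # channel 3: POST form body
        form = parse_qs(body.strip())
        if param in form:
            found["form"] = form[param][0]
    return found


if __name__ == "__main__":
    for label, req in (("cookie", COOKIE_REQ), ("url", URL_REQ), ("form", FORM_REQ)):
        print(label, extract_session_ids(req))
```

Parameter names are matched case-sensitively here, so a field submitted as SessionId would not be found under SessionID.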