Session management
In human-computer interaction, session management is the process of keeping track of a user's activity across sessions of interaction with the computer system.
Typical session management tasks in a desktop environment might include keeping track of which applications are open and which documents each application has opened, so that the same state can be restored when the user logs out and logs in later. For a website, session management might involve requiring the user to log in again once the session has expired, that is, once a set time limit has passed without user activity. It is also used to store information on the server side between HTTP requests.
Desktop session management
A desktop session manager is a program that can save and restore desktop sessions; a desktop session is the set of windows currently open and their current content. On Linux-based systems the session manager is the X session manager. Microsoft Windows includes no session manager; third-party applications such as twinsplay provide one. A full description of session management under X Window-based systems is on the X session manager page.
Browser session management
Session management is particularly useful in a web browser, where a user can save all open pages and settings and restore them at a later date. To help recover from a system or application crash, pages and settings can also be restored on the next run. Google Chrome, OmniWeb and Opera are examples of web browsers that support session management. Mozilla Firefox restores the previous session after a crash and can be set to do so at every start; extensions add the ability to save and name several sessions. On the web, session management is usually implemented with HTTP cookies.
Web server session management
The Hypertext Transfer Protocol (HTTP) is stateless: the web server handles each HTTP request (GET, POST and so on) on its own, and it cannot rely on the underlying Transmission Control Protocol (TCP) connection to identify the client, because a browser may open a new connection for any request and a connection by itself tells the server nothing about who the user is. Session management is the technique the web developer uses to make the stateless HTTP protocol support session state. For example, once a user has authenticated to the web server, their next HTTP request should not cause the web server to ask for the account name and password again. The methods used to accomplish this are discussed under HTTP cookie.
The session information is stored on the web server under a session identifier (session ID) that the server generates on the first request (sometimes the first authenticated request) from the end user's web browser and returns to the browser, which presents it on every later request. Because whoever presents a valid ID is treated as that user, the ID must be unguessable (drawn from a cryptographically secure random source with enough entropy to defeat brute-force guessing) and should be replaced with a fresh one when the user authenticates. The storage of session IDs and the associated session data (user name, account number, etc.) on the web server is accomplished using a variety of techniques including, but not limited to: local memory, flat files, and databases.
In situations where multiple web servers must share knowledge of session state (as is typical in a cluster environment; see computer cluster), session information must be shared between the cluster nodes that run the web server software. Methods for sharing session state between nodes in a cluster include: multicasting session information to member nodes (JGroups is one example of this technique), sharing session information with a partner node using distributed shared memory or memory virtualization, sharing session information between nodes using network sockets, storing session information on a shared file system such as the Network File System or the Global File System, or storing the session information outside the cluster in a database. Whatever the mechanism, the copies carry the same authentication state as the originating server, so the replication channel and the shared store need the same access controls.
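The mechanics described in the three paragraphs above (a session ID issued on the first request and carried in a cookie, its storage and lookup on the server, and sharing that store between cluster nodes through a database), together with the idle timeout mentioned in the introduction, as one added example written for this article rather than code from any project it names. The class and function names (SessionManager, MemoryBackend, SqliteBackend, cluster_demo), the 15-minute timeout and the cookie name SESSIONID are assumptions; the sample Cookie header and the user name are constructed.

```python
# Added example written for this article, not code from any project it names.
# A session ID is created on the first request, stored server-side with its data
# (user name, last-activity time) in local memory or a database, expires after
# inactivity, and rides in a cookie. SessionManager, cluster_demo etc. are assumed names.
import os
import secrets
import sqlite3
import tempfile
import time

IDLE_TIMEOUT = 15 * 60   # seconds of inactivity after which re-login is required
SESSION_ID_BYTES = 32    # 256 bits from the OS CSPRNG: an ID must be unguessable


class MemoryBackend(dict):
    """Local-memory storage: fastest, but invisible to other cluster nodes."""
    def put(self, sid, user, last_seen): self[sid] = (user, last_seen)
    def delete(self, sid): self.pop(sid, None)


class SqliteBackend:
    """Database storage outside the process: every node opening the same file
    sees the same sessions (the 'database outside the cluster' option)."""
    def __init__(self, path):
        self._db = sqlite3.connect(path, isolation_level=None)   # autocommit
        self._db.execute("CREATE TABLE IF NOT EXISTS sessions "
                         "(sid TEXT PRIMARY KEY, user TEXT, last_seen REAL)")

    def get(self, sid):
        return self._db.execute("SELECT user, last_seen FROM sessions WHERE sid = ?",
                                (sid,)).fetchone()

    def put(self, sid, user, last_seen):
        self._db.execute("INSERT OR REPLACE INTO sessions VALUES (?, ?, ?)",
                         (sid, user, last_seen))

    def delete(self, sid):
        self._db.execute("DELETE FROM sessions WHERE sid = ?", (sid,))


class SessionManager:
    def __init__(self, backend, now=time.time):
        self.backend = backend
        self.now = now   # injectable clock so expiry can be exercised deterministically

    def start(self):
        """Anonymous session created on the first request; the user is not yet known."""
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self.backend.put(sid, None, self.now())
        return sid

    def login(self, old_sid, user):
        """Bind the user to a fresh ID and drop the pre-login one (no session fixation)."""
        if old_sid:
            self.backend.delete(old_sid)
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self.backend.put(sid, user, self.now())
        return sid

    def lookup(self, sid):
        """Map a cookie value to a user; None means the server must ask for credentials."""
        row = self.backend.get(sid) if sid else None
        if row is None:
            return None
        user, last_seen = row
        if self.now() - last_seen > IDLE_TIMEOUT:
            self.backend.delete(sid)             # expired: force re-login
            return None
        self.backend.put(sid, user, self.now())  # activity extends the idle window
        return user

    def logout(self, sid):
        self.backend.delete(sid)


def set_cookie_header(sid, name="SESSIONID"):
    """Set-Cookie value: Secure (HTTPS only), HttpOnly (no script access), SameSite=Lax."""
    return f"{name}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def parse_cookie_header(header, name="SESSIONID"):
    """Recover the session ID from a request's Cookie header value, or None."""
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name and value:
            return value
    return None


def cluster_demo():
    """Two 'nodes' share one SQLite file: a login on node A is visible on node B and
    a logout on node B is visible on node A. Returns (seen_by_b, seen_by_a_after)."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        node_a, node_b = SessionManager(SqliteBackend(path)), SessionManager(SqliteBackend(path))
        sid = node_a.login(node_a.start(), "alice")
        seen_by_b = node_b.lookup(parse_cookie_header(f"theme=dark; SESSIONID={sid}"))
        node_b.logout(sid)
        return seen_by_b, node_a.lookup(sid)   # ("alice", None)
    finally:
        os.remove(path)
```

Calling cluster_demo() exercises the cross-node path: node B, which never saw the login, resolves the ID to "alice" because both nodes read the same SQLite file, and node A then observes node B's logout. Swapping SqliteBackend for MemoryBackend keeps every call working on a single node but would make node B return None, which is the failure mode the clustering paragraph is about. The fresh ID issued in login is what prevents an ID the browser held before authentication from turning into a logged-in one, and the sliding check in lookup is the idle expiry that forces the user to log in again.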
If session information is considered transient, volatile data that is not required for non-repudiation of transactions and does not contain data that is subject to compliance auditing (in the U.S., for example, the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act are two laws that necessitate compliance auditing), then any method of storing session information can be used. However, if session information is subject to audit compliance, consideration should be given to the method used for session storage, replication, and clustering.
In a service-oriented architecture, Simple Object Access Protocol (SOAP) messages, constructed in Extensible Markup Language (XML), can be used by consumer applications to cause web servers to create sessions.