SESSION MANAGEMENT TECHNIQUES IN WEB APPLICATIONS
A session, or ‘web session’, is the collection of activities that an individual performs against a web application within a given period of time. A web session includes the interactive activities of visitors, such as filling out online forms, using search options, and exploring the web application’s content. Web applications retain session information across multiple requests and use it to differentiate authenticated users from anonymous users.
To enforce security controls, protect private data, and grant access only to authorized users, a session requires a session ID, which web application servers use to identify authentic users in network communications. An efficient session management technique is required to keep track of multiple session IDs. The techniques that web applications use to identify individual sessions are cookies, URL rewriting, SSL sessions, and hidden form fields.
Cookies: A cookie is a small piece of information used to identify an individual session. It is created by a web server whenever a user accesses a web application. The web browser saves the cookie on the user’s device, and the web server can later use it to recognize the user. Sometimes multiple cookies are stored on a single device during one session. A web server uses cookies to keep track of a user’s browsing history. They can also be used for tracking a user’s personal information, such as a username or password.
URL rewriting: This is a session management process in which the web server rewrites the URL by appending a bit of extra information to each link. That extra information is then used to identify the sessions of a particular user. In this process, a token or parameter is added to the end of the URL. When the user clicks a URL carrying that parameter, the request reaches the web container, which extracts the parameter for session management. This technique is used when a browser does not support cookies or the user has disabled them.
Secure Socket Layer (SSL) Session: The Secure Socket Layer (SSL) is a protocol that provides better online security. Web applications can use SSL to generate encrypted session keys that identify each session. Websites and web applications that support SSL use HTTPS instead of HTTP in their URLs. Almost all web applications implement HTTPS for enhanced online security. Encrypted session keys are harder for unauthorized third parties to decipher, which is why they are more efficient and popular among web applications.
Hidden Form Fields: In this technique, the web server generates a form field that stays hidden from the user. These hidden fields are generated dynamically each time the form page is generated. Hidden fields are used to store user information and can be retrieved by the web server. The server then uses the retrieved information to identify a particular session or an authorized user. Session data is placed in a hidden field and sent to the servlet, which generates an appropriate response for the user.
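As an added illustration of the cookie and URL-rewriting techniques described above (example code, not from the original article): a minimal Python session store that issues a CSPRNG-generated session ID, sends it in a cookie carrying the Secure, HttpOnly and SameSite attributes, and falls back to a rewritten URL when the browser presents no cookie. The parameter name SESSIONID and the 30-minute idle lifetime are assumptions.

```python
import secrets
import time
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

SESSION_PARAM = "SESSIONID"   # hypothetical cookie / URL parameter name
SESSION_TTL = 1800            # idle lifetime in seconds (assumed policy)

class SessionStore:
    def __init__(self):
        self._sessions = {}  # server-side map: session ID -> record

    def create(self, user):
        sid = secrets.token_urlsafe(32)  # 256 bits of CSPRNG entropy, not guessable
        self._sessions[sid] = {"user": user, "expires": time.time() + SESSION_TTL}
        return sid

    def lookup(self, sid):
        rec = self._sessions.get(sid)
        if rec is None or rec["expires"] < time.time():
            self._sessions.pop(sid, None)  # drop expired entries when touched
            return None
        return rec["user"]

def set_cookie_header(sid):
    # Secure: HTTPS only; HttpOnly: no script access; SameSite: limits CSRF
    return (f"{SESSION_PARAM}={sid}; Path=/; Max-Age={SESSION_TTL}; "
            "Secure; HttpOnly; SameSite=Lax")

def session_id_from_cookie(cookie_header):
    jar = SimpleCookie()
    jar.load(cookie_header)
    return jar[SESSION_PARAM].value if SESSION_PARAM in jar else None

def rewrite_url(url, sid):
    # URL rewriting fallback: append the session token as a query parameter
    parts = urlparse(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query[SESSION_PARAM] = [sid]
    return urlunparse(parts._replace(query=urlencode(query, doseq=True)))

def session_id_from_url(url):
    values = parse_qs(urlparse(url).query).get(SESSION_PARAM)
    return values[0] if values else None

def resolve_session(store, cookie_header=None, url=None):
    sid = session_id_from_cookie(cookie_header) if cookie_header else None
    if sid is None and url:
        sid = session_id_from_url(url)
    return store.lookup(sid) if sid else None
```

resolve_session prefers the cookie and only consults the URL parameter when no cookie is present, because an ID carried in a URL also ends up in browser history, proxy logs and Referer headers.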
Session management techniques provide a secure way of identifying each session, which can be used to deliver a positive browsing experience in a web application. Web servers also use them to distinguish authorized users from unauthorized ones in order to protect personal information.