Web Session

Explore the basics of web sessions in this article.


What is a Web Session?

A web session refers to the period of time a user is active on a web application. A session starts when a user visits a website and usually ends when they leave the site (either by closing the browser or after a period of inactivity or by logging out).

Why do we need Web Sessions?

HTTP is a stateless protocol, meaning that every request from a client (browser) to a server is independent. The server does not remember previous interactions.

Without web sessions, the server would treat every request as if it came from a new user, making it impossible to:

  • Keep users logged in,

  • Maintain shopping cart items,

  • Store user preferences, etc.

How does a Web Session solve this?

A web session provides a way to track and identify the same user across multiple requests. When a user logs in or interacts with a site, the server creates a web session and assigns a unique session ID to it. This session ID is then sent to the client in the Set-Cookie response header (only once). Subsequent requests carry the session ID back to the server in the Cookie request header.

Every time the user makes a new request, the browser sends this session ID back to the server, allowing the server to recognize the user.

By using web sessions, we can store information about the interactions between the user and the application. A session lets a website remember user information across multiple page requests.

How does a Web Session work?

Steps in a Web Session:

  1. User initiates a request → The client (browser) sends an HTTP request to the server.

  2. Server creates a session → If the user logs in or interacts with the site, the server creates a session (only when data is stored in the session). It assigns a unique session ID and stores the session data in a "Session Store" as a key-value pair.

  3. Sending the session ID in the response → The session ID is sent to the client as a cookie in the response (only once), while the actual session data is stored either on the client side (in a cookie) or on the server side (in a database, memory, or a file). In subsequent responses, the server won’t send the session ID to the client again.

  4. Subsequent requests use the session ID → The client includes the session ID in every request, allowing the server to recognize the user.

  5. Session expires → If the user is inactive for a set time or logs out, the session is deleted.
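As an added example (not code from the article), here is a minimal Python session store that walks through the five steps above on a fixed clock: an unguessable ID is generated on login, handed to the client once in a Set-Cookie header, recognized from the Cookie header on later requests, and deleted when it times out. It also implements the idle and absolute timeouts and the session-ID rotation recommended under the security considerations that follow. The class and function names, the timeout values and the sample user are assumptions made for this illustration.

```python
from __future__ import annotations

import secrets

# Assumed policy values for this example; real applications tune these.
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before the session is dropped
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap on session age, regardless of activity
COOKIE_NAME = "sessionId"


class SessionStore:
    """In-memory session store (the "Session Store" of step 2). Production code would
    use a database or cache so that every server instance sees the same sessions."""

    def __init__(self):
        # session ID -> {"data": ..., "created": ..., "last_seen": ...}
        self._sessions = {}

    @staticmethod
    def new_id() -> str:
        # 32 bytes from the OS CSPRNG (43 URL-safe characters): long and unguessable.
        return secrets.token_urlsafe(32)

    def create(self, data: dict, now: float) -> str:
        sid = self.new_id()
        self._sessions[sid] = {"data": dict(data), "created": now, "last_seen": now}
        return sid

    def get(self, sid: str, now: float) -> dict | None:
        """Return the session data if the ID is known and not timed out, else None."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_LIFETIME:
            del self._sessions[sid]   # step 5: an expired session is deleted
            return None
        s["last_seen"] = now          # activity resets the idle clock
        return s["data"]

    def rotate(self, sid: str) -> str | None:
        """Move a session to a fresh ID (e.g. right after login) so an ID observed
        before authentication is useless afterwards."""
        s = self._sessions.pop(sid, None)
        if s is None:
            return None
        new_sid = self.new_id()
        self._sessions[new_sid] = s
        return new_sid

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)  # logout


def parse_cookie_header(header: str | None) -> dict:
    """Parse 'a=1; b=2' (the value of a Cookie request header) into a dict."""
    cookies = {}
    for part in (header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def set_cookie_header(sid: str) -> str:
    # Attributes recommended under "Secure Cookies" later in the article.
    return f"{COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"


def handle_request(store: SessionStore, request_headers: dict, now: float, login_as=None):
    """Simulate one HTTP request; returns (session_data_or_None, response_headers)."""
    sid = parse_cookie_header(request_headers.get("Cookie")).get(COOKIE_NAME)
    data = store.get(sid, now) if sid else None       # step 4: recognize a returning client
    response_headers = {}
    if login_as is not None:
        if data is None:
            sid = store.create({"user": login_as}, now)  # step 2: create on login
        else:
            data["user"] = login_as
            sid = store.rotate(sid)                      # fresh ID on privilege change
        data = store.get(sid, now)
        response_headers["Set-Cookie"] = set_cookie_header(sid)  # step 3: sent once
    return data, response_headers


def demo():
    """Walk through the flow on a fixed clock; returns the observations for inspection."""
    store, t0 = SessionStore(), 1_700_000_000.0
    data1, resp1 = handle_request(store, {}, t0, login_as="alice")      # first visit + login
    sid = parse_cookie_header(resp1["Set-Cookie"])[COOKIE_NAME]         # what the browser keeps
    data2, resp2 = handle_request(store, {"Cookie": f"{COOKIE_NAME}={sid}"}, t0 + 60)
    data3, _ = handle_request(store, {"Cookie": f"{COOKIE_NAME}={sid}"}, t0 + 60 + IDLE_TIMEOUT + 1)
    return {"login": data1, "recognized": data2,
            "set_cookie_again": "Set-Cookie" in resp2, "after_idle": data3}
```

Calling `demo()` shows the Set-Cookie header appearing only on the login response, the second request being recognized from the Cookie header alone, and the third request (after the idle timeout) being treated as an anonymous visitor.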

Types of Web Session

1) Based on Storage Location

2) Based on Duration

3) Based on Security Mechanism

💡 Must read: Implementing Authenticated and Anonymous Session in Flask

Security considerations while using Web Session

Measures to enhance security and integrity of session data

  1. Session ID:-

    • Session ID should be long and randomly generated.

    • It should be changed periodically during a session.

    • It shouldn’t be exposed as part of any URL.

  2. Secure Cookies:-

    • Set the HttpOnly and Secure flags and the SameSite attribute when setting cookies.

      Set-Cookie: sessionId=bl2gh89gh; HttpOnly; Secure; SameSite=Strict

    • HttpOnly prevents client-side scripts (JavaScript) from reading browser cookies, so an XSS (cross-site scripting) attack cannot simply steal the session ID.

    • Secure ensures that cookies are sent only over HTTPS, preventing interception over unsecured connections.

    • SameSite restricts when the browser attaches the cookie to cross-site requests, which helps prevent CSRF attacks.

  3. Session Timeout:-

    • End the session after a predefined period of inactivity (idle timeout).

    • Terminate the session after a fixed duration, regardless of activity (absolute timeout).

    • Helps reduce the time window available for attackers.

  4. Logging and Monitoring:-

    • Maintain logs of session creation, access, termination & various events to detect any unusual activity.

    • Implement real-time monitoring systems to analyze logs and detect anomalies as they occur.

    • Use automated tools to generate alerts for suspicious activities, enabling proactive investigation and response.

  5. Additional Measures:-

    • Always protect client-side session data against tampering and disclosure: sign it (e.g., a JWT with HMAC or RS256) so it cannot be altered, and encrypt it if it carries sensitive values.

    • Implement MFA (multi-factor authentication) to strengthen the login that establishes a session.

    • Warn users before an inactivity timeout so they can choose to extend the session.
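As an added example (not from the article), here is one way to protect client-side session data with an HMAC-SHA256 signature in Python, together with a minimal rejection log of the kind the logging and monitoring item above calls for. The helper names, SESSION_TTL and the in-memory key are assumptions for this illustration; a real deployment would load the key from configuration and, if the payload carried sensitive values, encrypt it as well.

```python
import base64
import hashlib
import hmac
import json
import secrets

SESSION_TTL = 30 * 60  # assumed absolute lifetime of a client-side session, in seconds


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(payload: dict, key: bytes, now: float) -> str:
    """Serialize the payload with issue/expiry times and append an HMAC-SHA256 tag.
    Token layout: <base64url(json)>.<base64url(tag)>. The data stays readable by the
    client, so nothing secret goes in it; the tag only guarantees it was not altered."""
    body = dict(payload, iat=int(now), exp=int(now) + SESSION_TTL)
    encoded = _b64e(json.dumps(body, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, encoded.encode("utf-8"), hashlib.sha256).digest()
    return f"{encoded}.{_b64e(tag)}"


def verify_session(token: str, key: bytes, now: float, audit: list):
    """Return the payload if the tag checks out and the token is unexpired; otherwise
    record why it was rejected in `audit` (the log a monitoring system would consume)."""
    encoded, sep, tag_text = token.partition(".")
    if not sep:
        audit.append(("rejected", "malformed"))
        return None
    try:
        tag = _b64d(tag_text)
    except ValueError:
        audit.append(("rejected", "malformed"))
        return None
    expected = hmac.new(key, encoded.encode("utf-8"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time compare, before parsing
        audit.append(("rejected", "bad_signature"))
        return None
    body = json.loads(_b64d(encoded))
    if now >= body["exp"]:
        audit.append(("rejected", "expired"))
        return None
    audit.append(("accepted", body.get("user")))
    return body


def should_alert(audit: list, max_bad_signatures: int = 3) -> bool:
    """Stand-in for an alerting rule: repeated signature failures are worth a look."""
    bad = sum(1 for kind, why in audit if kind == "rejected" and why == "bad_signature")
    return bad >= max_bad_signatures


def demo():
    key = secrets.token_bytes(32)  # server-side secret; assumed to live in config, never in the cookie
    audit, t0 = [], 1_700_000_000.0
    token = sign_session({"user": "alice", "role": "user"}, key, t0)
    accepted = verify_session(token, key, t0 + 60, audit)
    # Tamper test: rewrite the readable payload (role -> admin) but keep the old tag.
    encoded, tag = token.split(".")
    forged_body = dict(json.loads(_b64d(encoded)), role="admin")
    forged = _b64e(json.dumps(forged_body, separators=(",", ":"), sort_keys=True).encode()) + "." + tag
    tampered = verify_session(forged, key, t0 + 60, audit)
    expired = verify_session(token, key, t0 + SESSION_TTL + 1, audit)
    return accepted, tampered, expired, audit
```

The signature check runs before the JSON is parsed and uses `hmac.compare_digest`, so an altered payload is rejected without ever being interpreted and without leaking timing information; the `audit` list is what a real system would ship to its log pipeline to feed rules like `should_alert`.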


Thank you for your time! 😊

Connect with me on LinkedIn