What is the session
In web projects, a session is the use of an application by a user, usually comprising a sequence of requests.
On the other hand, the term session can also refer to the stored content, the location, or the storage variable of that state. For example, in Java there is the session map, in PHP the superglobal variable $_SESSION, and so on.
How the session works
To recognize that a sequence of actions comes from the same user, some identification technique is used; the most common are:
Cookies: A session identifier is placed in a Cookie, which persists at least until the user shuts down or closes the browser. Remember that Cookie data is sent from the browser to the server with every request.
URL Rewriting: A session identifier is generated on first access to the system, and all system links add this identifier as a URL parameter. This way, the user can be identified in every request.
So the general procedure is to generate a single id per user and have every request report this id in some way, through which the language, framework, or server can store and retrieve the state of the user's session.
What makes it secure
Nothing. There are several easy-to-perform attacks on systems that rely only on the session to authenticate and authorize users. The most common is session hijacking: just obtain the Cookie or URL that contains the session handle somehow and put it in another browser.
Security, however, can be implemented fairly efficiently with asymmetric cryptography (HTTPS/SSL). Certificates signed by certificate authorities (CAs) can also be used to ensure that the conversation is actually being held with whom you expect and not with a "stranger". In addition, the content of Cookies could not be intercepted by an intermediary between client and server, since only the real parties could decrypt the data with the private key.
The Cookie standard specifies a parameter that forces a Cookie to be sent only if the connection is secure (HTTPS). This gives some assurance that it will not "escape" by mistake in some plain HTTP request to the server.
Anyway, I'm not a security expert. Certainly there are many pertinent details to this subject, but I hope this is a good introduction.
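As an added illustration (not code from the answer above), the following Python sketch implements the mechanics the answer describes: a server-side store that generates one random id per user and keeps the state, a Set-Cookie header that carries that id with the `Secure` attribute (the cookie parameter the answer refers to, which restricts the cookie to HTTPS) plus `HttpOnly`, and two lookups for the id, one from the Cookie request header and one from a URL parameter (URL rewriting). The cookie name `SESSIONID`, the in-memory dictionary store and the time-to-live are assumptions chosen for the example; `rotate` is added as the usual mitigation of issuing a fresh id when a session's privileges change, so a previously captured id stops working.

```python
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlparse

SESSION_COOKIE = "SESSIONID"  # assumed cookie / URL parameter name
DEFAULT_TTL = 30 * 60         # assumed idle lifetime of a session, in seconds


class SessionStore:
    """In-memory session store: one random id per user, state kept server-side.

    `now` is passed explicitly so expiry can be reasoned about (and tested)
    without depending on the wall clock.
    """

    def __init__(self, ttl=DEFAULT_TTL):
        self.ttl = ttl
        self._sessions = {}

    def create(self, now=0.0, **state):
        # 32 random bytes (256 bits) from the OS CSPRNG; the id must be
        # unguessable because it is the only thing that identifies the user.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"state": dict(state), "expires": now + self.ttl}
        return sid

    def get(self, sid, now=0.0):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if now >= entry["expires"]:
            # Expired: drop it so a stale id can never be reused.
            del self._sessions[sid]
            return None
        return entry["state"]

    def rotate(self, sid, now=0.0):
        # Issue a new id carrying the same state and invalidate the old one
        # (done after login or any privilege change).
        state = self.get(sid, now)
        if state is None:
            return None
        del self._sessions[sid]
        return self.create(now, **state)

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def set_cookie_header(sid, secure=True):
    """Value of the Set-Cookie response header that hands the id to the browser.

    Secure   -> browser sends the cookie only over HTTPS
    HttpOnly -> cookie is not readable from page scripts
    SameSite -> cookie is not attached to most cross-site requests
    """
    attrs = [f"{SESSION_COOKIE}={sid}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)


def session_id_from_cookie(cookie_header):
    """Extract the session id from an incoming Cookie request header."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(SESSION_COOKIE)
    return morsel.value if morsel is not None else None


def session_id_from_url(url):
    """URL-rewriting variant: the id travels as a query parameter."""
    values = parse_qs(urlparse(url).query).get(SESSION_COOKIE)
    return values[0] if values else None


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create(user="alice")
    print("Set-Cookie:", set_cookie_header(sid))
    # Constructed request data: what the browser would send back.
    print(store.get(session_id_from_cookie(f"{SESSION_COOKIE}={sid}; theme=dark")))
    print(store.get(session_id_from_url(f"https://app.example/home?{SESSION_COOKIE}={sid}")))
```

The store never trusts anything in the cookie except the id itself; all state stays on the server, which is the "store and retrieve the state" half of the answer. Sending the cookie only with `Secure` set is what keeps the id from leaking over a plain HTTP request.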