Sessions And Session Tracking for webapps

A session is a period of user interaction with a website or application, the period from the starting when the user access the sites to ending when user leaves.

Session tracking is the process of monitoring user session in a website or application.

Session tracking provides insights into user behavior, such as the number of sessions, session duration, popular pages, conversion rates, and more. This data is valuable for optimizing website performance, improving user engagement, and making data-driven decisions.

Methods

Sessions can be tracked using:

1. Cookies
2. URL rewriting
3. Server side sessions

1. Cookies

Cookies are small text files stored in users system, used to store user browsing activities and preferences. The duration or “lasting” of cookies used for session tracking can be controlled by setting the appropriate expiration time.

Session cookies are temporary and exist only for the duration of the user’s session. Persistent cookies have a defined expiration time set by the server when they are created.

2. URL rewriting

It is commonly employed by web servers and web applications to create user-friendly and search engine-friendly URLs or to handle dynamic content.

URL rewriting, also known as URL manipulation or URL rewriting engine, is a technique used to modify the URL of a webpage requested by a user. It is commonly employed by web servers and web applications to create user-friendly and search engine-friendly URLs or to handle dynamic content.

The process of URL rewriting involves intercepting an incoming URL request and modifying it before it is processed by the web server or application. This modification can be done based on predefined rules or patterns, which are typically defined in a configuration file.

3. Server-side session

session data is stored on the server-side. This approach involves generating a unique session identifier for each client and maintaining the session state on the server.

The server maintains a data structure or database to store relevant session data. When user access a website, server generates a unique identifier where these are passed as URL parameters or HTTP headers or stored in cookies.

Server-side sessions offer advantages such as better security control, as the session data is stored on the server and not exposed to the client. They also allow for more complex session management features, such as session invalidation, revocation, or fine-grained control over session data.

However, server-side sessions may require more server resources and introduce potential scalability challenges, especially in high-traffic scenarios. Session storage mechanisms like databases or distributed caching systems are often used to handle the storage and retrieval of session data efficiently.

In a server-side cookie implementation, typically, only one session identifier is provided for each client. The session identifier serves as a unique token that allows the server to identify and associate the client’s requests with their corresponding session data.

Here’s how it generally works:

1. Client Request:

   • When a client (e.g., a web browser) makes a request to the server, it includes the session identifier as a cookie in the request headers.
   • The session identifier is sent back to the server with each subsequent request from the client, allowing the server to recognize and track the client’s session.

2. Server-Side Session Management:

   • On the server-side, the session identifier is used to retrieve the associated session data.
   • The server maintains a mapping between session identifiers and session data, allowing it to look up and update the session state as needed.
   • The session identifier provided to the client typically remains the same throughout the client’s session.
   • As long as the session is active, the client continues to include the same session identifier in its requests.
   • The server uses this session identifier to identify the client’s session and retrieve the corresponding session data.

It’s important to note that session identifiers should be unique and difficult to guess to prevent unauthorized access. Additionally, appropriate security measures should be implemented to protect the session identifier, such as using secure HTTP (HTTPS) connections and encrypting sensitive data within the session identifier or session data.

In some cases, there may be scenarios where multiple session identifiers are used for a single client, such as when implementing a multi-device or multi-tab/session application. Each device or session may have its own session identifier, allowing the server to manage separate session states. However, this depends on the specific implementation requirements and is not the typical approach for a standard server-side session management.

Server Side Session Management Features

1. Session Invalidation
2. Revocation