Customized Session Handling

Web server applications often generate information at runtime that is necessary in order to identify further client requests. In the response to the browser, the server may include a unique string, commonly known as the Session ID. This string is returned by the browser to the server as a part of each subsequent request, allowing the server to identify the unique Web session of which the request is a part. Generally, Session IDs refer to the method the Web server application uses to identify individual users and to associate this identification with the state of the user session information that the application has previously had with those users.

Session IDs can be sent to the client in a number of ways. Most often you will find them included in cookies, or inside HTML as part of URL's used in hyper links or embedded objects, or in hidden HTML form fields. Session IDs are sent back to the server in cookies, URL's, and HTTP post data.

Session Information Inside Cookies

From the server:

Set-Cookie: SessionID=LGIJALLCGEBMIBIMFKOEJIMM; path=/

To the server:

Cookie: SessionID=LGIJALLCGEBMIBIMFKOEJIMM

Session Information in the URL's of HTML Links

From the server:

<html>
  ...
  <a href="/ShopIt/acknowledge.asp?SessionID=LGIJALLCGEBMIBIMFKOEJIMM" > 
  Enter Shop 
  </a>
 ...
</html>

To the server:

GET /ShopIt/acknowledge.asp? SessionID = LGIJALLCGEBMIBIMFKOEJIMM HTTP/1.1

Session Information in Hidden Form Fields

From the server:

<html>
  ...
  <form action="kindofpayment.asp" method="post" >
  Currently we only accept Credit Cards
  <input type="hidden" name="SessionID" value="LGIJALLCGEBMIBIMFKOEJIMM">
  <input type="text" name="name" value="Jack " >
  <input type="submit" name="paymentButton" value="Submit">
  </form>
  ...
</html>

To the server:

POST /ShopIt/kindofpayment.asp HTTP/1.1
...
SessionId=LGIJALLCGEBMIBIMFKOEJIMM&name=Jack&paymentButton=Submit