web applications - Understanding Session Expiration -


Looking at the OWASP Session Management Cheat Sheet: every time a session expires, must the user go through the same pre-auth --> auth --> ... steps to make a new session?

For example, if a session expires and the web app requires authentication, does the user have to log in to the web app again before getting a new session?

Sessions are maintained with cookies.

HTTP is a stateless protocol. Every request to the server works in isolation; no request has information about a previous request.

Say a user named A logs in to the site. The site works with sessions and sets session data for the user. Internally, the server creates a value and associates it with that particular user. Say the value 12345 is computed and associated with user A. The server decides to give this value the name sessionid. It sends the sessionid in a cookie, and the cookie is stored in the user's browser. The next time user A makes a request, the cookie is sent to the server. The server reads the sessionid from the cookie and looks it up. It sees the value in the cookie, i.e. 12345, and finds the user associated with it, user A, so it knows user A is making the request.

Say the cookie expires, which can happen for various reasons: either the user deletes the cookie on their end, or after some days the server cleans up the association between the user and the session. In either case the server is not able to know which user is making the request, and hence the entire flow of user login and session generation has to take place again.

So, yes: if the session expires and the web app requires authentication, the user has to log in again.
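The lookup the answer describes, as an added Python example that is not part of the original post: a server-side table from session id to user, a cookie value resolved against that table, and an expiry after which the id no longer maps to anyone, so the login step has to run again. The credential check, the 30-minute lifetime and the in-memory store are assumptions made for the example.

```python
import secrets
import time

# Server-side session store: session id -> {"user": ..., "expires": ...}.
# Constructed for this example; a real app would use a shared/persistent store.
SESSIONS = {}
SESSION_LIFETIME = 30 * 60  # assumed lifetime in seconds


def check_credentials(username, password):
    """Constructed stand-in for a real credential check (assumption)."""
    return (username, password) == ("alice", "correct horse")


def login(username, password, now=None):
    """Authenticate and create a new session.

    Returns the session id the server would send in a cookie, or None on failure.
    The id is a random token, not the user's id: the mapping to the user lives
    only in the server-side table.
    """
    if not check_credentials(username, password):
        return None
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "expires": now + SESSION_LIFETIME}
    return sid


def current_user(cookie_sid, now=None):
    """Resolve the cookie value to a user, or None if no valid session exists.

    None means the request is treated as unauthenticated: the cookie was
    deleted or never issued, or the server has expired the association.
    """
    now = time.time() if now is None else now
    sess = SESSIONS.get(cookie_sid)
    if sess is None:
        return None
    if now >= sess["expires"]:
        del SESSIONS[cookie_sid]  # server-side cleanup of the expired session
        return None
    return sess["user"]


def logout(sid):
    """Explicitly drop a session, e.g. on user logout."""
    SESSIONS.pop(sid, None)
```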

