Wednesday, June 15, 2011

How does session management work in ASP.NET?

I am trying to describe how session management works in ASP.NET:

First, the client sends its credentials to the server. The server validates the credentials and constructs the actual state information. The server then sends a session token or session identifier to the client as part of the response.

The client then sends a request to the server that includes the session identifier. The server validates the session identifier and determines whether the user is authorized to execute the request. The server processes the request and sends the response.

A session can be terminated by expiration or by explicit user logout.
Logout works in the following way:
The client sends the credential with a logout request. The server validates the request and updates or deletes any server-side state. The server then sends a response telling the client to erase its session token or session identifier.

Session tokens and session identifiers:
In the case of session tokens, the state information is maintained by the client, and the client sends it with each request.
In the case of a session identifier, the state information is maintained by the server, and the client sends a reference to it with each request.
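
The two models side by side, as an added example that is not part of the original post and is not ASP.NET's own implementation. It assumes .NET 6 or later; the class, method names and token layout are hypothetical, and the token is protected with an HMAC so the server can detect changes to client-held state.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
// Added illustration (.NET 6+). All names are hypothetical, not ASP.NET APIs.
static class SessionDemo
{
    // Session identifier: state stays on the server; the client holds a random reference.
    static readonly Dictionary<string, (string User, DateTime Expires)> Store = new();
    static string IssueId(string user, TimeSpan ttl)
    {
        string id = Convert.ToHexString(RandomNumberGenerator.GetBytes(16));
        Store[id] = (user, DateTime.UtcNow + ttl);
        return id;
    }
    // Unknown, logged-out and expired identifiers are all rejected.
    static string? ValidateId(string id) =>
        Store.TryGetValue(id, out var s) && s.Expires > DateTime.UtcNow ? s.User : null;
    static void Logout(string id) => Store.Remove(id); // logout deletes server-side state
    // Session token: state travels with the client, so the server signs it with this key.
    static readonly byte[] Key = RandomNumberGenerator.GetBytes(32);
    static string Sign(string payload) =>
        Convert.ToHexString(HMACSHA256.HashData(Key, Encoding.UTF8.GetBytes(payload)));
    static string IssueToken(string user, DateTimeOffset expires)
    {
        string payload = $"{user}|{expires.ToUnixTimeSeconds()}";
        return $"{payload}|{Sign(payload)}";
    }
    static string? ValidateToken(string token)
    {
        int cut = token.LastIndexOf('|');
        if (cut < 0) return null;
        string payload = token[..cut], mac = token[(cut + 1)..];
        byte[] want = Encoding.UTF8.GetBytes(Sign(payload)), got = Encoding.UTF8.GetBytes(mac);
        if (!CryptographicOperations.FixedTimeEquals(want, got)) return null; // forged or altered
        string[] p = payload.Split('|');
        if (p.Length != 2 || !long.TryParse(p[1], out long exp)) return null;
        return exp > DateTimeOffset.UtcNow.ToUnixTimeSeconds() ? p[0] : null; // expiration check
    }
    static void Main()
    {
        string id = IssueId("alice", TimeSpan.FromMinutes(20));
        string tok = IssueToken("alice", DateTimeOffset.UtcNow.AddMinutes(20));
        Console.WriteLine(ValidateId(id) ?? "rejected");
        Logout(id);
        Console.WriteLine(ValidateId(id) ?? "rejected");
        Console.WriteLine(ValidateToken(tok) ?? "rejected");
        Console.WriteLine(ValidateToken(tok.Replace("alice", "admin")) ?? "rejected");
    }
}
```

In this sketch, logging out invalidates the identifier immediately because the server deletes its own record, while the signed token stays valid until its embedded expiry because nothing on the server tracks it.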