It is clunky for the client to remember to attach the session ID to every request. For this reason, the session ID is usually kept client-side in a session cookie. Cookies are tiny pieces of data (text of at most 4 KB each) that the browser stores and automatically sends with HTTP requests to a web application. Cookies are set by the HTTP response header as key-value pairs:
A session cookie is set with the first HTTP response from the server and persists until the browser is closed or the cookie expires. It looks like this in the HTTP header:
This is roughly how a session is implemented with cookies:
- A user visits a site. The web server creates a session and a session ID.
- In its response, the server tells the browser to store a cookie containing the session ID (the cookie should carry only the ID, never any personal information).
- The session ID cookie is automatically attached to each subsequent HTTP request to the server.
- When the server reads the session ID cookie sent with the next HTTP request, it looks up the session data associated with that ID.
- The process continues as long as the session is active.
- The session and the session ID cookie expire when the user closes the browser, logs out, or a predetermined session length (e.g. an hour) passes.
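As an added example (not code from the original article), here is a minimal Python version of the flow above: the server creates a session with an unguessable ID, hands the ID to the browser in a Set-Cookie header, reads it back from the Cookie header on later requests, and expires it after the configured session length or on logout. The cookie name `sessionid`, the 3600-second lifetime and the sample user data are assumptions.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_COOKIE = "sessionid"  # assumed cookie name


class SessionStore:
    """Server-side store mapping session ID -> (session data, creation time)."""

    def __init__(self, max_age_seconds=3600):  # assumed one-hour session length
        self.max_age = max_age_seconds
        self._sessions = {}

    def create(self, data):
        # Unguessable random ID; the personal data stays on the server, only the ID goes to the browser.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (dict(data), time.time())
        return sid

    def lookup(self, sid, now=None):
        """Return the session data for sid, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        data, created = entry
        if now - created > self.max_age:
            del self._sessions[sid]  # expired: drop it so the ID cannot be reused
            return None
        return data

    def destroy(self, sid):
        """Logout: forget the session so the cookie value becomes worthless."""
        self._sessions.pop(sid, None)

    def set_cookie_header(self, sid):
        """Value of the Set-Cookie response header that tells the browser to store the ID."""
        return (f"{SESSION_COOKIE}={sid}; Max-Age={self.max_age}; Path=/; "
                "HttpOnly; Secure; SameSite=Lax")


def session_id_from_request(cookie_header):
    """Parse the Cookie request header (e.g. 'sessionid=abc; theme=dark') and return the ID."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(SESSION_COOKIE)
    return morsel.value if morsel else None
```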
In a new tab, try to find out which cookies are in your browser right now! You can see them in your browser's developer tools, opened with the Cmd + Alt + I shortcut (also written Command + Option + I).
Alternatively, you can look for cookies in your browser settings.