Lecture 20: Web Commerce Technologies

State Maintenance and Sessions

Most modern Web Commerce sites use the concept of a Web session -- a series of Web requests and responses linked together by a state variable called a session identifier. A first visit to the sites "home page" creates a new session, and the HTTP response is associated with a new session identifier, or SID. All subsequent transactions are labelled with the same SID.

The session identifier is commonly a (very) large random number possibly combined with a (hashed) combination of the some other client information -- maybe the IP address of the client.
Session management can be rather messy on the server, since information must be maintained about all "current" sessions, and decisions must be made as to the deletion of "expired" sessions.
The SID must (obviously) be passed back and forward between the server and the browser on every transaction. Modern practice is to use a "belt-and-braces" approach here, with the information duplicated in hidden fields, cookies (which could be disabled in the browser) and also in dynamically-generated Extra Path Information URLs. For example, the CDnow page on your lecturer's browser at this instant has the URL (some sections deleted to fit): http://www.cdnow.com/cgi-bin/mserver/SID=1391321707 It's obvious that every URL in the page has to have exactly the same information, and a quick "View Source" verfies this. At this particular site, the same information is also sent as a cookie, although hidden fields are (apparently) not used.

previous | start | next