n session is a persistent value kept throughout the client session. A client session is the period from the moment a particular browser instance first accesses the web site until that browser instance closes.
A session is implemented by a 128-bit session key stored in the client browser as a cookie. The session context is stored on the server side and is therefore protected from client-side tampering. The server uses the session key cookie sent by the client to determine which session context to load. A client cannot tap into a session unless it knows the 128-bit key of the targeted session, which is virtually impossible.
Please note that login and logout do not start and end a session, although logout can be programmed to erase all session variables and reload scheme settings, effectively simulating a new session.
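The mechanism described above, sketched as an added example (not the product's own code): a server-side store keyed by a 128-bit random session key, a cookie with no expiry so it lasts only for the browser run, and a logout that clears variables without ending the session. The cookie name, the class and method names, and the HttpOnly/Secure attributes are assumptions, not details from this page.

```python
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "SESSIONKEY"  # assumed cookie name, not taken from the page


class SessionStore:
    """Server-side session contexts, looked up by a 128-bit session key."""

    def __init__(self):
        self._contexts = {}  # hex session key -> dict of session variables

    def start(self):
        # 16 bytes from the OS CSPRNG = 128 bits, hex-encoded for the cookie.
        key = secrets.token_hex(16)
        self._contexts[key] = {}
        return key

    def set_cookie_value(self, key):
        # No Expires/Max-Age: the browser discards the cookie when it closes,
        # which is what bounds the client session.
        cookie = SimpleCookie()
        cookie[COOKIE_NAME] = key
        cookie[COOKIE_NAME]["path"] = "/"
        cookie[COOKIE_NAME]["httponly"] = True  # assumption: hide from scripts
        cookie[COOKIE_NAME]["secure"] = True    # assumption: HTTPS only
        return cookie[COOKIE_NAME].OutputString()

    def load(self, cookie_header):
        # Only the key travels with the request; the context never leaves
        # the server. Unknown or missing keys load nothing.
        cookie = SimpleCookie()
        cookie.load(cookie_header or "")
        morsel = cookie.get(COOKIE_NAME)
        if morsel is None:
            return None
        return self._contexts.get(morsel.value)

    def logout(self, key):
        # Logout does not end the session: the key stays valid, but the
        # variables are erased so the next request sees a fresh context.
        context = self._contexts.get(key)
        if context is not None:
            context.clear()
```
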