I'm trying to understand sessions and want to understand the following:
What is the difference between an HTTP session and an SSL session?
Under what circumstances are they created?
An HTTP session exists if the same client and server have a conversation spanning multiple requests and responses. During this conversation they maintain state, such as that a specific user is logged in or similar. This state is usually maintained with the help of a cookie which gets exchanged all the time.
An SSL/TLS session is similar, only it is not at the HTTP level and the state does not reflect a logged-in user. Instead the state of a TLS session includes the encryption key, the cipher used, etc. This state is reflected in a similar way as in HTTP: where you have the cookie in HTTP, in TLS you have the session token or the session ID.
In HTTP a session is often used to keep the authorized state, i.e. the user logs in once and can do multiple actions while staying logged in. Thus it is used to reduce the overhead of logging in again and again. In SSL/TLS the session is created for a similar reason: to reduce the overhead of the TLS handshake. If no TLS session exists, a full handshake will be done. In this handshake the server will prove its identity by sending the certificate, and ciphers and keys will be exchanged. If instead a session gets reused, a less expensive, shorter handshake will be done, because client and server just continue with the same key and cipher and the proof of identity is still valid.
SSL/TLS sessions and HTTP sessions are independent, i.e. there can be overlap or no overlap, but it does not matter at all.
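The two layers described in the answer above can be watched side by side in a few lines of Go. The program below is an added example, not code from the question or the answer: it runs a toy HTTPS application (a `/login` handler that creates an HTTP session identified by a constructed `sid` cookie, and a `/whoami` handler that looks it up) behind `httptest.NewTLSServer`, which supplies Go's built-in localhost certificate and a client that trusts it. Every request is forced onto a new TCP and TLS connection, the client is given a TLS session cache, and each response is inspected for `resp.TLS.DidResume` (was the TLS handshake an abbreviated, resumed one?) and for the body (did the application still see a logged-in HTTP session?). The third request deliberately reuses the TLS session cache but drops the cookie jar, so it shows a resumed TLS session with no HTTP session at all, which is the independence the answer's last paragraph is about. The cookie name, the fixed session id and the user name are assumptions made for the example.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
	"sync"
)

// Observation: was the TLS handshake for this request resumed, and who did the HTTP session say the client was?
type Observation struct {
	Path       string
	TLSResumed bool
	Body       string
}

// newSessionServer is a toy HTTPS application constructed for this example. Its
// only state is a map from session cookie value to logged-in user.
func newSessionServer() *httptest.Server {
	var mu sync.Mutex
	sessions := map[string]string{} // cookie value -> username
	mux := http.NewServeMux()
	mux.HandleFunc("/login", func(w http.ResponseWriter, r *http.Request) {
		sid := "s-4f1c9e" // constructed fixed value; real code draws it from crypto/rand
		mu.Lock()
		sessions[sid] = "alice"
		mu.Unlock()
		http.SetCookie(w, &http.Cookie{Name: "sid", Value: sid, HttpOnly: true, Secure: true})
		fmt.Fprint(w, "logged in as alice")
	})
	mux.HandleFunc("/whoami", func(w http.ResponseWriter, r *http.Request) {
		user := "anonymous" // no cookie, or a cookie the server does not know
		if c, err := r.Cookie("sid"); err == nil {
			mu.Lock()
			if u, ok := sessions[c.Value]; ok {
				user = u
			}
			mu.Unlock()
		}
		fmt.Fprint(w, user)
	})
	return httptest.NewTLSServer(mux) // built-in localhost cert; srv.Client() trusts it
}

// get performs one request and reports which layer's session was in effect.
func get(c *http.Client, url, path string) (Observation, error) {
	resp, err := c.Get(url + path)
	if err != nil {
		return Observation{}, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil || resp.TLS == nil {
		return Observation{}, fmt.Errorf("%s: read failed or not over TLS: %v", path, err)
	}
	// DidResume is true when the handshake used a cached session ticket instead of
	// a full handshake with certificate exchange.
	return Observation{Path: path, TLSResumed: resp.TLS.DidResume, Body: string(body)}, nil
}

// run makes three requests, each on a fresh TCP+TLS connection: /login with a cookie jar,
// /whoami with the same jar, then /whoami with no jar but the same TLS session cache.
func run() ([]Observation, error) {
	srv := newSessionServer()
	defer srv.Close()
	tr := srv.Client().Transport.(*http.Transport)
	tr.DisableKeepAlives = true // new connection, hence a TLS handshake, per request
	// net/http caches no TLS sessions unless told to; this is what enables resumption.
	tr.TLSClientConfig.ClientSessionCache = tls.NewLRUClientSessionCache(16)
	jar, _ := cookiejar.New(nil) // only fails for a bad PublicSuffixList; nil is fine
	withCookies := &http.Client{Transport: tr, Jar: jar}
	noCookies := &http.Client{Transport: tr} // same TLS cache, but presents no cookies
	var out []Observation
	for _, s := range []struct {
		client *http.Client
		path   string
	}{{withCookies, "/login"}, {withCookies, "/whoami"}, {noCookies, "/whoami"}} {
		o, err := get(s.client, srv.URL, s.path)
		if err != nil {
			return nil, err
		}
		out = append(out, o)
	}
	return out, nil
}

func main() {
	obs, err := run()
	if err != nil {
		panic(err)
	}
	for _, o := range obs {
		fmt.Printf("%-8s TLS resumed=%-5v HTTP session says: %s\n", o.Path, o.TLSResumed, o.Body)
	}
}
```

The first request pays for a full handshake and gets a cookie; the second request is carried by a resumed TLS session and is still "alice" because the cookie came along; the third request is also carried by a resumed TLS session (the cache is shared) yet is "anonymous", because the HTTP session lives in the cookie and nowhere in the TLS state. Note that `net/http` does not enable TLS session resumption on its own; the `ClientSessionCache` line is what turns it on.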