What is the scope of an HTTP session?

Question

What exactly is the scope of an HTTP session?

I've been googling this but can't seem to get a straight answer- A session is supposed to get cleared out "when a user closes their browser", but that's unclear to me- Does that mean closing the browser window, or quitting the browser application? Does a user with two browser windows open at the same time maintain two different sessions? And are browser tabs always part if the same session?

Answer 1

This will depend on how you are tracking sessions in your application.

By default they are tracked by HttpOnly cookies. This means that if the user closes the current tab, he doesn't loose the session. If he closes the browser though he looses the session.

If you use a cookieless mode to track sessions (cookieless="true"), ASP.NET will append a custom token to all urls meaning that a user can be logged with 2 different sessions on 2 different tabs of the same browser instance.

Answer 2

The answer to all of your questions is "it depends".

Multiple browser windows can be multiple sessions or they can be the same session. It depends on the browser behavior and how you opened the windows.

In IE, there is a menu option for 'New Window' and one for 'New Session'. The 'New Window' option will keep the same session, the 'New Session' option will open a new window with a different session. You can also get a new session in IE by holding the shift key as you start the browser.

If you have to be sure all sessions are ended, close all browser windows.

Answer 3

Session cookies are usually deleted when the whole browser exits. Since multiple tabs/windows share the same cookies, those tabs/windows will use the same session.

However, an application could also pass the session identifier through the URL. In this case every tab/window would have its own session as long as you don't open it through a link with a valid session id.