What exactly is the scope of an HTTP session?
I've been googling this but can't seem to get a straight answer- A session is supposed to get cleared out "when a user closes their browser", but that's unclear to me- Does that mean closing the browser window, or quitting the browser application? Does a user with two browser windows open at the same time maintain two different sessions? And are browser tabs always part if the same session?
Overview of HTTP Sessions A session is defined as a series of related browser requests that come from the same client during a certain time period. Session tracking ties together a series of browser requests—think of these requests as pages—that may have some meaning as a whole, such as a shopping cart application.
For example: suppose a user wants to know some information like total bill amount (shopping website) then the request is send to server, business logics are applied processing is done and then the response is shown back to user. Sessions are the entire conversation that occurs between a server and a client.
This will depend on how you are tracking sessions in your application.
By default they are tracked by HttpOnly cookies. This means that if the user closes the current tab, he doesn't loose the session. If he closes the browser though he looses the session.
If you use a cookieless mode to track sessions (cookieless="true"
), ASP.NET will append a custom token to all urls meaning that a user can be logged with 2 different sessions on 2 different tabs of the same browser instance.
The answer to all of your questions is "it depends".
Multiple browser windows can be multiple sessions or they can be the same session. It depends on the browser behavior and how you opened the windows.
In IE, there is a menu option for 'New Window' and one for 'New Session'. The 'New Window' option will keep the same session, the 'New Session' option will open a new window with a different session. You can also get a new session in IE by holding the shift key as you start the browser.
If you have to be sure all sessions are ended, close all browser windows.
Session cookies are usually deleted when the whole browser exits. Since multiple tabs/windows share the same cookies, those tabs/windows will use the same session.
However, an application could also pass the session identifier through the URL. In this case every tab/window would have its own session as long as you don't open it through a link with a valid session id.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With