0

I am trying to understand, how exactly the session management mechanism in a stateless web application works. Currently I am using Play Framework but I think the mechanism should be the same for all of the stateless web frameworks

this is from the documentation of play framework: (link)

It’s important to understand that Session and Flash data are not stored by the server but are added to each subsequent HTTP request, using the cookie mechanism

and

Of course, cookie values are signed with a secret key so the client can’t modify the cookie data (or it will be invalidated).

Now my question is, if the server does not save anything about a session id, how does it authenticate a session coming from a client?!

I did a lot of searching, but I couldn't find out, how the session management on the server side really works.

behzad
  • 965
  • 11
  • 24

1 Answers1

2

Now my question is, if the server does not save anything about a session id, how does it authenticate a session coming from a client?

What play does is it signs your session data through a key say KEY(Its the application.secret that you set in application.conf) and produce a alphanumeric data. Then it attaches both data and encrypted data to cookie and sends it back

ENCRYPTED DATA= 5d9857e8a41f94ecb2e4e957cd3ab4f263cfbdea

DATA = userEmail=sil@st.com&userName=silentprogrammer

If you Inspect the cookie(Right click on browser->Inspect element->Application->Cookie->Your url) in the browser of your running application you can see something like

"5d9857e8a41f94ecb2e4e957cd3ab4f263cfbdea-userEmail=sil@st.com&userName=silentprogrammer"

For each request it gets the data part(userEmail=sil@st.com&userName=silentprogrammer) signs the data again from the KEY and checks it to the alphanumeric data coming from request i.e. 5d9857e8a41f94ecb2e4e957cd3ab4f263cfbdea if the both are equal(if data and encryption key is same) the session is confirmed otherwise session expire. You can confirm this by changing the data part from cookie in browser and sending the request again the session will not exist.

This is what I have observed

singhakash
  • 7,891
  • 6
  • 31
  • 65