DEV Community

Discussion on: Explain sessions Like I'm Five

Casey Brooks

In this fun little example, your access to the park is considered the session, while the green wristband is your session token.

The session itself is how you access the service you are connecting with. As long as you have a valid session, you have access to the resources you want. The concept of a "session" is little more than a server saying "yup, you're supposed to be here, carry on."

The session token is how the server knows your session is valid. It is stored as a cookie on the user's computer, not somewhere within the server. In the example, it would take way too much effort for every employee to know the names and faces of everyone at the park so as to distinguish between one person able to be there and another not. Instead, the server gives you a cookie with your session token in it, so that the next time you go to the server you just present your cookie along with your request. The server looks at the cookie you provide and, based on what's in the cookie, decides whether you can access the resource you requested.

The fact that the wristbands change color every day is considered the session timeout. It is dangerous to let a session be valid indefinitely, and you don't want someone else using your wristband after you've finished with it. So rather than the server keeping track of every session token it gave out and having to remember all that, it just includes the timestamp of when it was created. When inspecting the cookie, if the current time is later than some predetermined time after that cookie was created, then it rejects the request, just like the guard knowing you can't get in the park because your wristband was green when that day required blue.

In the end, the big takeaway is that the server sends you a token when you log in, and it is your job to hold on to that. The server has rules in place for validating the cookie you provide them, but it is your job, not the server's, to remember who you are. This is how it is possible to be logged into a website as two different accounts if you open one in a normal browser window, and another incognito. Your browser keeps all cookies received in an incognito window separate from those in a normal window, and after the tab is closed throws all of them away. This distinction is important to know, because an incognito session definitely doesn't prevent a server from giving you a cookie, and it doesn't immediately throw it away, otherwise you couldn't ever get to any pages behind a login screen. The incognito window does keep session tokens around, it just keeps them separate from your normal session token, and it throws them away after you've closed your incognito window.

Scott Hannen

I love the illustration. Would it be slightly more accurate to say that instead of the required wristband changing color from day to day, that it has a barcode on it that gets scanned when you try to enter? Because everyone entering the park doesn't have the same wristband. They're not comparing your wristband to one expected wristband that every person should have. They're making sure that it matches the record of a paid guest.

Casey Brooks

Yeah, that would be a better metaphor. Mostly, I was basing my analogy off the last water park I had actually been to, which just uses colored wristbands, and the fact that a five-year-old can understand different colors much better than barcodes and records.