Explain sessions Like I'm Five

I never knew how login sessions persist.
I have always used express sessions but I think most of them work the same way.
https://github.com/expressjs/session

Comments

[Casey Brooks]

You're quite the adventurous little 5-year-old, and your favorite thing in the entire world is going to the water park, which happens to be right across the street! You'd go there every day if you could, but your mom just doesn't have that kind of time to take you every day.

Anyway, so one hot July day, your mom does have a free day, and she takes you to the water park. When she bought the tickets, the nice lady at the ticket counter gave you a shiny green wristband. This way anyone working at the park knows you've paid and that you're supposed to be there.

After you've been at the water park for a few hours, racing down the slides, splashing around the water castle, and floating around the lazy river, your mom says it's time to go. You are not happy about that, and you're not leaving without a fight, but in the end your mom won (moms always win) and you go home. But she reassures you that you're just going home to get some lunch (you were starting to get hungry, but you're just having so much fun that you didn't want to leave!), and to keep the wristband on so they will let you back in the park after lunch.

After a few more hours at the water park, and it's starting to get late. This time, you're going home for good. You would fight it this time too, except you're exhausted now from a full day in the sun and the water. You get some dinner, go to bed, and wake up refreshed, ready for another day of fun at the waterpark!

Then suddenly, at the breakfast table with your bowl of cereal, everything comes crashing down. Your mom said she was going to run some errands, and your older brother was going to babysit you. It's like she never even planned on going back today! You are just about to get really upset, when you look down and see the shiny green wristband still on your wrist, and a plan starts to form in your mind. A devilish plan, absolutely guaranteed to give you another day of fun, with or without your mom.

It's all about the wristband. Yesterday, we went home for a bit, and the wristband let us back in, your naughty little 5-year-old mind schemes. I'll just do the same thing today, and walk right in the gates, and since I have the wristband, everyone will assume I'm supposed to be there.

Your mom heads out, and you try really hard to be good, so good that your older brother completely forgets about you as he starts his playing video games. It's at that moment that you slip out the front door, run across the street (of course, looking both ways first), and walk right toward the gate, trying not to look anyone in the eye, because of course, you know you're not actually supposed to be there today.

You're getting closer. 30 feet away. 20 feet. 10 feet. You're right at the gate, you've almost made it!

But then disaster strikes! The guard steps in front of you and says you're not allowed in.

You don't understand. You have the wristband! It let you get in yesterday after lunch! You're so confused, until you look around and see that everyone has blue wristbands today, not green. Apparently, they give a different colored wristband out each day to ensure no one comes in two days in a row without paying. It's at this point that your brother realized you're missing, and you see him run out the front door, calling your name.

Defeated, you shout back and he escorts you home, promising he won't tell mom what you did as long as you don't tattle on him ignoring you either. When your mom comes home, you just tell her what a fun day you had at home, and she's none the wiser. In fact, she's so proud of how well-behaved you were all day that she says the sweetest phrase you've ever heard in your entire life:

"How about we go to the water park again tomorrow?"

[Casey Brooks]

In this fun little example, your access to the park is considered the session, while the green wristband in your session token.

The session itself is how you access the service you are connecting with. As long as you have a valid session, you have access to the resources you want. The concept of a "session" is little more than a server saying "yup, you're supposed to be here, carry on."

The session token is how the server knows your session is valid. It is stored as a cookie on the user's computer, not somewhere within the server. In the example, it would take way too much effort for every employee to know the names and faces of everyone at the part so as to distinguish between one person able to be there and another not. Instead, the server gives you a cookie with your session token in it, so that the next time you go to the server you just present your cookie along with your request. The server looks at the cookie you provide and based on what's in the cookie, decides whether you can access the resource you requested.

The fact that the wristbands change color every day is considered the session timeout. It is dangerous to let a session be invalid indefinitely, and you don't want someone else using your wristband after you've finished with it. So rather than the server keeping track of every session token it gave out and having to remember all that, it just includes the timestamp of when it was created. When inspecting the cookie, if the current time is later than some predetermined time after that cookie was created then it rejects the request, just like the guard knowing you can get in the park because your wristband was green when that day required blue.

In the end, the big takeaway is that the server sends you a token when you log in, and it is your job to hold on to that. The server has rules in place for validating the cookie you provide them, but it is your job, not the server's, to remember who you are. This is how it is possible to be logged into a website as two different accounts if you open one in a normal browser window, and another incognito. Your browser keeps all cookies received in an incognito window separate from those in a normal window, and after the tab is closed throws all of them away. This distinction is important to know, because an incognito session definitely doesn't prevent a server from giving you a cookie, and it doesn't immediately throw it away, otherwise you couldn't ever get to any pages behind a login screen. The incognito window does keep session tokens around, it just keeps them separate from your normal session token, and it throws them away after you've closed your incognito window.

[Scott Hannen]

I love the illustration. Would it be slightly more accurate to say that instead of the required wristband changing color from day to day, that it has a barcode on it that gets scanned when you try to enter? Because everyone entering the park doesn't have the same wristband. They're not comparing your wristband to one expected wristband that every person should have. They're making sure that it matches the record of a paid guest.

[Casey Brooks]

Yeah, that would be a better metaphor. Mostly, I was basing my analogy off the last water park I had actually been to, which just uses colored wristbands, and the fact that a five-year-old can understand different colors much better than barcodes and records.

[Craig Kahle]

A session is essentially an instance of a user/clients interaction with a server.

The server can persist this unique "locker" of information for each client in a number of ways; in memory, files in a tmp/ directory, in a database etc...

Then, a cookie is stored within a client/your browser that has the servers session_id written to it automatically. You would then store a user ID in this cookie upon successful login for example.

From there, you can look up the user by ID once they close their browser and re-visit, without the user having to re-auth.

Let me know if I'm missing anything. This is a great article that I stole the "locker" term from: machinesaredigging.com/2013/10/29/...