1.11.1.2 Session IDs

There are two main ways in which applications can recognise a user, both of which involve identifying the connection using a short string known as a session ID.

In the first method, every URL on a web page is modified to carry the session ID on the end, so that whenever a user clicks on a link the application knows which user is requesting the page. One drawback of this approach is that the session ID can easily be read, because it appears in the address bar of your browser: a malicious onlooker could read the session ID and type the URL into another computer. The application would then treat both users as the same person, because both would be using the same session ID.

The second method involves cookies. A cookie is a simple text file stored by your browser which contains key:value pairs of text. When you request a web page, if your browser has a cookie registered for that domain, it sends that information to the web server before retrieving the page. The web server can then react to the information in the cookie before returning the page. If a session ID is stored in a cookie, the application can read the session ID and therefore keep track of your connection history. Using cookies in this way is more secure than appending a session ID to a URL, because only your web browser knows the cookie information and it cannot be read from your address bar.
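As an added illustration (not code from the original text), the two carriers described above implemented on the server side in Python: rewriting a link to carry the session ID, and reading it back from either the URL or the browser's Cookie header. The parameter name `sid`, the cookie name `SESSION`, the function names and the HttpOnly/Secure cookie attributes are assumptions of this example.

```python
# Added example: session IDs carried in a URL parameter (method 1) versus a
# cookie (method 2). Names and attributes here are assumptions, not the text's.
import secrets
from http.cookies import SimpleCookie
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

SESSION_PARAM = "sid"       # assumed query-string key for the URL method
SESSION_COOKIE = "SESSION"  # assumed cookie name for the cookie method


def generate_session_id() -> str:
    """Unguessable session ID: 32 bytes from the OS CSPRNG, URL-safe encoded."""
    return secrets.token_urlsafe(32)


def append_session_to_url(url: str, session_id: str) -> str:
    """Method 1: rewrite a link so the session ID rides in the query string."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query[SESSION_PARAM] = [session_id]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def session_id_from_url(url: str) -> Optional[str]:
    """Method 1, server side: recover the session ID from the requested URL."""
    values = parse_qs(urlsplit(url).query).get(SESSION_PARAM)
    return values[0] if values else None


def set_cookie_header(session_id: str) -> str:
    """Method 2: Set-Cookie value handing the session ID to the browser.
    HttpOnly keeps it away from page scripts; Secure limits it to HTTPS."""
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = session_id
    cookie[SESSION_COOKIE]["httponly"] = True
    cookie[SESSION_COOKIE]["secure"] = True
    cookie[SESSION_COOKIE]["path"] = "/"
    return cookie.output(header="").strip()


def session_id_from_cookie_header(cookie_header: str) -> Optional[str]:
    """Method 2, server side: read the session ID the browser sent in Cookie:."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get(SESSION_COOKIE)
    return morsel.value if morsel else None


if __name__ == "__main__":
    sid = generate_session_id()
    # Method 1: the ID becomes part of every link, so it shows in the address bar.
    print(append_session_to_url("https://shop.example/cart?item=42", sid))
    # Method 2: the same ID travels only in headers, never in the visible URL.
    print("Set-Cookie:", set_cookie_header(sid))
    print(session_id_from_cookie_header(f"{SESSION_COOKIE}={sid}; theme=dark"))
```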