I'll describe how session works in Java with servlets. This could help you in making your implementation work. First off, I have to mention that session and authentication are two separate functions, although the latter depends on the former.
A session helps the server understand consecutive requests coming from the same browser without a big idle time in between. Take a look at the below example:
- A user opened a browser A, visited your site
- Kept clicking around various links using multiple tabs in browser A
- Left the browser idle for 45 minutes
- Continued clicking on the pages that he left open
- Opened browser B, visited your site
- Closed the tab for your website in browser B
- Opened another new tab in browser B and clicked on a bookmark to
visit your site
Here is the impact on the server-side session for the above steps of the user:
- New session created... let us say JSESSIONID 10203940595940
- Same session applies for all requests from all tabs
- Session expired on the server, and probably some memory was freed on server
- Since Java is not able to locate a session matching JSESSIONID 10203940595940, it creates a new session and asks client to remember new JSESSIONID w349374598457
- Requests from new browser are treated as new sessions because the JSESSIONID contract is between a single browser and the server. So, server assigns a new JSESSIONID like 956879874358734
- JSESSIONID hangs around in the browser till browser is exited. Closing a tab doesnt clear the JSESSIONID
- JSESSIONID is still used by browser, and if not much time elapsed, server would still be hanging on to that session. So, the sesison will continue.
Session use on the server-side:
- A session is just a HashMap which maps JSESSIONIDs with another a
bunch of attributes.
- There is a thread monitoring elapsed time for the sessions, and
removing JSESSIONIDs and the mapped attributes from memory once a
session expires.
- Usually, there is some provision for applications to get an event
alert just when a session becomes ready for expiry.
Implementation details:
- User's browser A sends a request to server. Server checks if there is
a Cookie by name JSESSIONID. If none is found, one is created on the
server. The server makes a note of the new JSESSIONID, the created
time, and the last request time which is the same as created time in
this case. In the HTTP response, the server attaches the new
JSESSIONID as a cookie.
- Browsers are designed to keep attaching cookies for subsequent visits
to the same site. So, for all subsequent visits to the site, the
browser keeps attaching the JSESSIONID cookie to the HTTP request
- So, this time the server sees the JSESSIONID and is able to map the
request to the existing session, in case the session has not yet
expired. In case the session had already expired, the server would
create a new session and attach back the new JSESSIONID as a cookie
in HTTP response.
Authentication mechanisms just make use of the above session handling to detect "new sessions" and divert them to the login page. Also, existing sessions could be used to store attributes such as "auth-status" - "pass" or "fail".