Tags: asp.net, jsp, session, session-state, session-timeout

Difference between JSP/ASP session object Sessions & website User Account Sessions? Are they different?


I was revising the concept of Session Objects in JSP & ASP.Net. I was confused: 'when is an actual Session Object created?' Until recently I thought it was created when a user logs into his account, but now I read in the books that it's implicitly created when the user visits any page on your site.

So when is it actually created? And are JSP sessions different from Website User Account sessions?

If the latter is correct, is a second new Session created when a user actually logs into his account, and the previous session destroyed? E.g. a shopping site may allow a user to select many items & 'Add to My Cart'. What happens to this data after he logs in? Is a new session created internally after destroying the initial one?

If this seems confusing, then you can just specify how a Session is typically implemented in real-world systems (as I'm a student). When is the session typically started? What data is stored in it? What is the typical timeout you set and why?

My research: JSP sessions are abstract concepts and User account sessions are implementation specific. Both are different.


Solution

  • A session is typically implemented by

    • generating a unique token,
    • creating a Session object to hold session data and store it in a map, indexed by the unique token,
    • sending a session cookie containing this token to the browser.

    Each time a request comes in from this browser, it contains the cookie, and the container can thus retrieve the appropriate session from its internal map of sessions.

    So yes, a session can exist before a user is authenticated, or even without authentication at all. And when a user is authenticated, he keeps the same session. The only difference is that you typically add the user ID in the session, in order to associate the user with the session.

    You could thus, for example, let anonymous users shop and add items to their cart in the session, and only ask them to authenticate once they need to pay (to retrieve their stored account). Or you could let them add items to their cart, and never authenticate them at all.
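The mechanism the answer describes (random token, server-side map keyed by that token, cookie carrying the token, same session before and after login) as an added, self-contained illustration in Python. This is not code from the question or the answer and not how any particular container (Tomcat's JSESSIONID, ASP.NET_SessionId) is implemented internally; the cookie name `SESSIONID`, the 30-minute idle timeout, the `handle_request` helper and the `FakeClock` are assumptions made for the example. It goes one step beyond the answer on two points a practitioner cares about: the token is rotated at login so a session ID planted by an attacker before authentication (session fixation) is not carried into the authenticated session, and a session that sits idle past the timeout is discarded.

```python
import secrets
import time
from dataclasses import dataclass, field

SESSION_COOKIE = "SESSIONID"   # assumed cookie name; real containers use JSESSIONID / ASP.NET_SessionId
IDLE_TIMEOUT = 30 * 60         # assumed idle timeout in seconds; 30 minutes is a common container default


@dataclass
class Session:
    """Per-browser server-side state. 'data' is what app code reads and writes."""
    data: dict = field(default_factory=dict)
    last_seen: float = field(default_factory=time.time)


class FakeClock:
    """Controllable clock so idle expiry can be exercised without sleeping (test aid, not production)."""
    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t


class SessionStore:
    """In-memory map token -> Session, the structure the answer above describes."""

    def __init__(self, now=time.time):
        self._sessions = {}
        self._now = now

    @staticmethod
    def _new_token():
        # Unpredictable token from the OS CSPRNG; a guessable ID would let anyone hijack sessions.
        return secrets.token_urlsafe(32)

    def create(self):
        token = self._new_token()
        self._sessions[token] = Session(last_seen=self._now())
        return token

    def get(self, token):
        """Return the live session for a token, or None if the token is unknown or idle-expired."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if self._now() - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[token]      # expired: drop it and treat the request as anonymous
            return None
        s.last_seen = self._now()          # any request keeps the session alive
        return s

    def rotate(self, token):
        """Move the session to a fresh token while keeping its data (session fixation defence)."""
        s = self._sessions.pop(token)
        new_token = self._new_token()
        self._sessions[new_token] = s
        return new_token


def set_cookie_header(token):
    # HttpOnly keeps script from reading the token, Secure keeps it off plain HTTP,
    # SameSite=Lax blocks most cross-site requests from carrying it.
    return f"{SESSION_COOKIE}={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


def handle_request(store, cookies, action, **params):
    """Simulate one HTTP request. Returns (response_headers, session_token_in_effect)."""
    token = cookies.get(SESSION_COOKIE)
    session = store.get(token) if token else None
    headers = {}
    if session is None:
        # First visit (or expired/forged cookie): the container creates a session implicitly,
        # long before any login happens.
        token = store.create()
        session = store.get(token)
        headers["Set-Cookie"] = set_cookie_header(token)
    if action == "add_to_cart":
        session.data.setdefault("cart", []).append(params["item"])
    elif action == "login":
        # Login does not create a second session: it binds the user ID to the existing one,
        # so the anonymous cart survives. Only the token is replaced.
        session.data["user_id"] = params["user_id"]
        token = store.rotate(token)
        headers["Set-Cookie"] = set_cookie_header(token)
    return headers, token


if __name__ == "__main__":
    store = SessionStore()
    _, tok = handle_request(store, {}, "add_to_cart", item="book")
    _, tok = handle_request(store, {SESSION_COOKIE: tok}, "login", user_id="alice")
    print(store.get(tok).data)
```

The cart added anonymously is still present after login because the `Session` object is the same one; only its key in the map changed. With a real container you get the same effect from `HttpSession`/`Session` plus an explicit ID regeneration call at login (Servlet 3.1's `HttpServletRequest.changeSessionId()`, for example).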