How do sessions work?

Tad Whitaker
3 min read · Jul 5, 2020

If you find value in this story, please consider making a donation to the [HS]2 program. It prepares a group of first-generation and/or low-income students of color to succeed in college by empowering them with STEM-based skills, a family of driven peers, and a space to see the light and power in their own voices. Even $1 helps by demonstrating broad support to larger institutions considering donations.

Way back when I started using the internet, I used Hotmail.com for email. I had to type my username and password to access the authenticated dashboard for viewing my email. However, if I used that same browser window (this was before tabs) to visit Amazon.com and then returned to check my email for confirmation of my purchase, I’d have to re-enter my username and password. Ugh. That was so irritating.

Using Hotmail in 1999

Why isn’t it still irritating?

These days, when you enter your username and password into a web site, the server on the other end verifies that they match and returns a session token. This token sits inside the guts of your browser and has a life span. That life span could be forever, so you’d never have to re-enter your username/password, or it could be as short as 1 second, so you’d have to re-enter them every time you visited. Web sites can also choose not to use sessions at all, so you have to log in every time you visit, but that has such a negative effect on user experience that no consumer-based web sites do that.

So who establishes the length that the token will work?

The engineers at the web site who developed the authentication system.

How do they decide the amount of time a token will work?

There is no set formula. Engineers must weigh the data they’re protecting against their users’ perceived willingness to tolerate logging in.

If I log into Gmail.com using Chrome, why do I have to re-authenticate on Safari?

The token is only valid inside the browser where you authenticated. Tokens don’t sit on your hard drive in a way that all browsers can access them. Because you logged into Gmail using Chrome, the token resides inside the guts of that browser. When you open Safari, there are no Gmail.com tokens. You must submit your username and password to Gmail to obtain one for the Safari browser. At that point, you’ll have a session token in your Safari browser that will last
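To make the token life span and the per-browser storage concrete, here is an added Python sketch of a server-side session store; it is not code from the original post, and the 30-minute lifetime, the single user record and the two cookie jars standing in for Chrome and Safari are constructed for the example.

```python
import secrets
import time

SESSION_TTL_SECONDS = 1800  # assumed 30-minute life span chosen by the site's engineers

# Server-side store: opaque token -> (username, expiry timestamp).
# The token is the only thing the browser ever holds; the user data stays here.
_sessions = {}

# Constructed credentials for this example only; a real server compares a password hash.
_USERS = {"alice": "correct horse battery staple"}


def login(username, password, now=None):
    """Verify credentials and, on success, mint an unguessable session token."""
    now = time.time() if now is None else now
    if _USERS.get(username) != password:
        return None
    token = secrets.token_urlsafe(32)  # random, never derived from the user's data
    _sessions[token] = (username, now + SESSION_TTL_SECONDS)
    return token


def current_user(token, now=None):
    """Return the user bound to a token, or None if it is unknown or has expired."""
    now = time.time() if now is None else now
    entry = _sessions.get(token)
    if entry is None:
        return None
    username, expires_at = entry
    if now >= expires_at:
        del _sessions[token]  # a lapsed token is dropped, forcing a fresh login
        return None
    return username


def browser_visit(cookie_jar, now=None):
    """One request from a browser; the jar is that browser's private token storage."""
    return current_user(cookie_jar.get("session"), now)


def demo():
    t0 = 1_000_000.0
    chrome, safari = {}, {}  # each browser keeps its own jar, so tokens never cross over
    chrome["session"] = login("alice", "correct horse battery staple", now=t0)
    return (
        browser_visit(chrome, now=t0 + 60),                      # "alice": still valid
        browser_visit(safari, now=t0 + 60),                      # None: Safari has no token
        browser_visit(chrome, now=t0 + SESSION_TTL_SECONDS + 1), # None: token expired
    )
```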

How long does that Gmail session last?

For more information about how Gmail sessions work, visit Google’s Documentation on them.
