
Lecture 24 described how cookies are used to identify a user so that the correct session object can be used for that user. Let's take a closer look at that now.

  1. First, open a private window in the browser. Private windows start with no cookies, so this is effectively the same as having a different user using the system.

  2. In the private window, add a couple of students whose details differ from the ones you used previously.

  3. Notice that the students the non-private user can see are not the same students that the private user can see. As mentioned, the private user starts with no cookies, so a new session token cookie will be created for them. This means the private user has a different session to the non-private user.

  4. Click the 'View All Students' link to view the students for the non-private user.

  5. Switch to the tcpflow window and find the most recent GET request. You should see that the header section has a cookie header which has a JSESSIONID cookie. This is the session token.

  6. Do the same for the private user. You should see that the private user has a different session token. It is this token that the server uses to identify which user is sending the request.
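The comparison in steps 5 and 6 can also be done programmatically. The following is an added example, not part of the lab's own materials: it pulls the JSESSIONID out of each request's Cookie header and groups requests by token, which is the same lookup the server performs to pick a session. The capture text, paths and token values are constructed for illustration and assume tcpflow's console output format.

```python
import re
from collections import defaultdict

# Constructed sample resembling tcpflow console output for two browsers
# (addresses, paths and token values are made up for illustration).
SAMPLE_CAPTURE = """\
127.000.000.001.51000-127.000.000.001.08080: GET /students/view HTTP/1.1
Host: localhost:8080
Cookie: JSESSIONID=1A2B3C4D5E6F00112233445566778899

127.000.000.001.51002-127.000.000.001.08080: GET /students/view HTTP/1.1
Host: localhost:8080
Cookie: theme=dark; JSESSIONID=FFEEDDCCBBAA99887766554433221100

127.000.000.001.51004-127.000.000.001.08080: GET /index.html HTTP/1.1
Host: localhost:8080

"""

# Request line, optionally prefixed by the tcpflow flow name.
REQUEST_LINE = re.compile(
    r"^(?:[\d.]+-[\d.]+: )?(GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/\d\.\d$")

def parse_cookie_header(value):
    """Split a Cookie header value into a {name: value} dict."""
    cookies = {}
    for pair in value.split(";"):
        name, sep, val = pair.strip().partition("=")
        if sep:
            cookies[name] = val
    return cookies

def session_tokens(capture):
    """Return (method, path, JSESSIONID or None) for each request seen."""
    results, current = [], None
    for line in capture.splitlines():
        match = REQUEST_LINE.match(line)
        if match:
            current = [match.group(1), match.group(2), None]
            results.append(current)
        elif current is not None and line == "":
            current = None  # a blank line ends the header section
        elif current is not None:
            name, _, value = line.partition(":")
            if name.strip().lower() == "cookie":
                current[2] = parse_cookie_header(value).get("JSESSIONID")
    return [tuple(r) for r in results]

def group_by_session(capture):
    """Group requests by session token, as the server does per request."""
    groups = defaultdict(list)
    for method, path, token in session_tokens(capture):
        groups[token].append(f"{method} {path}")
    return dict(groups)
```

Requests that arrive without a JSESSIONID are grouped under `None`; these are the ones for which the server would create a new session, as happens on the private window's first request.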