Lecture 24 described how cookies are used to identify a user so that the correct session object can be used for that user. Let's take a closer look at that now.
First, open a private window in the browser. Private windows start with no cookies, so this is effectively the same as having a different user using the system.
Add a couple of students with different details to what you have used previously via the private window.
Notice that the students that the non-private user can see are not the same students that the private user can see --- as mentioned, the private user starts with no cookies, so a new session token cookie will be created for them. This means the private user has a different session to the non-private user.
Click the 'View All Students' link to view the students for the non-private user.
Switch to the tcpflow window and find the most recent GET request. You should see that the header section has a cookie header which has a JSESSIONID cookie. This is the session token.
Do the same for the private user. You should see that the private user has a different session token. It is this token that the server uses to identify which user is sending the request.
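The same comparison can be scripted. The following is an added example, not part of the original lab material: it parses captured request headers and extracts the JSESSIONID from each request. The capture text, host, path and token values are constructed for illustration, and the first request represents a private window's initial visit, which carries no cookie at all.

```python
import re
from http.cookies import SimpleCookie

# Constructed sample of captured request headers; the token values are made up.
CAPTURE = """\
GET /students HTTP/1.1
Host: localhost:8080

GET /students HTTP/1.1
Host: localhost:8080
Cookie: JSESSIONID=0A1B2C3D4E5F60718293A4B5C6D7E8F9; theme=dark

GET /students HTTP/1.1
Host: localhost:8080
Cookie: JSESSIONID=F9E8D7C6B5A493827160F5E4D3C2B1A0
"""

# Matches a request line even if the capture tool prefixes it with flow details.
REQUEST_LINE = re.compile(r"\b(GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/\d\.\d\s*$")

def parse_requests(text):
    """Split captured text into requests, each with its path and headers."""
    requests, current = [], None
    for line in text.splitlines():
        match = REQUEST_LINE.search(line)
        if match:
            current = {"method": match.group(1), "path": match.group(2), "headers": {}}
            requests.append(current)
        elif current is not None and ":" in line:
            name, value = line.split(":", 1)
            current["headers"][name.strip().lower()] = value.strip()
        elif not line.strip():
            current = None  # blank line ends the header section
    return requests

def session_token(request):
    """Return the JSESSIONID value, or None if the request carried no such cookie."""
    jar = SimpleCookie()
    jar.load(request["headers"].get("cookie", ""))
    return jar["JSESSIONID"].value if "JSESSIONID" in jar else None

def session_tokens(text):
    """Return one session token (or None) per captured request, in order."""
    return [session_token(r) for r in parse_requests(text)]

if __name__ == "__main__":
    for number, token in enumerate(session_tokens(CAPTURE), start=1):
        print(f"request {number}: {token or 'no session cookie sent'}")
```

Two requests with different tokens belong to different sessions, which is why each user sees only their own students.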