Does an HTTP Session always require a Cookie?

I'm guessing Yes, but I'm not sure.

Both Authenticated Sessions and Anonymous Sessions would r开发者_如何学Pythoneference the stored sessions via the cookie.

It seems that sessions require some way of referencing for the stored session data.

This reference could be stored in a cookie OR added as a parameter in the URL.

I know this is taking you too literally, but it seemed appropriate to point out that HTTP is stateless and therefore does not have sessions. In order to maintain state, either the browser or the server have to persist the state information between requests. Traditionally, the server maintains the state, and by convention this is called a session, but it has nothing to do with HTTP as it is a workaround. Also, a session usually has a very specific connotation to it - namely that it is an individual visit to the site that will expire when it is no longer being used (some period of inactivity). It will also be different for the same user using different computers or browsers.

In order to achieve a server session, the server will generally set aside some information in memory or database to keep track of state and use a piece of identifying information to associate http requests with that state. This is usually a token. The browser needs to include information identifying the session with each http request. It doesn't matter how this happens, as long as the server and browser agree. It is most often a cookie, or url parameter as fallback, but as long as you set up the code right it could also be part of the url itself, part of a POST body, or even a non-standard http header.

The alternative that is becoming more and more popular is to maintain state in the browser and use purely ajax calls to the server. In this scenario, the server does not have to maintain any concept of session, and will simply return the data that is requested in a completely user-agnostic way. Some authentication may still be needed if the data is private, but a session token is not, and no state is kept on the server.

You can pass the session ID around as a query parameter (www.blah.com/index.php?SESSIONID=fADSF124323). But it has to be on every page. PHP has a option to enable this transparently. It is a huge mess. This is why cookies are preferred.

Not necessarily, some sites use a session ID value present in the URL that represents the session and this value gets appended to all links visited by the user.

We have to use it this way at work, since often mobile browsers don't accept cookies and this is the only way to remember a session.

Also there is HTTP-Authentication, not used often anymore today as the browser has to send username and password to the server unencrypted on every request. HTTP-Auth just puts username and password in the header sent by your browser.

you can pretty much uniquely identify people by their browser plugins, fonts, etc.

https://panopticlick.eff.org/

When you're using SSL/TLS, then you could at least theoretically use the SSL session id to reference some state on the server.