Thursday, May 29, 2014

HTTP sessions - way of working

The basic premise of sessions is that only a session ID is stored on the client. On the server, that ID is associated with other "real world" information such as a user name, shopping cart, etc. (This differs from using "raw" cookies to store information such as a user name on the client.) HTTP sessions typically operate as follows:
  • when a client first requests a page where we need to start a session (e.g. the "login" page), our server allocates a random session ID;
  • that session ID is then communicated back to the client;
  • whenever the client subsequently requests a page from our server (or relevant path from our server), it sends back the same session ID;
  • on the server, we can associate information with that session ID;
  • on the server, we can eventually decide that the session has "expired", and/or provide the user with a means to manually
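The steps above as a minimal server-side sketch. This is an added example, not code from the original post; the `SessionStore` class, the `sid` cookie name and the 30-minute idle timeout are assumptions chosen for illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 1800  # assumed idle timeout in seconds (not from the post)

class SessionStore:
    """Server-side map from session ID to the 'real world' data."""

    def __init__(self, ttl=SESSION_TTL, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock
        self._sessions = {}  # sid -> (last_seen, data dict)

    def create(self):
        # Random, unguessable ID from the OS CSPRNG (32 random bytes).
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (self._clock(), {})
        return sid

    def lookup(self, sid):
        """Return the session's data, or None if unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None  # never adopt an ID the server did not issue
        last_seen, data = entry
        if self._clock() - last_seen > self._ttl:
            del self._sessions[sid]  # server decides the session expired
            return None
        self._sessions[sid] = (self._clock(), data)  # sliding expiry
        return data

def set_cookie_header(sid):
    """Set-Cookie value that carries only the ID back to the client."""
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["path"] = "/"
    c["sid"]["httponly"] = True
    c["sid"]["secure"] = True
    c["sid"]["samesite"] = "Lax"
    return c["sid"].OutputString()

def sid_from_request(cookie_header):
    """Extract the session ID the client sent in its Cookie header."""
    c = SimpleCookie()
    c.load(cookie_header)
    return c["sid"].value if "sid" in c else None
```

The user name lives only in the server's dictionary; the client holds nothing but the opaque ID, and an ID the server never issued resolves to no session.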
