This web page http://www.w3schools.com/ASP/prop_sessionid.asp states that a session ID is generated on the ServerSide.
If this is the case, then how does a server know it's still the same client on the 2nd request response cycle?
Surely the SessionId would be generated on the ClientSide so that the client would be sure of passing the same value to the server?
The SessionID is generated Server Side, but is stored on the Client within a Cookie. Then everytime the client makes a request to the server the SessionID is used to authenticate the existing session for the client.
The session ID is normally generated on the server. It's then sent to the client, either as a cookie in the HTTP headers, or by including it in the HTML, i.e. the links become href=my.html?sessionid=1234.
The client's next request will then contain the session Id, either in the cookie or the GET part of the request.
The server will generate a session id if none exists. But once it has been generated, the client can pass that id back to the server. If the client modifies that id, you would likely get an error from the server, and a new id generated.
The ID is generated on the server. The client then stores this in a session cookie that the server picks up on subsequent request.
If the server is running in cookie-less mode, then the session key becomes part of the URL and the server parses it from there.
ADDED: ...and if the server is expecting to use a session cookie but the client has cookies disabled, then from the perspective of the server, all requests are new sessions as it cannot tell that this is the same user.
来源:https://stackoverflow.com/questions/233867/is-a-session-id-generated-on-the-server-side-or-client-side