The sessionID is already stored in a cookie, so you don't need to manage it. Because HTTP is a stateless protocol, the only way to keep state is through cookies. What happens when you set a session value is that the server looks up a dictionary of items associated with that cookie id (the session ID).
Stateless means that between requests, HTTP has no idea whether you are still there or have closed your browser. So on every request, the browser attaches all cookie values for the domain to the request. When someone visits your site, the SessionId is automatically stored in a cookie. The server then uses that value to look up whatever you set in the user's session.
Depending on the programming language and/or server you use, sessions may be handled differently, but this is usually abstracted away from the programmer.
Now with respect to sessions, there are a number of different things that make them insecure. For example, if an attacker were able to get their hands on your session cookie value, they could replay that cookie and take over your session. So sessions aren't a terribly secure way of storing user information. Instead, what most people do is create an encrypted cookie value with the user's details. The cookie could be a "session cookie", meaning that as soon as the user closes their browser window the cookie is thrown away by the browser. The encrypted cookie contains user information and role information as well as some identifier (usually the client's IP address) to verify that the user who is submitting the request is the same user the cookie was issued to. In most programming languages there are tools that help in abstracting that away as well (such as the ASP.NET membership provider model).
Check out some details on the HTTP protocol and HTTP cookies on Wikipedia first, and check out the membership provider model on ASP.NET; it's a really good tool for helping to secure your site.
http://msdn.microsoft.com/en-us/library/sx3h274z(v=vs.100).aspx
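As an added example (not part of the original answer or of ASP.NET), here is the "cookie carrying user details plus a binding identifier" idea in Python: the value is made tamper-evident with a keyed HMAC rather than encrypted (the assumption being that the claims need integrity, not confidentiality), and `binding` is whatever identifier the server chooses to tie the cookie to the client; the key and the sample values are constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed demo key; a real server loads this from protected configuration.
SERVER_KEY = b"constructed-demo-key-not-for-production"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_cookie(user: str, roles: list, binding: str, ttl: int = 3600, now=None) -> str:
    """Build a cookie value: base64(claims) '.' base64(HMAC-SHA256 over claims)."""
    now = int(time.time()) if now is None else now
    claims = {"user": user, "roles": roles, "bind": binding, "exp": now + ttl}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)

def verify_cookie(cookie: str, binding: str, now=None):
    """Return the claims only if the MAC, the expiry and the client binding all hold."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None  # malformed value, treat as unauthenticated
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None  # modified or forged cookie
    claims = json.loads(payload)  # payload is authentic at this point
    if claims["exp"] <= now:
        return None  # expired, so a stale copy cannot be replayed indefinitely
    if claims["bind"] != binding:
        return None  # presented from a client other than the one it was issued to
    return claims
```

The binding check is what stops a copied cookie from being replayed from elsewhere, so the server must derive `binding` itself from the connection rather than trust anything in the request body.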