Session ID

From Seobility Wiki
Jump to: navigation, search


A session ID is a unique number a server assigns to requesting clients. ID stands for identifier and is used to identify and track user activity. This unique ID can be a number code, numerical code, or alphanumeric code. In computer science, a session is a temporary connection between server and client.

The short version SID (session ID) is also commonly used, for example in the context of web servers.

In the field of search engine optimization (SEO), session IDs are a relevant topic as under certain circumstances they can cause problems with duplicate content.

Methods of transmitting session IDs

Session ID
Figure: Session ID - Author: Seobility - License: CC BY-SA 4.0


If a user visits a website such as an online store, the store server generates an individual session ID assigned to exactly that visitor and that session. This session ID is stored locally on the visitor’s computer within a cookie (also called “session cookie”). If he sends a new request to the server during the session, the cookie with the assigned ID is transmitted along with the request so that the server can assign the communication to the corresponding user.

If that visitor leaves the shopping cart in order to look at other products in the store or even to close the store, the cookie ensures that the session won’t get lost. This way, the shopping cart can be restored as soon as the user returns to the website.

The products in the shopping cart are assigned to the session ID and stored in the session cookie. Each request to the server and each response to the user has to be accompanied by exactly this session ID. Otherwise, a new ID is assigned with the next client request, and the old session is lost.

URL parameter

If the user disabled the storage of cookies in advance, for example by using the function "deactivate cookies", the session ID can be transferred from the server to the browser as a parameter attachment to the URL of the store page. This parameter allows a server to recognize and create sessions, which means that information such as shopping carts or similar can be retrieved again as they are linked to the session.

Example of a URL with session ID attached as a parameter:

The web programming language PHP is able to identify and assign this link. Thus, the shopping cart connected to this session can be retrieved again.

Hidden Form Field

Another form of tracking user behavior is the Hidden Form Field, allowing data to be sent to the server that cannot be seen or changed by the user. For example, a hidden form field can transmit information about which database entry is to be updated. This method can also be used for transmitting session IDs from browser to server.

Session ID and SEO

Using URL parameters to transmit session IDs can lead to duplicate content because Google can find and index the resulting URLs. If different users access the same product or category page, thus generating different parameter attachments of the URL, yet reaching identical content, there is a risk that Google will classify this content as duplicate content. This is important to keep in mind for SEO. However, Google does not actively rank the website in question lower - the relevance of the respective subpage is rather distributed among the numerous URLs with different session IDs. This in turn can have a negative effect on the website’s ranking on Google.

From an SEO perspective, transmitting session-IDs via URL parameters can thus be problematic and should be avoided. If this is not possible, the problem can be solved by using a canonical tag. This way, Google will be signaled that the URL without session ID is the original resource intended for indexing, while URLs with a session ID are not indexed.

Session IDs should not be seen as mandatory and should only be used if they are useful for the site visitor and/or site operator. This may go far beyond the scope of e-commerce.

Session cookie and GDPR

The General Data Protection Regulation (GDPR) has been in force in the EU since May 25, 2018. It does not explicitly regulate the use of session cookies. However, Article 6 of the GDPR states that prior consent to the use of cookies is not necessary if the cookie is required to protect legitimate interests of the person responsible or a third party. Session cookies can also be classified as such. Therefore, the use of session cookies should be specified in the privacy policy.


The use of session IDs is considered relatively safe. However, by manipulating stored session IDs in the browser it is theoretically possible to get the session ID of a third user. This is extremely unlikely if the server that generates individual session IDs draws from a sufficiently large spectrum of codes that are neither sequential nor easy to guess. Apart from this, online shops in the EU often use SSL encryption, which provides an additional level of security. A match would therefore be highly unlikely.

The situation is different when malicious code is intentionally implemented. If an attacker inserts such code into a webshop system via Cross-Site-Scripting (XSS) and a user executes the code via the website, the ID could be transmitted and the entire session could be hijacked, i.e. redirected. The attacker would thus have access to certain customer data and could in turn make an order on behalf of the user.

Related links

Similar articles