AASHUTOSH POUDEL

Computer Networks

Unit 6: Session Layer (Layer 5)

Establishing, managing, and terminating sessions between applications — plus how chat apps and load balancers rely on session state.

What is the session layer?

The Session Layer is responsible for establishing, maintaining, and terminating sessions between two communicating applications. A session is a continuous exchange of information that may consist of many separate requests and responses — for example, a video call, a database connection, or a logged-in web session.

Unit of data: data

Responsibilities

  • Session establishment — sets up a conversation between two endpoints.
  • Session maintenance — keeps the session alive with periodic keep-alives.
  • Synchronisation — inserts checkpoints so a session can resume after a failure (think of resuming a large file upload).
  • Dialog control — decides who can transmit and when (half-duplex / full-duplex).
  • Session termination — gracefully closes the conversation.

Protocols at or around this layer

In modern stacks, “session” features are often built into the application or transport layer, but classical examples include:

  • NetBIOS — session services on Windows networks.
  • RPC (Remote Procedure Call) — function calls across machines.
  • PPTP, L2TP — VPN session protocols.
  • NFS (Network File System) — session-based file sharing.
  • SIP — session initiation for VoIP calls (Zoom, Skype).

Example — a logged-in shopping session

When you log into Amazon:

  1. You authenticate with your email and password.
  2. The server creates a session and gives your browser a session ID (usually stored in a cookie).
  3. Every subsequent request — adding to cart, browsing, checkout — carries that session ID so the server knows it is still you.
  4. After 30 minutes of inactivity (or when you log out), the session is terminated.

Although this happens at the application layer in practice, conceptually it is exactly what the Session Layer is meant to manage.

Real-world scenarios

WhatsApp and Telegram persistent connections

Messaging apps like WhatsApp, Telegram, and Signal keep a long-lived session open between your phone and their servers so that new messages can be pushed instantly. The session has to survive temporary network drops (subway tunnels, elevator, Wi-Fi → 4G handover) and resume seamlessly. WhatsApp internally uses XMPP-like session management on top of TCP/TLS.

Zoom and Google Meet video calls

A Zoom meeting is essentially one big session: the audio, video, screen share, and chat all belong to the same logical session. Behind the scenes, SIP and Zoom’s own session protocols handle session setup, mid-call participant changes, and graceful disconnection.

Sticky sessions in load balancers

When a user logs into a web app, the AWS Application Load Balancer, NGINX, or HAProxy can be configured to stick that user to the same backend server for the duration of their session. This is critical for apps that store session state in memory on a single server (older PHP, Java apps).

Database connection pools

Backends at companies like Stripe, GitHub, and Shopify maintain database connection pools — a fixed number of persistent sessions to the database that are reused across many requests. This avoids the cost of repeatedly opening and closing connections under high load.

SSH sessions

When a DevOps engineer runs ssh user@server, the SSH client establishes an encrypted session that may stay open for hours. Inside that one session, many commands and even file transfers can occur.

Common session-layer problems

  • Session timeout being too short, logging users out unexpectedly.
  • Lost session state when a server crashes (mitigated by storing sessions in Redis or similar distributed stores).
  • Sticky-session imbalance — too much traffic on one backend.
  • Replay attacks — old session tokens being reused (mitigated by short expirations and rotation).