network-programmingauthenticationosi

Application vs. Session Layer of OSI Model


I'm unsure if SO is the best place for this question, but here goes:

Are login & logout procedures part of the Session layer or the Application Layer of the OSI model?

Wikipedia says:

The Session Layer provides the mechanism for opening, closing and managing a session between end-user application processes, i.e. a semi-permanent dialogue. Communication sessions consist of requests and responses that occur between applications.

I'm not clear about whether a session encompasses the complete login/logout process (for eg., when I access my email account).

As far as I managed to grok the meaning of these two layers in the context of my question, I believe the application layer is responsible for managing the authentication & authorization that forms part of login procedures.

Please confirm my suspicions or repudiate with appropriate reasons.


Solution

  • Yes, I believe you are correct. That is, in the OSI model, I agree that the concept of "login/logout" could be considered part of the session layer. It certainly doesn't seem to fall into presentation, and application is far too high-level. Application would be concerned with managing the login/logout procedures (such as prompting the user for the login, saving credentials/cookies, etc.) And it certainly doesn't fall into L4; a TCP connection is an L4 concept, and a login/logout "session" can span multiple TCP sessions.

    For what it's worth, those of us who have worked on networking devices (unless you're working on an application-aware proxy server/WAN optimizer or similar) tend to only think in terms of layers 1-4. (maybe part of L5 if you are working on TCP) The rest of the OSI layers tend to blend together, which is why the TCP/IP model collapses them into one. Those layers are more in the domain of application developers than network engineers.