
What makes a distinct HTTP client for HttpSession?


I understand that by HttpSession (Servlet API document)

The servlet container uses this interface to create a session between an HTTP client and an HTTP server.

I want to know what makes a distinct HTTP client?

I hope the answer can cover the following scenarios:

  1. Does opening a new tab in the same browser make a different client?
  2. Does opening a different browser make a different client?
  3. Is the rule for a server to define a distinct HTTP client universal across all types of servers and client machines and OS?

Solution

  • The fundamental thing to understand here is that HTTP is a stateless protocol: a connection is made from the client to the server, the client issues a request, and the server gives a response; after that the connection is terminated and "forgotten". Nothing from a request is carried over to another request, by virtue of HTTP itself.

    A session is a means of bypassing that fundamental limitation of HTTP, a way of correlating different requests to form a sort of "conversation" involving many requests. By using some sort of session the client tells the server "hey, I was the guy that talked to you before" and the server remembers: "yeah, I remember you, let's continue where we left off". Seems trivial, but HTTP doesn't have a natural way of doing so.

    For example, a very common way of implementing sessions is to use cookies. On first connection, the server sends the client a cookie, then the client sends the same cookie on all subsequent requests so the server knows who is talking. A login token, data in local storage or even hidden HTML fields are possible ways of establishing a session too. Such sessions are what allow the web to have login pages and to come back to the logged-in state. That's also why deleting cookies kicks you out of websites: the server no longer knows who you are.

    So, now going to answer the concrete questions:

    I want to know what makes a distinct HTTP client?

    The only indication of different clients is the "session". The server only knows that to tell them apart or to assume they're the same. If the session identifier is the same (for example, a cookie) the server assumes it's a returning client. If no id is provided the server supposes it's a new client.

    1. Does opening a new tab in the same browser make a different client?

    More often than not, no, it's the same one. Different tabs share cookies and local storage, hence the server will see the same identifiers and link the new tab to the first one. In fact, servers know nothing about tabs (or even browsers) and just look at the request sent.

    Exception: private tabs purposely isolate cookies from the normal ones and won't send them. That's why you need to log in again in a private tab. Entering there will create a second, different session identifier and the server will treat them as separate.

    Another exception: some browsers, natively or through plugins, also isolate cookies/local storage from some tabs, precisely to achieve multiple logins.

    2. Does opening a different browser make a different client?

    Yes. Browsers don't share their internal state and the server won't get the session id of one browser from the other. Unless you manually copy cookies from one to the other.

    3. Is the rule for a server to define a distinct HTTP client universal across all types of servers and client machines and OS?

    The only "universal" thing is that the only basis for identifying clients is the concept of session, but the concrete implementation of them can be VERY different. Session cookies are very common, often provided by application frameworks, but far from universal. Since HTTP in itself doesn't define state, it's up to each application to define it.
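
The cookie-based correlation described in this answer, as an added example that is not part of the original post and is not servlet container code: a minimal Python server issues a random session id in a cookie, and each "browser" is modelled as an independent cookie jar. The cookie name `SID`, the `SESSIONS` table and the helper names are assumptions made for the illustration.

```python
import http.cookiejar, http.server, secrets, threading, urllib.request
from http.cookies import SimpleCookie

SESSIONS = {}  # session id -> number of requests seen (server-side state)

class Handler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        sent = SimpleCookie(self.headers.get("Cookie", ""))
        sid = sent["SID"].value if "SID" in sent else None
        is_new = sid not in SESSIONS        # missing or unknown id: new client
        if is_new:
            sid = secrets.token_urlsafe(32)  # unguessable identifier
            SESSIONS[sid] = 0
        SESSIONS[sid] += 1
        body = f"{sid} {SESSIONS[sid]}".encode()
        self.send_response(200)
        if is_new:
            self.send_header("Set-Cookie", f"SID={sid}; HttpOnly; SameSite=Lax; Path=/")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass

def new_browser():
    """A 'browser' is nothing more than its own cookie jar (no proxy used)."""
    jar = http.cookiejar.CookieJar()
    return urllib.request.build_opener(
        urllib.request.ProxyHandler({}), urllib.request.HTTPCookieProcessor(jar))

def visit(browser, url):
    sid, count = browser.open(url).read().decode().split()
    return sid, int(count)

def demo():
    server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/"
    a, b = new_browser(), new_browser()
    tab1 = visit(a, url)   # no cookie yet: server creates a session
    tab2 = visit(a, url)   # "second tab": same jar, same session, count 2
    other = visit(b, url)  # different browser: empty jar, new session
    server.shutdown()
    server.server_close()
    return tab1, tab2, other

if __name__ == "__main__":
    print(demo())
```

The server never sees tabs or browsers, only whether the request carries an identifier it issued, which is why that identifier has to be unguessable and kept out of reach of page scripts.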