Application vs. Session Layer of OSI Model


I'm unsure if SO is the best place for this question, but here goes:

Are login & logout procedures part of the Session layer or the Application Layer of the OSI model?

Wikipedia says:

The Session Layer provides the mechanism for opening, closing and managing a session between end-user application processes, i.e. a semi-permanent dialogue. Communication sessions consist of requests and responses that occur between applications.

I'm not clear about whether a session encompasses the complete login/logout process (e.g., when I access my email account).

As far as I managed to grok the meaning of these two layers in the context of my question, I believe the application layer is responsible for managing the authentication & authorization that forms part of login procedures.

Please confirm my suspicions or repudiate with appropriate reasons.

3

There are 3 best solutions below

0
On BEST ANSWER

Yes, I believe you are correct. That is, in the OSI model, I agree that the concept of "login/logout" could be considered part of the session layer. It certainly doesn't seem to fall into presentation, and application is far too high-level. Application would be concerned with managing the login/logout procedures (such as prompting the user for the login, saving credentials/cookies, etc.). And it certainly doesn't fall into L4; a TCP connection is an L4 concept, and a login/logout "session" can span multiple TCP sessions.

For what it's worth, those of us who have worked on networking devices (unless you're working on an application-aware proxy server/WAN optimizer or similar) tend to only think in terms of layers 1-4 (maybe part of L5 if you are working on TCP). The rest of the OSI layers tend to blend together, which is why the TCP/IP model collapses them into one. Those layers are more in the domain of application developers than network engineers.
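The point above that a login "session" can span multiple TCP sessions, shown as an added example that is not part of the original answer: a toy loopback HTTP server where each request arrives on its own TCP connection while the login state lives in a server-side table keyed by a cookie. The paths `/login`, `/whoami` and `/logout`, the `sid` cookie and the user `alice` are constructed for illustration.

```python
import http.client, secrets, threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

SESSIONS = {}   # session id -> user: application state, tied to no socket
TCP_PEERS = []  # one (ip, port) entry per accepted TCP connection

class Handler(BaseHTTPRequestHandler):
    log_message = lambda self, *args: None  # keep the demo quiet
    def setup(self):  # runs once per accepted TCP connection
        super().setup()
        TCP_PEERS.append(self.client_address)

    def do_GET(self):
        sid = (self.headers.get("Cookie") or "").removeprefix("sid=")
        if self.path == "/login":  # constructed toy login: no credential check
            sid = secrets.token_urlsafe(16)
            SESSIONS[sid] = "alice"
        elif self.path == "/logout":
            SESSIONS.pop(sid, None)  # logout = delete the server-side state
        body = SESSIONS.get(sid, "anonymous").encode()
        self.send_response(200)
        if self.path == "/login":
            self.send_header("Set-Cookie", f"sid={sid}")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def fetch(port, path, sid=None):  # one request on a brand-new TCP connection
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers={"Cookie": f"sid={sid}"} if sid else {})
    resp = conn.getresponse()
    who, cookie = resp.read().decode(), resp.getheader("Set-Cookie")
    conn.close()
    return who, (cookie.removeprefix("sid=") if cookie else sid)

def demo():
    SESSIONS.clear(); TCP_PEERS.clear()
    with ThreadingHTTPServer(("127.0.0.1", 0), Handler) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        port = server.server_address[1]
        _, sid = fetch(port, "/login")
        during, _ = fetch(port, "/whoami", sid)  # same session, new connection
        fetch(port, "/logout", sid)
        after, _ = fetch(port, "/whoami", sid)   # old cookie replayed after logout
        server.shutdown()
    return {"tcp_connections": len(TCP_PEERS), "during": during, "after": after}

if __name__ == "__main__":
    print(demo())
```

Closing a TCP connection never ends the login here; only deleting the entry in `SESSIONS` does, which is why logout has to invalidate the token on the server.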

0
On

The OSI model is a theoretical reference model (aka not the real thing).

When comparing the TCP/IP stack against the OSI model, you will see that the OSI Session layer is cut in half: half goes to TCP and the other half goes to the application.

Conclusion: for the OSI model, login is part of the session layer, but for TCP/IP, login goes to the application layer.

See Wikipedia on the differences between OSI and TCP/IP.

0
On

The semantic meaning of what is meant by the term logon and logoff could determine the layers involved.

It is possible to take 'logon' to mean 'connect' without including authentication or encryption. Literally - 'logon', I connected... 'logoff', I disconnected.

So while authentication happens inside the application layer (e.g. HTTP name and password) and then the presentation layer takes the name and password and encrypts them to keep them secret, the session layer is where the first literal logon - a.k.a. connection - (and before authentication takes place) happens.

So 'logon' in this example means 'connect' and should not be confused with "website login" or "windows logon", for which these latter two would involve authentication (at application layer) and - sensibly - encryption (at the presentation layer).

However, to take a real-life example, TLS incorporates technologies that would be expected from presentation and application layers and uses them to fashion an encrypted connection that would normally exist at the session layer. It is a pseudo Session layer protocol. As such, I would use TLS as an example of how the OSI model is a theoretical guide and frequently cannot be applied to real world scenarios.