When learning the OSI model, Layers 5 and 6 often feel theoretical compared to the practical application of Layers 3, 4, and 7. For a Software Developer building a modern application that communicates via REST APIs using JSON over HTTPS, how do the functions of Session management (L5) and data formatting/encryption (L6) manifest in real-world code or the network stack? Is the functionality of these layers now fully absorbed into the Application Layer (L7) protocols like TLS and HTTP?
3 answers
You're right, the functionality is largely absorbed, but it's still there! The Presentation Layer (L6) responsibilities like encryption/decryption and data syntax are handled by TLS/SSL, which operates below the HTTP application protocol but above the TCP transport layer—effectively occupying L6's original domain. JSON and XML data formatting/translation are also L6 tasks. The Session Layer (L5) responsibilities—establishing, managing, and terminating sessions—are handled by mechanisms like HTTP session tokens (cookies), JWTs, and the connection management features of the Transport Layer (TCP) itself, which keeps the connection open for continuous data exchange. While a developer may only code at L7 (the application logic), they rely entirely on the L5/L6 functions provided by the underlying operating system and browser/server stack.
If a Software Developer uses a standard framework for API development (like Express or Django), which layer is typically responsible for implementing the checkpointing or synchronization mechanism that the old Session Layer was known for? For example, in a long-running data upload, is it strictly handled by the Application Layer logic, or is there an underlying Transport Layer or Session Layer service that helps manage partial transfer recovery?
The Presentation Layer (L6) is where TLS/SSL encryption and decryption occurs, ensuring data confidentiality. The Session Layer (L5) functions are mostly integrated into the Application Layer (L7) session tokens for managing user state.
James is correct. When an API uses HTTPS, the process that handles the security handshakes and key exchange is a perfect example of the Presentation Layer's core function—preparing data for secure transfer, even if it's technically implemented as part of the Cloud Technology stack or server configuration.
Robert, in modern API development, especially with REST (which is stateless), robust checkpointing and transfer resumption for long-running processes are almost always implemented manually by the Application Layer (L7). This involves custom logic—like writing metadata to a database to track progress or using a custom protocol like gRPC—because the native Session Layer functionality is too generic for today's application-specific recovery needs. HTTP itself is designed for short, atomic requests.