Software Development

What are the practical roles of the Session Layer (L5) and Presentation Layer (L6) in modern Software Development and API communication (REST/JSON)?

LI Asked by Lisa Goldberg · 10-01-2025
0 upvotes 13,552 views 0 comments
The question

When learning the OSI model, Layers 5 and 6 often feel theoretical compared to the practical application of Layers 3, 4, and 7. For a Software Developer building a modern application that communicates via REST APIs using JSON over HTTPS, how do the functions of Session management (L5) and data formatting/encryption (L6) manifest in real-world code or the network stack? Is the functionality of these layers now fully absorbed into the Application Layer (L7) protocols like TLS and HTTP?

3 answers

0
CH
Answered on 15-04-2025

You're right, the functionality is largely absorbed, but it's still there! The Presentation Layer (L6) responsibilities like encryption/decryption and data syntax are handled by TLS/SSL, which operates below the HTTP application protocol but above the TCP transport layer—effectively occupying L6's original domain. JSON and XML data formatting/translation are also L6 tasks. The Session Layer (L5) responsibilities—establishing, managing, and terminating sessions—are handled by mechanisms like HTTP session tokens (cookies), JWTs, and the connection management features of the Transport Layer (TCP) itself, which keeps the connection open for continuous data exchange. While a developer may only code at L7 (the application logic), they rely entirely on the L5/L6 functions provided by the underlying operating system and browser/server stack. 

0
RO
Answered on 01-08-2025

If a Software Developer uses a standard framework for API development (like Express or Django), which layer is typically responsible for implementing the checkpointing or synchronization mechanism that the old Session Layer was known for? For example, in a long-running data upload, is it strictly handled by the Application Layer logic, or is there an underlying Transport Layer or Session Layer service that helps manage partial transfer recovery?

LI 10-08-2025

Robert, in modern API development, especially with REST (which is stateless), robust checkpointing and transfer resumption for long-running processes are almost always implemented manually by the Application Layer (L7). This involves custom logic—like writing metadata to a database to track progress or using a custom protocol like gRPC—because the native Session Layer functionality is too generic for today's application-specific recovery needs. HTTP itself is designed for short, atomic requests.

0
JA
Answered on 03-12-2025

The Presentation Layer (L6) is where TLS/SSL encryption and decryption occurs, ensuring data confidentiality. The Session Layer (L5) functions are mostly integrated into the Application Layer (L7) session tokens for managing user state. 

CH 08-12-2025

James is correct. When an API uses HTTPS, the process that handles the security handshakes and key exchange is a perfect example of the Presentation Layer's core function—preparing data for secure transfer, even if it's technically implemented as part of the Cloud Technology stack or server configuration.

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

Book Free Session