Sessions and cookies

We usually say that HTTP is stateless. What does this mean?

Piraveena Paralogarajah
4 min readAug 20, 2017

Stateless means the server does not know anything about your past requests. Every request from your browser is treated as a new one.

The very first time, you log in to a website and search. You get search results for your request. When you search again, do you log in again? If HTTP is stateless, then you should have to log in again, no? But we don't log in again.

Why?

Magic of cookies

All this magic happens because of cookies, which are less than 4 KB in size.

A session is the period of time that a user spends on a website, so we can think of a session as the time interval between login and logout. This session is maintained using cookies. There are different types of cookies; the cookie used for session management is called a session cookie.

Let's look at session cookies.

We can think of a cookie as an ID card. The first time we go to a company, we don't have an ID card. Without an ID, each day when we enter the company we have to prove our identity.

If we request an ID card when we enter for the first time, the company issues one. After that, we don't need to prove our identity each time we go; the ID card acts as our unique identity. Showing the company ID card is more than enough, and the security guard lets us in.

Similarly, the very first request from a browser to the server carries no cookie. The server therefore sets a new cookie for that browser session and sends it back with the response, and the browser stores the cookie for that domain.

Flow of session management using cookies

  1. The browser sends a new login request R1 to the Facebook server.
  2. Facebook checks whether the browser sent any cookie with the request.
  3. Since this is a new request, there is no cookie, and so no matching session ID in Facebook's database.
  4. So Facebook sends a cookie to your browser and stores its ID on the server side.
  5. The browser then stores that cookie for the Facebook domain.
  6. With each subsequent request to the Facebook domain, your browser sends the cookie in the HTTP Cookie header.
  7. Facebook checks whether it has the ID sent by the browser. If it exists, Facebook uses the session indicated by the cookie.

cookie-expires option

The first option is expires, which indicates when the cookie should no longer be sent to the server and therefore may be deleted by the browser. Without the expires option, a cookie has a lifespan of a single session. A session is defined as finished when the browser is shut down, so session cookies exist only while the browser remains open. This is why you’ll often see a checkbox when signing into a web application asking if you would like your login information to be saved: if you select yes, then an expires option is attached to the login cookie. If the expires option is set to a date that appears in the past, then the cookie is immediately deleted.

cookie-domain option

The next option is domain, which indicates the domain(s) to which the cookie should be sent. By default, domain is set to the host name of the page that set the cookie, so the cookie is sent whenever a request is made to that same host name.

Most web applications use cookies to keep a user logged in while she is using the application. But using cookies has some vulnerabilities: many types of attacks can be performed against plain cookies, such as man-in-the-middle (MITM), cross-site request forgery (CSRF) and cross-site scripting (XSS). So there are mechanisms to prevent session hijacking through cookies.

Piraveena Paralogarajah

Software Engineer @WSO2, CSE Undergraduate @ University of Moratuwa, Former Software Engineering Intern @ WSO2