I want to know the basic working of session cookies. When I tried googling, most of the results that came up were based on some programming language. I am not good at coding, so it will be helpful if someone can explain the working, with the format of the contents inside the cookie, in simple English.
-
http://en.wikipedia.org/wiki/HTTP_cookie – AviD Sep 16 '14 at 08:19
-
How come this is an off topic question? An exploit on session cookies is a major security threat, I believe. – Anandu M Das Sep 16 '14 at 08:26
2 Answers
HTTP, the protocol used to communicate with webservers, without cookies is stateless -- it has no memory. You make an HTTP request -- you tell your browser GET me the information from http://www.example.com/page01.html. The webserver responds to your request and sends back the appropriate data, which your web browser then displays as appropriate. If you then go visit a link to see page02.html, you start from scratch -- your browser asks the webserver GET the data from http://www.example.com/page02.html. Yes, the webserver has your IP address, but if two people on your wifi network (same IP) both visit amazon.com, without cookies there would be no way to follow a unique user as they visit a variety of webpages in a weird order.
For interactive webpages where you can do actions on the web page, they need to keep track of the user to function. E.g., if you go to a shopping website and want to add an item to your cart -- they need to keep track of who you are. You wouldn't want some other user to suddenly see the items in your cart, or lose all the items in your cart every time you change the webpage by clicking a link.
Therefore, websites track users with a session cookie. This is just a small text string -- typically 30 to 100 characters or so, that's randomly created for each user to be unique. They store this identifier in a database, and attach information about each user in their database. E.g., the user with the token e097e1136dc79bc1149e32a8a6bde5ef added 2 of item 38582 to the cart and 1 of item 57372 to their cart.
Then when you fetch a webpage from the dynamic website, you send the website your session cookie with your request -- GET http://www.example.com/dynamic/page/ -- my cookie for example.com is e097e1136dc79bc1149e32a8a6bde5ef -- and then the webserver can look up your session cookie and recall all the information that is saved in the database about you so it can properly render the webpage you are supposed to see.
Note that for a random 32 character session cookie with characters being 0-9 a-f, there are 2^128 ~ 340 282 366 920 938 463 463 374 607 431 768 211 456 possible session cookies. So even if a billion attackers tried a billion session cookies every second and did this for a billion years, there'd only be a 1 in 10000 chance they'd find your random session cookie.
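As an added example (not part of the answer above), here is a minimal Python sketch of the round trip the answer describes: the server mints a random 32-hex-character token, keeps per-user state under it, hands it to the browser in a Set-Cookie header, and on every later request parses the browser's Cookie header and looks the token up. The cookie name `sid`, the in-memory dict standing in for the database, and the item numbers are assumptions; the sample cookie headers are constructed. The last function works the brute-force arithmetic from the answer's final paragraph, and `rotate_session` shows one way the token can be changed at login while the user's state is kept, which the comments under the second answer ask about.

```python
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional

# Constructed stand-in for the server-side database the answer describes:
# session token -> per-user state. A real server uses a DB or cache with expiry.
SESSIONS: Dict[str, dict] = {}

COOKIE_NAME = "sid"  # assumed cookie name; every site picks its own


def new_session() -> str:
    """Start a session: a random 32-hex-character token (128 bits) with an empty cart."""
    token = secrets.token_hex(16)  # 16 CSPRNG bytes -> 32 chars drawn from 0-9 a-f
    SESSIONS[token] = {"cart": {}}
    return token


def set_cookie_header(token: str) -> str:
    """The Set-Cookie header the server sends so the browser stores the token.
    HttpOnly hides it from page scripts, Secure restricts it to HTTPS, and
    SameSite=Lax stops most cross-site requests from carrying it along."""
    return f"{COOKIE_NAME}={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


def token_from_header(cookie_header: Optional[str]) -> Optional[str]:
    """Parse the browser's 'Cookie:' header (e.g. 'theme=dark; sid=ab12...') and
    return the value of our session cookie, or None if it is not there."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel is not None else None


def session_from_request(cookie_header: Optional[str]) -> Optional[dict]:
    """Server side of every later request: look the presented token up.
    None means 'treat as a stranger' (no cookie, or an unknown/forged token)."""
    token = token_from_header(cookie_header)
    return SESSIONS.get(token) if token is not None else None


def add_to_cart(cookie_header: str, item: int, qty: int) -> Optional[dict]:
    """Mutate the cart that belongs to whoever presented this cookie."""
    session = session_from_request(cookie_header)
    if session is None:
        return None
    cart = session["cart"]
    cart[item] = cart.get(item, 0) + qty
    return cart


def rotate_session(cookie_header: str) -> Optional[str]:
    """Replace the token but keep the state, as a site would at login. The old
    token stops working at once, so a copy of it taken earlier is now useless."""
    token = token_from_header(cookie_header)
    if token is None or token not in SESSIONS:
        return None
    state = SESSIONS.pop(token)
    new_token = secrets.token_hex(16)
    SESSIONS[new_token] = state
    return new_token


def guess_probability(attackers: float = 1e9, guesses_per_second: float = 1e9,
                      years: float = 1e9, hex_chars: int = 32) -> float:
    """Fraction of the 16**32 = 2**128 token space the attackers of the answer's
    thought experiment can cover; that is their chance of hitting one live token."""
    attempts = attackers * guesses_per_second * years * 365 * 24 * 3600
    space = 16 ** hex_chars
    return attempts / space


if __name__ == "__main__":
    alice = new_session()
    print("Set-Cookie:", set_cookie_header(alice))
    add_to_cart(f"{COOKIE_NAME}={alice}", 38582, 2)
    add_to_cart(f"{COOKIE_NAME}={alice}", 57372, 1)
    bob = new_session()  # same IP or not, a different token is a different cart
    add_to_cart(f"theme=dark; {COOKIE_NAME}={bob}", 38582, 5)
    print("alice sees:", session_from_request(f"{COOKIE_NAME}={alice}"))
    print("bob sees:  ", session_from_request(f"{COOKIE_NAME}={bob}"))
    print("forged token:", session_from_request(f"{COOKIE_NAME}={'0' * 32}"))
    print("chance of guessing one token:", guess_probability())
```

The two carts never mix because the only thing tying a request to a user is the token, and a token that is not in the store (forged, expired, or rotated away) maps to nothing. `guess_probability()` comes out at roughly 9e-5, i.e. about one in ten thousand, matching the answer's estimate.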
When you sign in to a site, a token is generated that identifies your session. This token is then stored in a cookie, so as long as you keep the cookie (and it doesn't expire), you will be signed in directly every time you access the site.
That's why it's important to delete cookies (or, better, use safe mode) when you are on a public PC.
-
Does the value of the token always remain the same, or will it be changed to another? Actually, it should change to provide better security, right? – Anandu M Das Sep 16 '14 at 07:28
-
It has to remain the same at least until your next login, otherwise it wouldn't identify your session. What I don't know is whether it is updated once you visit the site again, or is always the same until you manually delete it or it reaches the expiration date. In any case, the result is the same: a cookie that identifies you. – The Illusive Man Sep 16 '14 at 07:35
-
I would like to do some small research on this. Hope this will surely help. Thanks – Anandu M Das Sep 16 '14 at 07:52
-
@AnanduMDas you asked for a solution in simple English, and you got it. But it seems you would rather have a technical solution. – The Illusive Man Sep 16 '14 at 08:20
-
I was starting to research this topic, so to get a base on the topic I asked it here. Your answer really helps. Further I shall do on Google. Thanks – Anandu M Das Sep 16 '14 at 08:24