[Cookies and Sessions] #Cookie #Session

0 - Stateless applications.md

• Web application servers are generally "stateless":
  • Each HTTP request is independent; server can't tell if 2 requests came from the same browser or user.
  • Web server applications maintain no information in memory from request to request (only information on disk survives from one request to another).
• Statelessness not always convenient for application developers: need to tie together a series of requests from the same user.

1 - Browser cookies.md

• Cookie basics:
  • The first time a browser connects with a particular server, there are no cookies.
  • When the server responds it includes a Set-Cookie: header that defines a cookie.
  • Each cookie is just a name-value pair.
  • In the future whenever the browser connects with the same server, it includes a Cookie: header containing the name and value, which the server can use to connect related requests.
• What's in a cookie?
  • Name and data.
    • Data size limited by browsers (typically < 4 KB).
    • A server can define multiple cookies with different names, but browsers limit the number of cookies per server (around 50).
  • Domain for this cookie: server, port (optional), URL prefix (optional). The cookie is only included in requests matching its domain.
  • Expiration date: browser can delete old cookies.

2 - Sessions.md

• Cookies are used by the server to implement sessions:

  • A pool of data related to an active connection (one browser instance).

• Typically the cookie for an application contains an identifier for a session.

• Web frameworks like Rails do most of the work of managing sessions and cookies:

  • Rails provides session, a hash-like object in which you can store anything you like
    • Data will be available in all future requests from the same browser.
  • Rails automatically checks for a session cookie at the start of each request:
    • Cookie exists? use it to find session data
    • No cookie? Create new session, new cookie
  • End of each request: save session data where it can be found by future requests.

• Managing session state:

  • Approach #1: just keep state in main memory
  • Approach #2: store session state in files on disk
  • Approach #3: store session state in a database
  • Most frameworks allow you to control session storage:
    • Provide an object that saves and restores session data.

• Server must eventually delete stale session data.

• Sessions have numerous security issues, which we will discuss later.

3 - Cookie VS Session.md

A cookie is a bit of data stored by the browser and sent to the server with every request.

A session is a collection of data stored on the server and associated with a given user (usually via a cookie containing an id code)

Understanding Cookies and Sessions

What is a "Cookie"?

A cookie is a small piece of text stored on a user's computer by their browser. Common uses for cookies are authentication, storing of site preferences, shopping cart items, and server session identification.

Each time the users' web browser interacts with a web server it will pass the cookie information to the web server. Only the cookies stored by the browser that relate to the domain in the requested URL will be sent to the server. This means that cookies that relate to www.example.com will not be sent to www.exampledomain.com.

In essence, a cookie is a great way of linking one page to the next for a user's interaction with a web site or web application.

What is a "Session"?

A session can be defined as a server-side storage of information that is desired to persist throughout the user's interaction with the web site or web application.

Instead of storing large and constantly changing information via cookies in the user's browser, only a unique identifier is stored on the client side (called a "session id"). This session id is passed to the web server every time the browser makes an HTTP request (ie a page link or AJAX request). The web application pairs this session id with it's internal database and retrieves the stored variables for use by the requested page.