Cookies and Sessions
Sometimes websites need to track the movement of visitors, and in particular they need to know when a user is logged in. For example, when you log into Gmail and then navigate to Gmail's 'Compose Mail' page, it does not ask you to log in again: it 'remembers' that you are already logged in. Websites remember and track logged-in users using cookies and sessions. Let us see how this works.
Cookies
A cookie is a small piece of text stored in our browser. Our browser stores cookies associated with every domain we browse. Common uses for cookies are authentication, storing site preferences, server session identifiers, etc. Each time we visit some domain (www.example.com), our browser (Firefox, for example) interacts with the web server corresponding to that domain and sends it the cookie information relevant to it. Only the cookies stored by the browser that are relevant to the domain in the requested URL are sent to the server. This means that cookies belonging to www.example.com will not be sent to www.exampledomain.com. The cookie enables the web server to identify the user who is browsing any of its web pages.
Sessions
A session is used to store data on the web server. Whenever we browse a new website, a new session is created on the web server and a corresponding cookie is created in our browser. Now, when we navigate to any web page on the same web server, our browser sends the cookie information stored in our browser to the web server. The web server matches this cookie with the session stored on it. If the cookie and session match, then authentication is confirmed and the web server knows which user is accessing it. This is how a website understands that we are logged in. Now, suppose we close the browser without logging out. In this case, the cookie stored in our browser gets destroyed. However, the session remains on the server. Now, if we come back to the same web page, the cookie information sent by our browser to the web server will not match the session information stored on it. Therefore, we will not be treated as the same user. However, if we are somehow able to manipulate the cookie information and make it the same as it was when we were logged in, then the web server would treat us as a logged-in user. Also, when we tick the 'Remember me' option on any website and then close the browser, the cookie corresponding to that website will not be deleted. When we log out of the website, both the cookie and the session get destroyed.
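The following is an added example, not code from the original article, that simulates both halves of the mechanism described in the Cookies and Sessions sections above: a server-side session store keyed by an unguessable session id, and a browser-side cookie jar that only releases cookies to their own domain, discards session cookies on browser close, and keeps 'Remember me' (persistent) cookies. The names (SessionStore, CookieJar, the SESSIONID cookie, the domains) are assumptions chosen for the example; the expire_idle sweep goes beyond the text by showing how a server avoids accumulating the orphaned sessions the article mentions.

```python
import secrets
import time


class SessionStore:
    """Server side: maps an opaque session id to the data the server keeps for that user."""

    def __init__(self):
        self._sessions = {}

    def create(self, username):
        # The cookie value carries only this random id; user data never leaves the server.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": username, "created": time.time()}
        return sid

    def lookup(self, sid):
        # A cookie value "matches" when it names a session the server still holds.
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None

    def destroy(self, sid):
        self._sessions.pop(sid, None)

    def count(self):
        return len(self._sessions)

    def expire_idle(self, max_age_seconds):
        # Housekeeping: drop sessions whose browser-side cookie may be long gone.
        now = time.time()
        stale = [s for s, e in self._sessions.items() if now - e["created"] >= max_age_seconds]
        for s in stale:
            del self._sessions[s]
        return len(stale)


class CookieJar:
    """Browser side: cookies scoped by domain; session cookies vanish when the browser closes."""

    def __init__(self):
        self._cookies = {}  # (domain, name) -> {"value": str, "persistent": bool}

    def set_cookie(self, domain, name, value, persistent=False):
        self._cookies[(domain, name)] = {"value": value, "persistent": persistent}

    def cookies_for(self, domain):
        # Only cookies stored for the requested domain are sent with the request.
        return {n: c["value"] for (d, n), c in self._cookies.items() if d == domain}

    def delete(self, domain, name):
        self._cookies.pop((domain, name), None)

    def close_browser(self):
        # 'Remember me' cookies are persistent and survive; plain session cookies do not.
        self._cookies = {k: c for k, c in self._cookies.items() if c["persistent"]}


def login(server, jar, domain, username, remember_me=False):
    sid = server.create(username)
    jar.set_cookie(domain, "SESSIONID", sid, persistent=remember_me)
    return sid


def who_am_i(server, jar, domain):
    # What the server learns from the cookies the browser sends for this domain.
    return server.lookup(jar.cookies_for(domain).get("SESSIONID"))


def logout(server, jar, domain):
    sid = jar.cookies_for(domain).get("SESSIONID")
    if sid:
        server.destroy(sid)       # session gone on the server ...
    jar.delete(domain, "SESSIONID")  # ... and cookie gone in the browser


def demo():
    server, jar, domain = SessionStore(), CookieJar(), "www.example.com"
    r = {}
    login(server, jar, domain, "alice")
    r["logged_in"] = who_am_i(server, jar, domain)
    r["cookie_sent_to_other_domain"] = "SESSIONID" in jar.cookies_for("www.exampledomain.com")
    jar.close_browser()
    r["after_close"] = who_am_i(server, jar, domain)          # cookie lost, session orphaned
    r["sessions_left_on_server"] = server.count()
    login(server, jar, domain, "alice", remember_me=True)
    jar.close_browser()
    r["after_close_remember_me"] = who_am_i(server, jar, domain)
    logout(server, jar, domain)
    r["after_logout"] = who_am_i(server, jar, domain)
    r["orphans_swept"] = server.expire_idle(0)               # sweep everything older than now
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running demo() shows the article's sequence end to end: the server recognises "alice" only while the browser can present the same SESSIONID it issued, the cookie never leaves for www.exampledomain.com, closing the browser orphans the first session on the server, the persistent cookie survives a browser close, and logging out removes both sides.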