PHP
Risent Veber, 2016-08-27 14:20:18

How exactly do sessions and cookies work?

As a rule, when code runs on the server, the programmer has access to storage variables such as cookies and the session. On the client, with JavaScript, we can only access cookies.
As far as I know, cookies are stored on the client (browser), and session on the server.
The following questions arise:

  1. How are cookies synchronized when they are accessed from the server (which HTTP headers are used for this, is it a separate request, or does the browser send some kind of request to the server when they are changed on the client)?
  2. Where exactly is the session data stored, and how does the server know which session data belongs to a specific HTTP request?
  3. Is it true that sessions are just encrypted cookies on the client?
  4. If cookies are disabled on the client side, how are user authorization and session management implemented in that case?

2 answer(s)
Roman Kitaev, 2016-08-27
@risentveber

1. There is no synchronization. The server can only tell the client that it needs to set cookie X to Y with the Set-Cookie header, and read cookies from the request (all cookies are sent with every request to the server).
2. Sessions can be stored on the client (signed cookie session). This uses cookie signing with HMAC, so that the session data cannot be freely modified by the client. But usually sessions are stored on the server. There is a huge choice here: from databases and key-value storages (Redis, for example) to simple files. At the same time, a session ID cookie is sent to the client (this is how the server identifies the user), which an attacker can steal. To protect users from XSS, these cookies are set with the HttpOnly flag, which tells the browser not to give this cookie to scripts such as JS. In this case, stealing the cookie will only be possible by taking possession of the browser, the user's file system, or through a browser bug.
3. See the second answer. In some cases, yes. But rarely.
4. You can pass the session id value in the URL (as a GET parameter), like this: example.com/some/page/?session_id=2af26905dcf31a1d... Some services use this as a fallback option; however, it is very insecure, because any XSS or simple harmless JS like Yandex.Metrica sees the entire URL. So, we send the user to enable cookies.

nuclear_kote, 2016-08-27
@nuclear_kote

Cookies are a file on the client that stores some data in key-value form and is transmitted in the HTTP request header. The session identifier is stored on the client, and the server uses it to look up the data about that client.
