Cookie & Session

Flow

θž’εΉ•ζˆͺεœ– 2020-08-24 δΈ‹εˆ4 40 12

  • user enter username and password and send to server -> doing auth to see whether username or password is matched with the account data from database -> if match create a session to store the relevant data and set cookies with hashed session id-> After login, check whether the session id can be used to find the related session with secret

Cookie

Introduction

  • Cookie is similar with id card

  • When user is logged in, server-side(admin) can send id card (set-cookie) to client-side to prove that user is authenticated, and stored in browser

  • In the request, cookie will be included, so that server can distinguish whether user is authenticated or not

Attributes

Http Only

  • if true, the cookie cannot read by document.cookie on the client side

Secure

  • Cookies will only be sent through https protocol only

Domain & Path

  • The cookie will only be sent when the domain and path specified is included

Life time

  • Define the expiry date through setting expires attribute

  • Define the available time through setting max-age attribute

Same Site

  • For the same site attribute, there are 3 possible values: Strict, Lax and None

  • Strict: cookie will be only sent to the site with the same domain

  • Lax: it is similar with Strict, except that cookies are sent when the user navigates to the cookie's origin site. For example, by following a link from an external site.

  • None: cookie will be sent no matter it is cross-site request or same site request

Third-party cookies

  • Third-party cookie means the cookie from other domain

  • Generally, if third-party is embedded, the cookie with none same-site attribute will be set

  • The server-side can make good use of third-party cookie received from client to do business operation, for example: advertisement

Session

Introduction

  • Sessions are a powerful tool for storing data across different requests while scoping them into single user, different users have different sessions

  • Since some sensitive values (E.g: Authentication status) are not suitable to store into cookie, as it is editable on the browser. Therefore, it is needed to create variable which is independent for each user and store it into server side, which is session

  • The session in the session storage can be stored into database or memory

  • The hashed session id is needed to store into cookie in order to tell server which session the user is belonged to. And only be decrypted in the server-side and return the data from related session

Logout

  • Clear the related session from database/memory, so that session cannot be found anymore even the user own the session id

PreviousPassword ProtectionNextJSON Web Token

Last updated

Was this helpful?