Cookie & Session
The user enters a username and password and sends them to the server -> the server authenticates by checking whether the username and password match the account data in the database -> if they match, it creates a session to store the relevant data and sets a cookie holding the hashed session id -> on requests after login, it checks whether the session id from the cookie can be used, together with the secret, to find the related session
A cookie is similar to an ID card
When the user logs in, the server side (admin) can send an ID card (Set-Cookie) to the client side to prove that the user is authenticated, and the browser stores it
The cookie is included in each following request, so the server can distinguish whether the user is authenticated or not
HttpOnly: if true, the cookie cannot be read by document.cookie on the client side
Secure: the cookie will only be sent over the HTTPS protocol
Domain and Path: the cookie will only be sent when the request matches the specified domain and path
Expires: define the expiry date by setting the expires attribute
Max-Age: define the available lifetime by setting the max-age attribute
For the SameSite attribute, there are 3 possible values: Strict, Lax and None
Strict: the cookie will only be sent to the site with the same domain (same-site requests)
Lax: similar to Strict, except that the cookie is also sent when the user navigates to the cookie's origin site, for example by following a link from an external site
None: the cookie is sent regardless of whether the request is cross-site or same-site
A third-party cookie is a cookie belonging to another domain
Generally, when third-party content is embedded, its cookie has to be set with the SameSite=None attribute
The server side can make use of third-party cookies received from the client for business operations, for example advertising
Sessions are a powerful tool for storing data across different requests while scoping it to a single user; different users have different sessions
Some sensitive values (e.g. authentication status) are not suitable to store in a cookie, because the cookie is editable in the browser. Therefore a variable that is independent for each user and stored on the server side is needed, which is the session
The session store can keep sessions in a database or in memory
The hashed session id needs to be stored in the cookie to tell the server which session the user belongs to; it can only be decoded on the server side, which then returns the data from the related session
Logout: clear the related session from the database/memory, so that the session can no longer be found even if the user still owns the session id
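Added example (not code from the original notes): a minimal in-memory session store that walks through the login, lookup and logout flow above. It hands the browser a random session id in a cookie with HttpOnly, Secure, SameSite=Lax and Max-Age set, keeps only the SHA-256 hash of the id on the server side (so a leaked store does not contain usable ids), and deletes the record on logout. All function and variable names are my own.

```python
import hashlib
import secrets
import time
from typing import Optional

# Constructed in-memory session store, keyed by sha256(session_id).
# A real deployment would keep the same records in a database.
SESSIONS: dict[str, dict] = {}


def _digest(session_id: str) -> str:
    # Only the hash is stored, so the raw id in the cookie cannot be
    # recovered from the store; the server still maps it back by re-hashing.
    return hashlib.sha256(session_id.encode()).hexdigest()


def create_session(username: str, ttl_seconds: int = 3600) -> str:
    """Called after the password check succeeded; returns the raw id for the cookie."""
    session_id = secrets.token_urlsafe(32)  # unguessable, not derived from the user
    SESSIONS[_digest(session_id)] = {"user": username, "expires": time.time() + ttl_seconds}
    return session_id


def set_cookie_header(session_id: str, max_age: int = 3600) -> str:
    # HttpOnly: not readable by document.cookie; Secure: HTTPS only;
    # SameSite=Lax: not sent on cross-site subrequests; Max-Age: lifetime.
    return f"sid={session_id}; Max-Age={max_age}; Path=/; HttpOnly; Secure; SameSite=Lax"


def parse_cookie_header(header: str) -> dict[str, str]:
    """Split a request 'Cookie:' header into name -> value."""
    pairs = (part.strip().split("=", 1) for part in header.split(";") if "=" in part)
    return {name: value for name, value in pairs}


def lookup_session(cookie_header: str) -> Optional[dict]:
    """Return the session record for the request, or None if absent/expired."""
    sid = parse_cookie_header(cookie_header).get("sid")
    if not sid:
        return None
    record = SESSIONS.get(_digest(sid))
    if record is None:
        return None
    if record["expires"] < time.time():
        SESSIONS.pop(_digest(sid), None)  # expired: drop it like a logout
        return None
    return record


def logout(cookie_header: str) -> bool:
    """Delete the server-side record; the id in the browser becomes useless."""
    sid = parse_cookie_header(cookie_header).get("sid")
    return sid is not None and SESSIONS.pop(_digest(sid), None) is not None
```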