The HTTP protocol is stateless, which means that the HTTP protocol will not retain certain information, such as a username, password, or items in an users online shopping cart. Sessions or cookies are used to store information about a user, such as their username, password, or items in their online shopping cart. As the user navigates to different in your website, the users information can be obtained from the session or cookie, which produces a stateful experience for the user.
Cookies are stored in the clients web browser.
In this example, a web app is configured to create a cookie named myname, and the cookie will obtain the users name, which is Bugs in this example.
When navigating to different pages on the site, Bugs can be displayed by writing code that will get the value of the cookie called myname,
One of the issues with cookies is that cookies are vulnerable to being manipulated. For example, a cookie could be creaed where the name is Evil Hacker instead of Bugs. While this is trivial when it comes to a users name, cookies could be a significant vulnerability when dealing with an online shopping cart.
There are a few common ways to create a session.
- Using a cookie
- Using URL rewriting
- Using SSL
Just like cookies, a session can be created by first creating a cookie in the clients web browsers. However, unlike a cookie, the data in a session is not stored in the cookie. Instead, the cookie contain a unique session ID number, and this session ID number correlated to a file on the server tha contains information such as username, password, and items in a users online shopping cart.
In this example, the cookie is created in the clients web browser. However, the cookie does not contain Bugs. This is considered more secure, as it will be more difficult (but not necessarily impossible) for a malicious users to craft an attack that compromises the security of your web app.
One potential problem with both cookies is that a web browser can be configured to block cookies.