Cookies and Sessions Flashcards
characteristics of cookies
A small package of information sent by a server to a browser, and then sent back by the browser on future page requests.
A cookie’s data consists of a single name/value pair, sent in the header of the client’s HTTP GET or POST request.
can only be associated with one domain
what are the uses of cookies
- authentication
- user tracking
- maintaining user preferences, shopping carts, …
how are cookies sent
- when the browser requests a page, the server may send back a cookie(s) with it
- if your server has previously sent any cookies to the browser, the browser will send them back on subsequent requests
- alternate model: client-side JavaScript code can set/get cookies
how do tracking cookies work
and how can users block them
- an advertising company can put a cookie on your machine when you visit one site, and see it when you visit another site that also uses that advertising company
- therefore they can tell that the same person (you) visited both sites
- not accepting “third-party cookies” (browser setting) thwarts this
session cookie vs. persistent cookie
(storage location, deletion process, security)
session cookie: the default type; a temporary cookie that is stored only in the browser’s memory
- when the browser is closed, temporary cookies will be erased
- safer, because no programs other than the browser can access them
persistent cookie: one that is stored as a file on the browser’s computer
- can track long-term information
- less secure; users/programs can open cookie files, see/change the cookie values, etc.
Setting Expiration / Persistent Cookies
- expiration date set —> persistent cookie (in seconds, relative to current timestamp)
- no expiration date set —> session cookie; expires when browser is closed
- time function returns the current time in seconds
- date function can convert a time in seconds to a readable date
how to retrieve information from a cookie
from the $_COOKIE associative array
- use isset function to see whether a given cookie name exists
how to delete a cookie
PHP: setcookie("name", FALSE);
or
set an expiration time in the past (before the present time), so the browser discards the cookie:
setcookie("count", 21, time() - 1);
With how many domains can a cookie be associated?
one domain (e.g. www.example.com)
what is the effect of the cookie attribute Secure and HttpOnly
Secure - ensures the cookie is only sent when using HTTPS
HttpOnly - ensures the cookie is only sent in HTTP/HTTPS requests and cannot be read by client-side JavaScript (document.cookie); this helps mitigate cookie theft by injected scripts (XSS)
define a session and explain why sessions are used
a series of HTTP requests and responses between a specific web browser and server
used when a process between the client (browser) and the server requires multiple requests and responses
because HTTP is stateless (the server does not remember what came before or after a request), sessions are used to keep that state; note that sessions can be hijacked if the session ID is stolen
sessions vs. cookies
sessions end when user logs out or closes browser; cookies may persist
sessions stored on server (only 1 session per client); cookies store data on the user’s browser
sessions are difficult to tamper with (the data stays on the server); cookies are easy to read and modify on the client
sessions protect private information from being seen by other users on your computer; cookies do not
sessions are often built on top of cookies:
- the only data the client stores is a cookie holding a unique session ID
- on each page request, the client sends its session ID cookie, and the server uses this to find and retrieve the client’s session data
how is a session established
- client contacts server
- server notes client’s IP address/browser, stores some local session data
- server sends a session ID back to client (as a cookie)
- client sends that same session ID (cookie) back to server on future requests
- server uses session ID cookie to retrieve its data for the client’s session later
how to start a session in PHP
session_start() signifies that your script wants a session with the user
how to access session data
using the $_SESSION associative array