Cookies and Sessions Flashcards

1
Q

characteristics of cookies

A

A small package of information sent by a server to a browser, and then sent back by the browser on future page requests.

A cookie’s data consists of a single name/value pair, sent in the header of the client’s HTTP GET or POST request.

can only be associated with one domain

2
Q

what are the uses of cookies

A
  • authentication
  • user tracking
  • maintaining user preferences, shopping carts, …
3
Q

how are cookies sent

A
  • when the browser requests a page, the server may send back one or more cookies with the response
  • if your server has previously sent any cookies to the browser, the browser will send them back on subsequent requests
  • alternate model: client-side JavaScript code can set/get cookies
4
Q

how do tracking cookies work

and how can users block them

A
  • an advertising company can put a cookie on your machine when you visit one site, and see it when you visit another site that also uses that advertising company
  • therefore they can tell that the same person (you) visited both sites
  • not accepting “third-party cookies” (browser setting) thwarts this
5
Q

session cookie vs. persistent cookie

(storage location, deletion process, security)

A

session cookie: the default type; a temporary cookie that is stored only in the browser’s memory

  • when the browser is closed, temporary cookies will be erased
  • safer, because no programs other than the browser can access them

persistent cookie: one that is stored as a file on the browser’s computer

  • can track long-term information
  • less secure; users/programs can open cookie files, see/change the cookie values, etc.
6
Q

Setting Expiration / Persistent Cookies

A
  • expiration date set -> persistent cookie (in seconds, relative to the current timestamp)
  • no expiration date set -> session cookie; expires when the browser is closed
  • the time function returns the current time in seconds
  • the date function can convert a time in seconds to a readable date
7
Q

how to retrieve information from a cookie

A

from the $_COOKIE associative array

  • use the isset function to check whether a given cookie name exists before reading it
8
Q

how to delete a cookie

A

PHP: setcookie("name", FALSE);

or

set an expiration date in the past (before the present time):

setcookie("count", 21, time() - 1);

9
Q

With how many domains can a cookie be associated?

A

one domain (e.g. www.example.com)

10
Q

what is the effect of the cookie attributes Secure and HttpOnly

A

Secure - ensures the cookie is only sent over HTTPS connections

HttpOnly - ensures the cookie is only sent in HTTP/HTTPS requests and is not accessible to client-side JavaScript; this helps avoid JavaScript-based attacks on the cookie

11
Q

define a session and explain why sessions are used

A

a series of HTTP requests and responses between a specific web browser and server

used when a process between the client and the server requires multiple communications

because HTTP is stateless (it cannot remember what came before or after), sessions are used; sessions can be hijacked

12
Q

sessions vs. cookies

A

sessions end when user logs out or closes browser; cookies may persist

sessions stored on server (only 1 session per client); cookies store data on the user’s browser

sessions are difficult to hack; cookies are easy

sessions protect private information from being seen by other users on your computer; cookies do not

sessions are often built on top of cookies:

  • the only data the client stores is a cookie holding a unique session ID
  • on each page request, the client sends its session ID cookie, and the server uses this to find and retrieve the client’s session data
13
Q

how is a session established

A
  1. client contacts server
  2. server notes client’s IP address/browser, stores some local session data
  3. server sends a session ID back to client (as a cookie)
  4. client sends that same session ID (cookie) back to server on future requests
  5. server uses session ID cookie to retrieve its data for the client’s session later
14
Q

how to start a session in PHP

A

session_start() signifies that your script wants a session with the user

15
Q

how to access session data

A

using the $_SESSION associative array

16
Q

how to end a current session

A

session_destroy();

17
Q

when do sessions end, and what are the issues with such timeouts

A
  • because HTTP (not HTML!) is stateless, the server may not know when a user has finished a session
  • ideally, the user explicitly logs out, but many users don't
  • the client deletes session cookies when the browser closes
  • the server automatically cleans up old sessions after a period of time
  • old session data consumes resources and increases security risks