Cookies & Sessions Flashcards
Is HTTP stateless?
Yes, meaning a website cannot keep the state of a visit across different HTTP requests
What makes HTTP stateful?
Cookies, invented by Netscape in 1994
Cookies
textual info installed by a website into the “cookie jar” of a web browser
Cookie Jar
storage space where a web browser stores cookies
Cookie attributes
- actual content
- expiration date
- path
- domain
- optional flags: HttpOnly, Secure
Set-Cookie
HTTP header a server uses to set a cookie
Where are cookies sent
only to the matching domain/path, when they are not expired and in accordance with their flags
What fields set the scope of the cookie?
The domain and path field.
What happens when a web server installs a cookie?
The web server sets the domain field to the website. The browser will then use the cookie for every request sent to that domain and its subdomains
What happens to the cookie if the server does not specify the domain attribute?
The browser automatically sets the domain to the server's hostname and sets the cookie's host-only flag, so the cookie will be sent only to that exact hostname.
Http-Only Cookie Attribute
- client sets HttpOnly flag for cookie
- prevents JS, Flash, Java and other non-HTML code from reading the cookie
- this prevents XSS cookie stealing
Secure flag (cookie attribute)
marks the cookie as secure so it is sent ONLY over HTTPS
Can a cookie have more than one value?
Yes, a server can set more than one value with KEY=Value pairs
When are cookies often installed?
at login
how does a login cookie work?
- browser sends POST request
- server responds with Set-Cookie header field telling the browser to install the cookie
- browser checks the cookie's attributes (domain, path, expiration, flags) for each subsequent request to the server
- if the checks pass, the browser inserts the Cookie header in the request