Cookies and Sessions Charles Severance

Slides:



Advertisements
Similar presentations
Cookies, Sessions. Server Side Includes You can insert the content of one file into another file before the server executes it, with the require() function.
Advertisements

How the web works: HTTP and CGI explained
HTTP Presented By: Holly Mortinson Amy Drout Kyle Balmer & Matt Conklin.
Definitions, Definitions, Definitions Lead to Understanding.
Application Layer  We will learn about protocols by examining popular application-level protocols  HTTP  FTP  SMTP / POP3 / IMAP  Focus on client-server.
HTTP Overview Vijayan Sugumaran School of Business Administration Oakland University.
1 The World Wide Web. 2  Web Fundamentals  Pages are defined by the Hypertext Markup Language (HTML) and contain text, graphics, audio, video and software.
2/9/2004 Web and HTTP February 9, /9/2004 Assignments Due – Reading and Warmup Work on Message of the Day.
How the World Wide Web Works
Christopher M. Pascucci Basic Structural Concepts of.NET Browser – Server Interaction.
Cookies, Sessions, and Authentication Dr. Charles Severance
Web Servers Web server software is a product that works with the operating system The server computer can run more than one software product such as .
Comp2513 Forms and CGI Server Applications Daniel L. Silver, Ph.D.
2: Application Layer1 CS 4244: Internet Software Development Dr. Eli Tilevich.
Working with Cookies Managing Data in a Web Site Using JavaScript Cookies* *Check and comply with the current legislation regarding handling cookies.
 The World Wide Web is a collection of electronic documents linked together like a spider web.  These documents are stored on computers called servers.
Feedback #2 (under assignments) Lecture Code:
Week seven CIT 354 Internet II. 2 Objectives Database_Driven User Authentication Using Cookies Session Basics Summary Homework and Project 2.
Lecture 8 – Cookies & Sessions SFDV3011 – Advanced Web Development 1.
Web Design (1) Terminology. Coding ‘languages’ (1) HTML - Hypertext Markup Language - describes the content of a web page CSS - Cascading Style Sheets.
Web Database Programming Week 7 Session Management & Authentication.
A Little Bit About Cookies Fort Collins, CO Copyright © XTR Systems, LLC A Little Bit About Cookies Instructor: Joseph DiVerdi, Ph.D., M.B.A.
World Wide Web “WWW”, "Web" or "W3". World Wide Web “WWW”, "Web" or "W3"
Google App Engine MemCache ae-09-session
Google Application Engine Introduction Jim Eng with thanks to Charles Severance
CP476 Internet Computing CGI1 Cookie –Cookie is a mechanism for a web server recall info of accessing of a client browser –A cookie is an object sent by.
Jan 2001C.Watters1 World Wide Web and E-Commerce Client Side Processing.
CITA 310 Section 2 HTTP (Selected Topics from Textbook Chapter 6)
ECMM6018 Enterprise Networking for Electronic Commerce Tutorial 7
Fall 2000C.Watters1 World Wide Web and E-Commerce Clients & Client Side Processing.
Google App Engine Sessions and Cookies ae-09-session
1 State and Session Management HTTP is a stateless protocol – it has no memory of prior connections and cannot distinguish one request from another. The.
ITM © Port,Kazman 1 ITM 352 Cookies. ITM © Port,Kazman 2 Problem… r How do you identify a particular user when they visit your site (or any.
COMP2322 Lab 2 HTTP Steven Lee Jan. 29, HTTP Hypertext Transfer Protocol Web’s application layer protocol Client/server model – Client (browser):
Sessions and cookies (part 2) MIS 3501, Fall 2015 Brad N Greenwood, PhD Department of MIS Fox School of Business Temple University 11/19/2015.
Week 11: Application Layer 1 Web and HTTP r Web page consists of objects r Object can be HTML file, JPEG image, Java applet, audio file,… r Web page consists.
IN THIS LESSON WE WILL REVIEW THE STRUCTURE OF THE INTERNET AND HOW BROWSERS ASSEMBLE WEBSITES BASED ON INSTRUCTIONS THEY RECEIVE FROM SERVERS. Internet.
COOKIES AND SESSIONS.
National College of Science & Information Technology.
Introduction to Dynamic Web Content
4.01 How Web Pages Work.
Block 5: An application layer protocol: HTTP
Web Development Web Servers.
HTTP request message: general format
How does it work ?.
COMP2322 Lab 2 HTTP Steven Lee Feb. 8, 2017.
Browsing and Searching the Web
E-commerce | WWW World Wide Web - Concepts
Hypertext Transport Protocol
Internet transport protocols services
E-commerce | WWW World Wide Web - Concepts
ITM 352 Cookies.
Client / Session Identification Cookies
What is Cookie? Cookie is small information stored in text file on user’s hard drive by web server. This information is later used by web browser to retrieve.
Client / Session Identification Cookies
The Application Lifecycle
Introduction to Dynamic Web Content
Web Systems Development (CSC-215)
HyperText Transfer Protocol
Cookies and sessions Saturday, February 23, 2019Saturday, February 23,
CSc 337 Lecture 27: Cookies.
Kevin Harville Source: Webmaster in a Nutshell, O'Rielly Books
Back end Development CS Programming Languages for Web Applications
PHP State.
BOF #1 – Fundamentals of the Web
HTTP Hypertext Transfer Protocol
Back end Development CS Programming Languages for Web Applications
Cross Site Request Forgery (CSRF)
CSc 337 Lecture 25: Cookies.
An Introduction to the Internet
Presentation transcript:

Cookies and Sessions Charles Severance www.dr-chuck.com

BROWSER SERVER Python HTML PHP CSS SQL HTTP Hyper Text Transfer Protocol PHP CSS SQL How stuff gets back and forth... How stuff gets made and stored How stuff looks For each of these aspects of the web, we have many standards and languages and techniques to learn.

The read-only web: hypertext navigation and lots of GETs www.umich.edu www.facebook.com www.yahoo.com 29 times images.yahoo.com The read-only web: hypertext navigation and lots of GETs (Screenshot) Source: www.facebook.com (Globe) source: http://www.clker.com/clipart-2123.html (Server) source: http://www.clker.com/clipart-server.html

Servers get used by many users at the same time. (Screenshots) Source: ctools.umich.edu (Globe) source: http://www.clker.com/clipart-2123.html (Server) source: http://www.clker.com/clipart-server.html ctools.umich.edu Servers get used by many users at the same time.

??? ctools.umich.edu When folks hit a button... everyone POSTs (Screenshots) Source: ctools.umich.edu (Globe) source: http://www.clker.com/clipart-2123.html (Server) source: http://www.clker.com/clipart-server.html ??? ctools.umich.edu When folks hit a button... everyone POSTs

??? Server Questions ??? Who is this user? Are they logged in yet? What screen did they come from? What button did they push? Where do we store this data? What screen do they want next?

Over and over and over and over and over and over and over.... ??? Server Questions ??? Who is this user? Are they logged in yet? What screen did they come from? What button did they push? Where do we store this data? What screen do they want next? Over and over and over and over and over and over and over.... same as it ever was

Cookies and Sessions Maintaining State in HTTP

High Level Summary The web is “stateless” - the browser does not maintain a connection to the server while you are looking at a page. You may never come back to the same server - or it may be a long time - or it may be one second later So we need a way for servers to know “which browser is this?” In the browser state is stored in “Cookies” In the server state is stored in “Sessions”

Some Web sites always seem to want to know who you are! Source: https://weblogin.umich.edu/ Some Web sites always seem to want to know who you are!

Other Web sites always seem to know who you are! Sources: www.twitter.com & www.flickr.com Other Web sites always seem to know who you are!

You watch the YouTube video Source: http://www.youtube.com/watch?v=f90ysF9BenI Browser Click Draw Click Draw You watch the YouTube video for 30 seconds Whole Page Whole Page GET GET Server How you see YouTube...

Browser Click Draw Click Draw Whole Page Whole Page GET GET Server How YouTube sees you...

Multi-User When a server is interacting with many different browsers at the same time, the server needs to know *which* browser a particular request came from Request / Response initially was stateless - all browsers looked identical - this was really really bad and did not last very long at all.

Web Cookies to the Rescue Technically, cookies are arbitrary pieces of data chosen by the Web server and sent to the browser. The browser returns them unchanged to the server, introducing a state (memory of previous events) into otherwise stateless HTTP transactions. Without cookies, each retrieval of a Web page or component of a Web page is an isolated event, mostly unrelated to all other views of the pages of the same site. http://en.wikipedia.org/wiki/HTTP_cookie

http://en.wikipedia.org/wiki/HTTP_cookie

Cookies In the Browser Cookies are marked as to the web addresses they come from - the browser only sends back cookies that were originally set by the same web server Cookies have an expiration date - some last for years - others are short-term and go away as soon as the browser is closed

Playing with Cookies Firefox Developer Plugin has a set of cookie features Other browsers have a way to view or change cookies

(Screenshots) Source: ctools.umich.edu

Two Kinds of Cookies Two kinds of cookies Long-lived - who you are - account name last access time - you can close and reopen your browser and it is still there Temporary - used to identify your session - it goes away when you close the browser

The Firefox Web Developer Plugin Shows Cookies for the Current Host.

Google Analytics Cookies

Request Response Again! This time with cookies...

HTTP Request / Response Cycle (Screenshot) Source: www.dr-chuck.com HTTP Request / Response Cycle Web Server (Review) HTTP Request HTTP Response Browser Internet Explorer, FireFox, Safari, etc. http://www.oreilly.com/openbook/cgi/ch04_02.html

HTTP Request / Response Cycle Web Server We do or initial GET to a server. The server checks to see if we have a cookie with a particular name set. Since this our first interaction, we do not have cookies set for this host. GET /index.html HTTP/1.1 Accept: www/source Accept: text/html User-Agent: Lynx/2.4 Browser HTTP Request http://www.oreilly.com/openbook/cgi/ch04_02.html

HTTP Request / Response Cycle Web Server HTTP/1.1 200 OK Content-type: text/html Set-Cookie: sessid=123 <head> .. </head> <body> <h1>Welcome .... Along with the rest of the response, the server sets a cookie with some name (sessid) and sends it back along with the rest of the response. Browser HTTP Response host: sessid=123 http://www.oreilly.com/openbook/cgi/ch04_02.html

HTTP Request / Response Cycle Web Server From that point forward, each time we send a GET or POST to the server, we include any cookies which were set by that host. GET /index.html HTTP/1.1 Accept: www/source Accept: text/html Cookie: sessid=123 User-Agent: Lynx/2.4 Browser HTTP Request host: sessid=123 http://www.oreilly.com/openbook/cgi/ch04_02.html

HTTP Request / Response Cycle Web Server HTTP/1.1 200 OK Content-type: text/html Set-Cookie: name=chuck <head> .. </head> <body> <h1>Welcome .... On each response, the server can change a cookie value or add another cookie. Browser host: sessid=123 host:name=chuck HTTP Response http://www.oreilly.com/openbook/cgi/ch04_02.html

HTTP Request / Response Cycle Web Server From that point forward, each time we send a GET or POST to the server, we include all the cookies which were set by that host. GET /index.html HTTP/1.1 Accept: www/source Accept: text/html Cookie: sessid=123,name=chuck User-Agent: Lynx/2.4 Browser HTTP Request host: sessid=123 host:name=chuck http://www.oreilly.com/openbook/cgi/ch04_02.html

Browser Page Page Page GET POST GET Server Cookies Cookies Cookies GET POST GET Server Remember that cookies are only sent back to the host that set the cookie.

Security We ony send cookies back to the host that originally set the cookie The browser has *lots* of cookies for lots of hosts To ses all Cookies: Firefox -> Preferences -> Privacy -> Show Cookies

Using Cookies to Support Sessions and Login / Logout

Some Web sites always seem to want to know who you are! Source: https://weblogin.umich.edu/ Some Web sites always seem to want to know who you are!

In The Server - Sessions In most server applications, as soon as we meet a new browser - we create a session We set a session cookie to be stored in the browser which indicates the session id in use The creation and destruction of sessions is generally handled by a web framework or some utility code that we just use to manage the sessions

Session Identifier A large, random number that we place in a browser cookie the first time we encounter a browser. This number is used to pick from the many sessions that the server has active at any one time. Server software stores data in the session which it wants to have from one request to another from the same browser. Shopping cart or login information is stored in the session in the server

Server Browser C

Server Request Browser C

Create Session Request Response Server cook=97 Session 97 index: “Please log in” Browser C cook=97 cook=97 Response

We now have a session established but are not yet logged in. Source: https://weblogin.umich.edu/ Server Session 97 Typing We now have a session established but are not yet logged in. Browser C cook=97

Login / Logout Having a session is not the same as being logged in. Generally you have a session the instant you connect to a web site The Session ID cookie is set when the first page is delivered Login puts user information in the session (stored in the server) Logout removes user information from the session

Request Click Server Session 97 login: if good: set user Browser C cook=97 login: if good: set user Browser C cook=97 Click

Request Click Response Server Session 97 user=phil login: if good: cook=97 login: if good: set user Browser C cook=97 Click Response

Server Session 97 user=phil Browser C cook=97

Using Sessions for Other Stuff

Server Browser A cook=10 Session 10 Session 46 user=chuck user=jan bal=$1000 Session 46 user=jan bal=$400 Browser B cook=46

Server Browser A cook=10 Session 10 Session 46 user=chuck user=jan bal=$1000 Session 46 user=jan bal=$500 Browser B cook=46 withdraw: bal=bal-100

Click Server Browser A cook=10 Session 10 Session 46 user=chuck bal=$1000 Session 46 user=jan bal=$500 Browser B cook=46 Click withdraw: bal=bal-100

Server Browser A cook=10 Session 10 Session 46 user=chuck user=jan bal=$1000 Session 46 user=jan bal=$500 cook=46 Browser B cook=46 withdraw: bal=bal-100

Request Response Server Browser A cook=10 Session 10 Session 46 user=chuck bal=$1000 Session 46 user=jan bal=$400 Request cook=46 Browser B cook=46 withdraw: bal=bal-100 Response

Review...

High Level Summary The web is “stateless” - the browser does not maintain a connection to the server while you are looking at a page. You may never come back to the same server - or it may be a long time - or it may be one second later So we need a way for servers to know “which browser is this?” In the browser state is stored in “Cookies” In the server state is stored in “Sessions”

You watch the YouTube video Source: http://www.youtube.com/watch?v=f90ysF9BenI Browser Click Draw Click Draw You watch the YouTube video for an 30 seconds Whole Page Whole Page GET GET Server How you see YouTube...

Browser Click Draw Click Draw Whole Page Whole Page GET GET Server

Browser Click Draw Click Draw Whole Page Whole Page GET GET Server cook=42 cook=42 GET GET Session 42 Session 42 Server

??? Server Questions ??? Who is this user? Are they logged in yet? What screen did they come from? What button did they push? Where do we store this data? What screen do they want next?

Cookie/Session Summary Cookies take the stateless web and allow servers to store small “breadcrumbs” in each browser. Session IDs are large random numbers stored in a cookie and used to maintain a session on the server for each of the browsers connecting to the server Server software stores sessions *somewhere* - each time a request comes back in, the right session is retrieved based on the cookie Server uses the session as a scratch space for little things

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.