Client / Session Identification Cookies

Stateless Protocol
Remember that:
- HTTP is a stateless protocol
- No information needed or kept
- Each command is executed independently
- No knowledge of the commands that came before it
- Information is easily retransmitted
- Website kept simple and light

Client / Session Identification
- HTTP does not maintain state (stateless).
- State information can be passed using:
  - HTTP headers
  - Client IP address
  - HTTP user login
  - Fat URLs: URLs modified to include user state information are called fat URLs. Some web sites keep track of user identity by generating special versions of each URL for each user.
  - Cookies

Cookies: Maintaining State
- Most major commercial Web sites use cookies today
- Cookies are defined in the [RFC 6265] standard
- Allow sites (web servers) to keep track of users
- Reflect personal settings and configurations
- Each website has its own cookie that is site-specific
- Using a combination of cookies and user-supplied account information, a Web site can learn a lot about a user and potentially sell this information to a third party
- Cookies can have several attributes that control their scope, including: expiration date, path, domain, port, version, and security options

Cookies: Maintaining State/2
- The Domain attribute instructs the browser for which domain names it should send the cookie back
- The Path attribute enables the cookie to be further restricted to a certain URL relative to the domain
- Note: every time a browser makes a request of any type, it finds all cookies that match the domain and path for the site and sends those cookies along with the request
- The Expires attribute defines an absolute expiration date for the cookie
- The Max-Age attribute defines the number of seconds before the cookie expires
- If a cookie has neither an Expires nor a Max-Age attribute, it is deleted when the browser is closed
- Finally, the HttpOnly attribute restricts the cookie to direct browser requests. Other technologies, such as JavaScript and Flash, will not have access to the cookie.

Examples
  Set-Cookie: user=abc; Path=/restricted; Domain=.foo.example.com
  Set-Cookie: user=abc; expires=Wed, 21-Dec-2017 15:23:00 GMT
  Set-Cookie: user=abc; Max-Age=3600
  Set-Cookie: key=etrogl7*; Domain=.foo.example.com; secure

Cookies
- ASCII strings stored at the browser
- Submitted with each request to a target website
- Newer cookies will overwrite older cookies
- There are set restrictions on the number of cookies that can be stored
- Session cookies: stored only for the duration of a web session
- Persistent cookies: remain stored until they expire
- Privacy risk:
  - Can be controlled by the web browser
  - Used to track consumer behavior
  - Harder, but possible, to track an individual user

User-server state: cookies
Many Web sites use cookies. Four components:
1) cookie header line of the HTTP response message
2) cookie header line in the next HTTP request message
3) cookie file kept on the user's host, managed by the user's browser
4) back-end database at the Web site
Example:
- Ali always accesses the Internet from the same PC
- Visits a specific e-commerce site for the first time
- When the initial HTTP request arrives at the site, the site creates:
  - a unique ID
  - an entry in the backend database for that ID

Example
- To set a cookie in a browser, the server includes a Set-Cookie header line in the HTTP response header. For example, the response below sets the cookie "cart" to the value "ATVPDKIKX0DER".
- If the browser makes a second request to the same server, it sends the cookie back in a Cookie line of the HTTP request header.
- As long as the server doesn't reuse cookies, this enables it to track individual users and sessions across multiple, otherwise stateless, HTTP connections.

Response:
  HTTP/1.1 200 OK
  Content-type: text/html
  Set-Cookie: cart=ATVPDKIKX0DER

Request:
  GET /index.html HTTP/1.1
  Host: www.example.org
  Cookie: cart=ATVPDKIKX0DER
  Accept: text/html

Cookies: keeping "state" (cont.)
Message sequence between the client (whose cookie file already holds "ebay 8734") and the Amazon server with its backend database:
1. The client sends a usual HTTP request message to Amazon.
2. The Amazon server creates ID 1678 for the user and creates an entry in the backend database.
3. The server returns a usual HTTP response carrying "set-cookie: 1678"; the client's cookie file now holds "ebay 8734" and "amazon 1678".
4. The client sends a usual HTTP request message carrying "cookie: 1678"; the server performs a cookie-specific action (backend database access) and returns a usual HTTP response message.
5. One week later the cookie file still holds "ebay 8734" and "amazon 1678"; a usual HTTP request message with "cookie: 1678" again triggers the cookie-specific action and a usual HTTP response message.

Cookies (continued)
- What cookies can be used for:
  - authorization
  - shopping carts
  - recommendations
  - user session state (Web e-mail), your student account
- How to keep "state":
  - protocol endpoints: maintain state at sender/receiver over multiple transactions
  - cookies: HTTP messages carry state
- Cookies and privacy:
  - cookies permit sites/servers to learn a lot about you
  - you may supply name and e-mail to sites

Using Session Cookies/1
- In general, a session is some file, memory segment, object, or container managed by the server or web application that contains various data elements assigned to it. Examples: username, a shopping cart, workflow details, etc.
- The user's browser does not hold or maintain any of this data; it is managed solely by the server or web application code.
- The missing piece is a link between this container and the user's browser. Thus, sessions are assigned a randomly generated string called a session ID.
- The first time a session is created (as a result of a request being received), the session ID for that session is conveyed back to the user's browser as part of the response.
- Every subsequent request from that user's browser includes the session ID in some fashion.
- When the application receives the request with the session ID, it can then link the existing session to that request.

Using Session Cookies/2
Note: why is the session ID random instead of a simple sequential ID?
Reason: a sequential ID would be predictable, and a predictable ID would make stealing other users' sessions trivial.
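The server-side container the two slides above describe, written out as an added Python example (not code from the slides; the class, method and cookie names are my own). Only the random ID is handed to the browser, the data stays on the server, and a session that has been idle too long, or has been logged out, no longer resolves even if the browser still presents its cookie.

```python
"""Added example (not from the slides): a server-side session container keyed by
a random session ID, as the Using Session Cookies slides describe. Only the ID
travels to the browser; the data (username, cart, ...) stays on the server.
Class and method names are my own; timestamps used in tests are constructed."""
import secrets
import time


class SessionStore:
    """Maps session IDs to server-held data, with an idle timeout."""

    def __init__(self, idle_timeout=1800):
        self._sessions = {}
        self.idle_timeout = idle_timeout

    @staticmethod
    def _now(now):
        return time.time() if now is None else now

    def create(self, now=None, **data):
        """Start a session; the returned ID is what the Set-Cookie header carries."""
        # token_urlsafe(32) draws 256 bits from the OS CSPRNG, so one ID cannot be
        # predicted from earlier ones the way a sequential counter could.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"data": dict(data), "last_seen": self._now(now)}
        return sid

    def get(self, sid, now=None):
        """Link a request carrying sid back to its data, or None if unknown or stale."""
        now = self._now(now)
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if now - entry["last_seen"] > self.idle_timeout:
            self.destroy(sid)  # expired on the server even if the browser still has the cookie
            return None
        entry["last_seen"] = now
        return entry["data"]

    def rotate(self, sid, now=None):
        """Move the data to a fresh ID (e.g. right after login) and retire the old one."""
        data = self.get(sid, now)
        if data is None:
            return None
        self.destroy(sid)
        return self.create(now, **data)

    def destroy(self, sid):
        """Log out: forget the session; the cookie the browser still holds is now worthless."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid, name="SESSIONID"):
    """Set-Cookie value carrying only the ID, scoped with attributes from the slides."""
    return f"{name}={sid}; Path=/; HttpOnly; Secure"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create(username="Nick")
    print("Set-Cookie:", session_cookie_header(sid))
    print("lookup:", store.get(sid))
```

The `now` parameters exist so the idle timeout can be exercised with fixed timestamps; in a real handler they are left unset and the wall clock is used.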

Using Session Cookies/3
- The remaining problem to be solved is how the session ID is passed from server to browser and back. There are two techniques used to accomplish this:
  - Session cookies (HTTP cookies):
    - Set-Cookie response header: from the server to the browser
    - Cookie request header: from the browser to the server
  - URL rewriting: the web or application server knows to look for a particular pattern containing the session ID in the URL; if found, the application server retrieves the session from the URL.

Example: Understanding the Session Cookie
- Web servers and application servers use cookies to store session IDs on the client side. Thus, in subsequent requests, these IDs can be transmitted back to the server (with each request).
- By default, in Java EE application servers, the name of this session cookie is JSESSIONID.
- The following example shows the headers from a series of requests and responses between a client browser and a Java EE web application deployed at http://www.example.com/support.

Example: Understanding the Session Cookie

Request 1
  GET /support HTTP/1.1
  Host: www.example.com

Response 1
  HTTP/1.1 302 Moved Temporarily
  Location: https://www.example.com/support/login
  Set-Cookie: JSESSIONID=NRxclGg2vG7kI4MdlLn; Domain=.example.com; Path=/; HttpOnly

Request 2
  GET /support/login HTTP/1.1
  Host: www.example.com
  Cookie: JSESSIONID=NRxclGg2vG7kI4MdlLn

Response 2
  HTTP/1.1 200 OK
  Content-Type: text/html;charset=UTF-8
  Content-Length: 21765

Request 3
  POST /support/login HTTP/1.1
  Host: www.example.com
  Cookie: JSESSIONID=NRxclGg2vG7kI4MdlLn

Response 3
  HTTP/1.1 302 Moved Temporarily
  Location: http://www.example.com/support/home
  Set-Cookie: username=Nick; Expires=Wed, 02-Jun-2021 12:15:47 GMT; Domain=.example.com; Path=/; HttpOnly

Request 4
  GET /support/home HTTP/1.1
  Host: www.example.com
  Cookie: JSESSIONID=NRxclGg2vG7kI4MdlLn; username=Nick

Response 4
  HTTP/1.1 200 OK
  Content-Type: text/html;charset=UTF-8
  Content-Length: 56823
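To make the Domain, Path, Secure, Expires and Max-Age rules from the "Maintaining State/2" slide and its Set-Cookie examples concrete, and to show why request 4 above carries both cookies, here is an added Python cookie jar (my own code, not from the slides or any browser). It parses Set-Cookie values, decides which stored cookies a browser would attach to a given request URL, and replays the four-request JSESSIONID exchange. The header values are the slides' own; the clock values are constructed.

```python
"""Added example (not from the slides): a minimal RFC 6265-style cookie jar.
It parses Set-Cookie headers, applies the Domain, Path, Secure, Expires and
Max-Age rules described on the slides, and replays the four-request JSESSIONID
exchange to show which cookies the browser attaches to each request.
Header values are copied from the slides; the clock values are constructed."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

NOW = datetime(2021, 1, 1, tzinfo=timezone.utc)    # constructed "current time"
LATER = datetime(2021, 7, 1, tzinfo=timezone.utc)  # after the username cookie expires


def parse_set_cookie(header, now=NOW):
    """Turn one Set-Cookie header value into a dict of name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "domain": None,
              "path": "/", "secure": False, "httponly": False, "expires": None}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            cookie["domain"] = val.lstrip(".").lower()  # a leading dot is ignored
        elif key == "path" and val.startswith("/"):
            cookie["path"] = val
        elif key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "max-age" and val.lstrip("-").isdigit():
            cookie["expires"] = now + timedelta(seconds=int(val))  # Max-Age wins over Expires
        elif key == "expires" and cookie["expires"] is None:
            try:
                exp = parsedate_to_datetime(val)
            except (TypeError, ValueError):
                continue  # an unparseable date leaves the cookie a session cookie
            cookie["expires"] = exp if exp.tzinfo else exp.replace(tzinfo=timezone.utc)
    return cookie


def domain_matches(host, domain):
    return host == domain or host.endswith("." + domain)


def path_matches(request_path, cookie_path):
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


class CookieJar:
    """Browser-side store: a newer cookie with the same name, domain and path overwrites the older one."""

    def __init__(self):
        self.cookies = {}

    def store(self, set_cookie, request_host, now=NOW):
        c = parse_set_cookie(set_cookie, now)
        host = request_host.lower()
        if c["domain"] is None:
            c["domain"], c["host_only"] = host, True  # no Domain attribute: host-only cookie
        elif domain_matches(host, c["domain"]):
            c["host_only"] = False
        else:
            return None  # a cookie claiming an unrelated domain is rejected
        self.cookies[(c["name"], c["domain"], c["path"])] = c
        return c

    def cookie_header(self, url, now=NOW):
        """Return the Cookie header value a browser would send for this request URL."""
        u = urlsplit(url)
        host, path = u.hostname.lower(), (u.path or "/")
        sent = []
        for c in self.cookies.values():
            if c["expires"] is not None and c["expires"] <= now:
                continue
            if c["host_only"] and host != c["domain"]:
                continue
            if not c["host_only"] and not domain_matches(host, c["domain"]):
                continue
            if not path_matches(path, c["path"]) or (c["secure"] and u.scheme != "https"):
                continue
            sent.append(f"{c['name']}={c['value']}")
        return "; ".join(sent)


def replay_slide_exchange(now=NOW):
    """Replay the JSESSIONID example; returns the Cookie header of requests 1 to 4."""
    jar, headers = CookieJar(), []
    headers.append(jar.cookie_header("http://www.example.com/support", now))  # Request 1
    jar.store("JSESSIONID=NRxclGg2vG7kI4MdlLn; Domain=.example.com; Path=/; HttpOnly",
              "www.example.com", now)                                          # Response 1
    headers.append(jar.cookie_header("https://www.example.com/support/login", now))  # Request 2
    headers.append(jar.cookie_header("https://www.example.com/support/login", now))  # Request 3
    jar.store("username=Nick; Expires=Wed, 02-Jun-2021 12:15:47 GMT; Domain=.example.com; Path=/; HttpOnly",
              "www.example.com", now)                                          # Response 3
    headers.append(jar.cookie_header("http://www.example.com/support/home", now))    # Request 4
    return headers


if __name__ == "__main__":
    for i, h in enumerate(replay_slide_exchange(), 1):
        print(f"Request {i}: Cookie: {h or '(none)'}")
```

Run with the later clock value, the `username` cookie has passed its Expires date and request 4 carries only JSESSIONID; the `key=...; secure` example from the Examples slide is likewise only attached to https requests.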

Session IDs in the URL
- Another popular method for transmitting session IDs is through URLs. The web or application server knows to look for a particular pattern containing the session ID in the URL.
- Different technologies use different strategies for embedding and locating session IDs in the URL. For example:
  - PHP uses a query parameter named PHPSESSID:
    http://www.example.com/support?PHPSESSID=NRxclGg2vG7kI4MdlLn&foo=bar&high=five
  - Java EE applications use a different approach. The session ID is placed in a matrix parameter in the last path segment (or directory) in the URL. The keyword used is JSESSIONID:
    http://www.example.com/support;JSESSIONID=NRxclGg2vG7kI4MdlLn?foo=bar&high=five
  - This frees up the query string so that the session ID does not conflict with other parameters in the query string.
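The two URL conventions on this slide, located and stripped by an added Python example (my own code, not PHP's or any Java EE container's implementation). `session_id_from_url` finds the ID the way the slide describes, in the last path segment's matrix parameter for Java EE or in the PHPSESSID query parameter for PHP; `strip_session_id` removes it, which is what you want before a URL carrying a session ID is written to a log or copied elsewhere. The two URLs in the test are the slide's own; the extra one is constructed.

```python
"""Added example (not from the slides): find and strip a session ID embedded in
a URL using the two conventions on the slide, PHP's PHPSESSID query parameter
and Java EE's ;JSESSIONID matrix parameter on the last path segment.
Function names are my own."""
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit


def session_id_from_url(url):
    """Return (technology, session_id), or (None, None) if no ID is embedded."""
    parts = urlsplit(url)  # urlsplit keeps ';...' matrix parameters inside the path
    last_segment = parts.path.rsplit("/", 1)[-1]
    _, _, matrix = last_segment.partition(";")
    for param in matrix.split(";"):  # Java EE: ;JSESSIONID=... before any '?'
        key, _, value = param.partition("=")
        if key.upper() == "JSESSIONID" and value:
            return "java-ee", value
    query = parse_qs(parts.query)  # PHP: ordinary ?PHPSESSID=... query parameter
    if query.get("PHPSESSID"):
        return "php", query["PHPSESSID"][0]
    return None, None


def strip_session_id(url):
    """Return the URL without its session ID, e.g. before the URL is logged."""
    parts = urlsplit(url)
    head, sep, last = parts.path.rpartition("/")
    name, _, matrix = last.partition(";")
    kept = [p for p in matrix.split(";")
            if p and p.partition("=")[0].upper() != "JSESSIONID"]
    path = head + sep + name + "".join(";" + p for p in kept)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "PHPSESSID"]
    return urlunsplit(parts._replace(path=path, query=urlencode(query)))


if __name__ == "__main__":
    for u in ("http://www.example.com/support?PHPSESSID=NRxclGg2vG7kI4MdlLn&foo=bar&high=five",
              "http://www.example.com/support;JSESSIONID=NRxclGg2vG7kI4MdlLn?foo=bar&high=five"):
        print(session_id_from_url(u), "->", strip_session_id(u))
```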

Cookies
- A cookie is a name/value pair in the Set-Cookie header field of an HTTP response
- Most (not all) clients will:
  - Store each cookie received in their file system
  - Send each cookie back to the server that sent it as part of the Cookie header field of subsequent HTTP requests

Cookies Example
Tomcat sends the session ID as the value of a cookie named JSESSIONID

Cookies Example
A cookie-enabled browser returns the session ID as the value of the cookie named JSESSIONID

Cookies API
- Servlets can set cookies explicitly
- The Cookie class is used to represent cookies
- request.getCookies() returns an array of Cookie instances representing the cookie data in the HTTP request
- response.addCookie(Cookie) adds a cookie to the HTTP response
- Cookies are expired by the client (the server can request an expiration date)

Cookies Example
- Return the array of cookies contained in the HTTP request
- Search for the cookie named COUNT and extract its value as an int

Cookies Example
- Send a replacement cookie value to the client (overwrites the existing cookie)
- Should call addCookie() before writing HTML
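The COUNT round trip the last two slides describe, as an added example in Python rather than the Servlet API (my own code, not the slides' servlet, whose source is not reproduced here). It reads COUNT from the Cookie request header, treating a missing or non-numeric value as 0, increments it, and sends a replacement Set-Cookie with a Max-Age so the client, which is what expires cookies, knows when to drop it. The handler emits all headers before any body bytes, which is the same constraint as calling addCookie() before writing HTML.

```python
"""Added example (not from the slides, and not the Servlet API): the COUNT
cookie round trip from the Cookies Example slides as a small Python HTTP
handler. The visit counter lives in the cookie itself; the server reads it,
increments it and sends a replacement Set-Cookie that the browser overwrites."""
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer


def read_count(cookie_header):
    """Extract COUNT from a Cookie request header as an int; missing or bad -> 0."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except Exception:  # a malformed header must not crash the request
        return 0
    morsel = jar.get("COUNT")
    if morsel is None or not morsel.value.isdigit():
        return 0
    return int(morsel.value)


def next_visit(cookie_header, max_age=30 * 24 * 3600):
    """Return (new_count, set_cookie_value) for the replacement cookie."""
    count = read_count(cookie_header) + 1
    jar = SimpleCookie()
    jar["COUNT"] = str(count)
    jar["COUNT"]["path"] = "/"
    jar["COUNT"]["max-age"] = max_age   # the client expires it; the server only asks
    jar["COUNT"]["httponly"] = True
    return count, jar["COUNT"].OutputString()


class CountHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        count, set_cookie = next_visit(self.headers.get("Cookie"))
        body = f"<html><body>You have visited {count} time(s).</body></html>".encode()
        # Headers, Set-Cookie included, go out before any body bytes: the same
        # rule as calling addCookie() before writing HTML in a servlet.
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.send_header("Set-Cookie", set_cookie)
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8000), CountHandler).serve_forever()
```

Because the counter is client-held state, the server must treat the value as untrusted input; `read_count` therefore accepts only digit strings and resets anything else to 0.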

Summary
- Many websites use small strings of text known as cookies to store persistent client-side state between connections.
- Cookies are passed from server to client and back again in the HTTP headers of requests and responses.
- Cookies are limited to non-whitespace ASCII text, and may not contain commas or semicolons.
- Cookies can be used by a server to indicate: session ID, shopping cart contents, login credentials, user preferences, and more.
- Servers can set more than one cookie in the same response.