Client / Session Identification Cookies
Stateless Protocol
Remember that HTTP is a stateless protocol: no information about earlier requests is needed or kept; each request is executed independently, with no knowledge of the requests that came before it; information is easily retransmitted; and the web server is kept simple and light.
Client / Session Identification
HTTP does not maintain state (it is stateless). State information can be passed using:
- HTTP headers
- the client IP address
- HTTP user login (authentication)
- fat URLs: URLs modified to include user state information; some web sites keep track of user identity by generating a special version of each URL for each user
- cookies
Cookies: Maintaining State
Most major commercial web sites use cookies today. Cookies, standardised in RFC 6265, allow sites (web servers) to keep track of users and to reflect personal settings and configurations. Cookies are site-specific: the browser returns a cookie only to hosts that match its Domain and Path scope. Using a combination of cookies and user-supplied account information, a web site can learn a lot about a user and potentially sell this information to a third party. Cookies can carry several attributes that control their scope and handling: Expires, Max-Age, Domain, Path, Secure and HttpOnly. (The older RFC 2109/2965 cookie specifications also defined Port and Version attributes; those are obsolete, and RFC 6265 user agents ignore attributes they do not recognise.)
Cookies: Maintaining State/2
- Domain attribute: tells the browser for which domain names it should send the cookie back. With a Domain attribute the cookie is sent to that domain and all of its subdomains; without one, only to the exact host that set it. A leading dot in the value is ignored.
- Path attribute: further restricts the cookie to a URL path prefix under that domain.
- Note: every time a browser makes a request of any type, it finds all unexpired cookies whose domain and path match the request and sends them along in the Cookie header.
- Expires attribute: an absolute expiration date for the cookie.
- Max-Age attribute: the number of seconds before the cookie expires; if both are present, Max-Age takes precedence.
- If a cookie has neither Expires nor Max-Age, it is a session cookie and is deleted when the browser is closed.
- Secure attribute: the browser sends the cookie only over HTTPS.
- HttpOnly attribute: the cookie is attached only to requests the browser itself makes; client-side code such as JavaScript (document.cookie) or plug-ins such as Flash cannot read it, which limits what script injected into the page can steal.
Examples
Set-Cookie: user=abc; Path=/restricted; Domain=.foo.example.com
Set-Cookie: user=abc; expires=Wed, 21-Dec :23:00 GMT
Set-Cookie: user=abc; Max-Age=3600
Set-Cookie: key=etrogl7*; Domain=.foo.example.com; Secure
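To make the scope rules above concrete, here is an added example (written for this page, not taken from the slides) of how a browser-side cookie jar applies them: it parses Set-Cookie header values into their attributes, then decides which cookies to attach to a later request based on Domain, Path, expiry, Secure and HttpOnly. It goes slightly beyond the slide's list by applying RFC 6265's default-path rule when no Path attribute is given. The Set-Cookie lines in demo() are constructed test data modelled on the examples, and the host names are placeholders.

```python
"""Parse Set-Cookie and decide which cookies a browser would send back.
Added example for this page (not code from the slides): Domain, Path,
Expires/Max-Age, Secure and HttpOnly handling roughly as RFC 6265 describes."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str                  # without any leading dot
    host_only: bool              # True when no Domain attribute was given
    path: str
    expires: Optional[datetime]  # None = session cookie, dies with the browser
    secure: bool
    http_only: bool


def default_path(uri_path: str) -> str:
    """RFC 6265 5.1.4: the request path up to (not including) its last '/'."""
    if not uri_path.startswith("/") or uri_path.count("/") == 1:
        return "/"
    return uri_path[:uri_path.rfind("/")]


def parse_set_cookie(header: str, request_url: str, now: datetime) -> Cookie:
    """Turn one Set-Cookie header value received from request_url into a Cookie."""
    req = urlsplit(request_url)
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain, host_only = req.hostname.lower(), True
    path, expires, max_age = default_path(req.path), None, None
    secure = http_only = False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            domain, host_only = val.lstrip(".").lower(), False   # leading dot ignored
        elif key == "path" and val.startswith("/"):
            path = val
        elif key == "expires":
            try:
                expires = parsedate_to_datetime(val)
                if expires.tzinfo is None:
                    expires = expires.replace(tzinfo=timezone.utc)
            except (TypeError, ValueError):
                pass                                 # unparsable date: ignore attribute
        elif key == "max-age" and val.lstrip("-").isdigit():
            max_age = int(val)
        elif key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True
    if max_age is not None:                          # Max-Age wins over Expires
        expires = now + timedelta(seconds=max_age)
    return Cookie(name.strip(), value, domain, host_only, path, expires, secure, http_only)


def domain_matches(host: str, cookie: Cookie) -> bool:
    host = host.lower()
    if cookie.host_only:
        return host == cookie.domain
    return host == cookie.domain or host.endswith("." + cookie.domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookies_to_send(jar: List[Cookie], url: str, now: datetime,
                    from_script: bool = False) -> List[str]:
    """The name=value pairs a browser would put in the Cookie header for url."""
    req = urlsplit(url)
    sent = []
    for c in jar:
        if c.expires is not None and c.expires <= now:
            continue                                 # expired
        if not domain_matches(req.hostname, c) or not path_matches(req.path or "/", c.path):
            continue                                 # out of scope
        if c.secure and req.scheme != "https":
            continue                                 # Secure: HTTPS only
        if from_script and c.http_only:
            continue                                 # HttpOnly: hidden from document.cookie
        sent.append(f"{c.name}={c.value}")
    return sent


def demo() -> dict:
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    origin = "https://www.foo.example.com/restricted/index.html"   # placeholder host
    headers = [  # constructed sample headers, modelled on the slide's examples
        "user=abc; Path=/restricted; Domain=.foo.example.com",
        "key=etrogl7*; Domain=.foo.example.com; Secure",
        "sid=NRxclGg2vG7kI4MdlLn; Path=/; HttpOnly",
        "old=gone; Max-Age=0",                       # expires immediately
    ]
    jar = [parse_set_cookie(h, origin, now) for h in headers]
    later = now + timedelta(seconds=1)
    page = "https://www.foo.example.com/restricted/page"
    return {
        "https_restricted": cookies_to_send(jar, page, later),
        "http_restricted": cookies_to_send(jar, page.replace("https", "http"), later),
        "other_path": cookies_to_send(jar, "https://www.foo.example.com/public", later),
        "subdomain": cookies_to_send(jar, "https://api.foo.example.com/restricted/x", later),
        "from_script": cookies_to_send(jar, page, later, from_script=True),
    }
```

Running demo() shows the effect of each attribute: the Secure cookie disappears on the plain-HTTP request, the Path=/restricted cookies are not sent to /public, the host-only sid cookie is not sent to the api. subdomain while the Domain=.foo.example.com cookies are, and the HttpOnly cookie is invisible to script.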
Cookies: ASCII strings stored by the browser
- Submitted with each request to a matching target website
- A newer cookie with the same name, domain and path overwrites the older one
- Browsers limit the number and size of cookies they store (RFC 6265 asks for at least 4096 bytes per cookie and at least 50 cookies per domain)
- Session cookies: stored only for the duration of a browser session
- Persistent cookies: remain stored until they expire
- Privacy risk: cookie storage can be controlled in the web browser; cookies are used to track consumer behaviour; tracking an individual user is harder, but possible
User-server state: cookies
Many web sites use cookies. Four components:
1) a Set-Cookie header line in the HTTP response message
2) a Cookie header line in the next HTTP request message
3) a cookie file kept on the user's host, managed by the user's browser
4) a back-end database at the web site
Example: Ali always accesses the Internet from the same PC and visits a specific e-commerce site for the first time. When the initial HTTP request arrives at the site, the site creates a unique ID and an entry in its back-end database for that ID.
Example: To set a cookie in a browser, the server includes a Set-Cookie header line in the HTTP response. For instance, this response header sets the cookie "cart" to the value "ATVPDKIKX0DER":

Response
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: cart=ATVPDKIKX0DER

If the browser makes a second request to the same server, it sends the cookie back in a Cookie line of the HTTP request header:

Request
GET /index.html HTTP/1.1
Host:
Cookie: cart=ATVPDKIKX0DER
Accept: text/html

As long as the server does not reuse cookie values for different users, this lets it track individual users and sessions across multiple, otherwise stateless, HTTP connections.
Cookies: keeping "state" (cont.)
Client (cookie file: ebay 8734) sends a usual HTTP request msg to the Amazon server.
Amazon server creates ID 1678 for the user and creates an entry in its backend database.
Server returns a usual HTTP response with set-cookie: 1678.
Client cookie file is now: ebay 8734, amazon 1678.
Client sends a usual HTTP request msg with cookie: 1678; the server performs a cookie-specific action (database access) and returns a usual HTTP response msg.
One week later, the client (cookie file still: ebay 8734, amazon 1678) sends a usual HTTP request msg with cookie: 1678; again a cookie-specific action and a usual HTTP response msg.
Cookies (continued): cookies and privacy
What cookies can be used for: authorization, shopping carts, recommendations, user session state (Web), your student account.
How to keep "state": protocol endpoints maintain state at sender/receiver over multiple transactions; with cookies, the HTTP messages themselves carry the state.
Cookies and privacy: cookies permit sites/servers to learn a lot about you, and you may yourself supply your name and other personal details to sites.
Using Session Cookies/1
In general, a session is some file, memory segment, object, or container managed by the server or web application that holds various data elements assigned to it, for example the username, a shopping cart, or workflow details. The user's browser does not hold or maintain any of this data; it is managed solely by the server or web application code. The missing piece is a link between this container and the user's browser. Thus each session is assigned a randomly generated string called a session ID. The first time a session is created (as a result of a request being received), the session ID for that session is conveyed back to the user's browser as part of the response. Every subsequent request from that browser includes the session ID in some fashion, and when the application receives a request carrying the session ID, it links the existing session to that request.
Using Session Cookies/2
Note: why is the session ID random instead of a simple sequential ID? A sequential ID would be predictable, and a predictable ID would make stealing other users' sessions trivial: an attacker who was issued ID 1678 could simply submit 1679. The ID must therefore come from a cryptographically secure random generator and carry enough entropy (OWASP recommends at least 64 bits) that guessing a live ID is infeasible.
Using Session Cookies/3
The remaining problem is how the session ID is passed from server to browser and back. Two techniques are used:
- Session cookies (HTTP cookies): the Set-Cookie response header carries the ID from the server to the browser; the Cookie request header carries it from the browser back to the server.
- URL rewriting: the web or application server knows to look for a particular pattern containing the session ID in the URL; if found, it retrieves the session identified in the URL.
Example: Understanding the Session Cookie
Web servers and application servers use cookies to store session IDs on the client side, so that in subsequent requests these IDs are transmitted back to the server with each request. By default, Java EE application servers name this session cookie JSESSIONID. The following example shows the headers from a series of requests and responses between a client browser and a Java EE web application deployed on an example.com host.
Example: Understanding the Session Cookie
Request 1
GET /support HTTP/1.1
Host:

Response 1
HTTP/1.1 302 Moved Temporarily
Location:
Set-Cookie: JSESSIONID=NRxclGg2vG7kI4MdlLn; Domain=.example.com; Path=/; HttpOnly

Request 2
GET /support/login HTTP/1.1
Host:
Cookie: JSESSIONID=NRxclGg2vG7kI4MdlLn

Response 2
HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Content-Length: 21765

Request 3
POST /support/login HTTP/1.1
Host:
Cookie: JSESSIONID=NRxclGg2vG7kI4MdlLn

Response 3
HTTP/1.1 302 Moved Temporarily
Location:
Set-Cookie: username=Nick; Expires=Wed, 02-Jun :15:47 GMT; Domain=.example.com; Path=/; HttpOnly

Request 4
GET /support/home HTTP/1.1
Host:
Cookie: JSESSIONID=NRxclGg2vG7kI4MdlLn; username=Nick

Response 4
HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Content-Length: 56823

Note that the JSESSIONID is issued before login (Response 1) and the same ID is still in use after login (Request 4); issuing a fresh ID at login rather than keeping the pre-login one is the usual recommendation. The username cookie set in Response 3 is a persistent convenience cookie; because any cookie value can be edited by the client, the server must determine who is logged in from the server-side session bound to JSESSIONID, never from the username cookie.
Session IDs in the URL
Another popular method for transmitting session IDs is through URLs. The web or application server knows to look for a particular pattern containing the session ID in the URL, and different technologies embed and locate it differently. For example:
- PHP uses a query parameter named PHPSESSID, e.g. /index.php?PHPSESSID=<id>
- Java EE applications take a different approach: the session ID is placed in a matrix (path) parameter on the last path segment of the URL, conventionally written ;jsessionid=<id>, e.g. /support/home;jsessionid=<id>. This frees up the query string so the session ID does not conflict with other query parameters.
Whichever form is used, a session ID in the URL ends up in browser history, proxy and server logs, and the Referer header of outbound links, so it is exposed far more widely than a cookie; URL rewriting is normally used only as a fallback when the browser refuses cookies.
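The session-ID plumbing from the "Using Session Cookies" slides and the URL transports on this slide, as one added example (not code from the slides or from any particular server): a server-side session store that issues unpredictable IDs and rejects unknown or expired ones, plus a resolver that finds the ID in the Cookie header or, failing that, in a ;jsessionid= path parameter or a PHPSESSID query parameter. The cookie name, TTL, store layout and demo URLs are assumptions made for the example.

```python
"""Server-side sessions: unpredictable IDs and where to find them in a request.
Added example for this page (not code from the slides). Cookie name, TTL,
store layout and demo URLs are assumptions."""
import secrets
import time
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

SESSION_COOKIE = "JSESSIONID"
ID_LENGTH = 43          # secrets.token_urlsafe(32): 256 random bits in 43 chars


class SessionStore:
    def __init__(self, ttl_seconds: int = 1800) -> None:
        self.ttl = ttl_seconds
        self._sessions: Dict[str, dict] = {}

    def create(self, now: Optional[float] = None) -> str:
        """Create an empty container and return its ID (CSPRNG, never a counter)."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"data": {}, "expires": now + self.ttl}
        return sid

    def get(self, sid: Optional[str], now: Optional[float] = None) -> Optional[dict]:
        """Return the session data for sid, or None if it is unknown or expired."""
        now = time.time() if now is None else now
        if not sid or len(sid) != ID_LENGTH:        # cheap reject of malformed IDs
            return None
        entry = self._sessions.get(sid)
        if entry is None or entry["expires"] <= now:
            self._sessions.pop(sid, None)           # drop expired state eagerly
            return None
        return entry["data"]


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split 'a=1; b=2' into a dict; the last duplicate wins, as most servers do."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def session_id_from_request(url: str, cookie_header: str = "") -> Optional[str]:
    """Locate the session ID: Cookie header first, then the two URL forms."""
    cookies = parse_cookie_header(cookie_header)
    if SESSION_COOKIE in cookies:
        return cookies[SESSION_COOKIE]
    parts = urlsplit(url)
    last_segment = parts.path.rsplit("/", 1)[-1]
    for matrix in last_segment.split(";")[1:]:      # Java EE: home;jsessionid=XYZ
        key, _, value = matrix.partition("=")
        if key.lower() == "jsessionid" and value:
            return value
    query = parse_qs(parts.query)                   # PHP: ?page=1&PHPSESSID=XYZ
    if query.get("PHPSESSID"):
        return query["PHPSESSID"][0]
    return None


def demo() -> dict:
    store = SessionStore(ttl_seconds=60)
    t0 = 1_700_000_000.0                            # fixed clock for a repeatable run
    sid = store.create(now=t0)
    store.get(sid, now=t0)["username"] = "Nick"     # state lives here, not in a cookie

    base = "https://www.example.com/support/home"   # placeholder host
    via_cookie = session_id_from_request(base, f"{SESSION_COOKIE}={sid}; theme=dark")
    via_matrix = session_id_from_request(f"{base};jsessionid={sid}")
    via_query = session_id_from_request(
        f"https://www.example.com/index.php?page=1&PHPSESSID={sid}")
    return {
        "same_id_all_three_ways": via_cookie == via_matrix == via_query == sid,
        "username": store.get(sid, now=t0 + 10)["username"],
        "guessed_id_rejected": store.get("1679", now=t0) is None,
        "expired_rejected": store.get(sid, now=t0 + 61) is None,
    }
```

The resolver prefers the cookie because the URL forms leak the ID into logs, history and Referer headers; a guessed sequential-looking ID such as "1679" fails the length check before the store is even consulted, and an ID that has outlived its TTL is removed on the first attempt to use it.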
Cookies A cookie is a name/value pair in the Set-Cookie header field of an HTTP response Most (not all) clients will: Store each cookie received in its file system Send each cookie back to the server that sent it as part of the Cookie header field of subsequent HTTP requests
Cookies Example: Tomcat sends the session ID as the value of a cookie named JSESSIONID.
Cookies Example: a cookie-enabled browser returns the session ID as the value of the cookie named JSESSIONID.
Cookies API
Servlets can set cookies explicitly:
- The javax.servlet.http.Cookie class represents a cookie.
- request.getCookies() returns an array of Cookie instances representing the cookies in the HTTP request (null when the request carries no Cookie header, so check before iterating).
- response.addCookie(Cookie) adds a Set-Cookie header to the HTTP response.
- Cookies are expired by the client; the server can only request an expiration (Cookie.setMaxAge(seconds); a negative value means a session cookie, 0 asks the browser to delete the cookie).
Cookies Example: return the array of cookies contained in the HTTP request (request.getCookies()), then search it for the cookie named COUNT and extract its value as an int (Integer.parseInt(cookie.getValue()), catching NumberFormatException, since the client controls the value).
Cookies Example: send the replacement cookie value to the client with response.addCookie(); a cookie with the same name and path overwrites the existing one in the browser. addCookie() must be called before writing any HTML, because the Set-Cookie header has to go out with the response headers, which are committed once the body starts being written.
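The COUNT example from the last three slides, rendered as an added example in Python rather than as the servlet code (which is not reproduced on this page): read COUNT from the Cookie header, increment it, and emit the replacement Set-Cookie header before the body, mirroring the "call addCookie() before writing HTML" rule. The cap and the request/response shapes are assumptions for this example; the hardening point it adds is that the counter value arrives from the client and must be parsed defensively.

```python
"""A per-browser visit counter carried in a cookie named COUNT.
Added example for this page, not the slides' servlet code: the same
read-increment-rewrite logic over a raw Cookie header. The cap and the
(headers, body) response shape are assumptions made for the example."""
from http.cookies import CookieError, SimpleCookie
from typing import Dict, Tuple

COOKIE_NAME = "COUNT"
MAX_COUNT = 1_000_000   # the value is client-controlled: cap it rather than trust it


def read_count(cookie_header: str) -> int:
    """Return COUNT as an int; missing, malformed or out-of-range values count as 0."""
    try:
        jar = SimpleCookie(cookie_header or "")
    except CookieError:
        return 0
    morsel = jar.get(COOKIE_NAME)
    if morsel is None:
        return 0
    try:
        n = int(morsel.value)
    except ValueError:                    # e.g. COUNT=abc sent by a tampering client
        return 0
    return n if 0 <= n <= MAX_COUNT else 0


def handle(cookie_header: str) -> Tuple[Dict[str, str], str]:
    """Serve one request: headers (including Set-Cookie) are built before the body."""
    count = read_count(cookie_header) + 1
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        # Same name and path as before, so the browser replaces the old value.
        "Set-Cookie": f"{COOKIE_NAME}={count}; Path=/; HttpOnly",
    }
    body = f"<html><body>You have visited this page {count} time(s).</body></html>"
    return headers, body


def simulate_visits(n: int, cookie_header: str = "") -> int:
    """Drive n requests, returning each Set-Cookie to the server as a browser would."""
    for _ in range(n):
        headers, _body = handle(cookie_header)
        # The browser stores and resends only name=value, not the attributes.
        cookie_header = headers["Set-Cookie"].split(";", 1)[0]
    return read_count(cookie_header)
```

Because the client can set COUNT to anything, such a counter is fine for a visit counter but must never feed an authorization decision; that is what the server-side session of the earlier slides is for.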
Summary
Many websites use small strings of text known as cookies to store persistent client-side state between connections. Cookies are passed from server to client and back again in the HTTP headers of responses and requests. Cookie values are limited to non-whitespace ASCII text and may not contain commas, semicolons, double quotes or backslashes. A server can use cookies to carry a session ID, shopping cart contents, login state, user preferences, and more; actual credentials should not be stored in a cookie, because every cookie value is readable and modifiable by the client, so a random session ID that references server-side state is the accepted pattern. Servers can set more than one cookie in the same response, using one Set-Cookie header per cookie.