7/25/2019 07 Cookie Session
Cookies and Sessions
Maintaining State in HTTP
High Level Summary
The web is stateless - the browser does not maintain a connection to the server while you are looking at a page. You may never come back to the same server - or it may be a long time - or it may be one second later.
So we need a way for servers to answer the question: which browser is this?
In the browser, state is stored in Cookies. In the server, state is stored in Sessions.
Some Web sites always seem to want to know who you are!
Other Web sites always seem to know who you are!
[Diagram - How you see YouTube...: Browser sends GET, Server returns the whole page, Browser draws it; you watch the YouTube video for 30 seconds; you click, Browser sends another GET, Server returns the whole page, Browser draws it again.]
[Diagram - How YouTube sees you...: the same sequence from the Server's side. All it sees is GET, whole page, GET, whole page; the drawing and clicking happen in the Browser and the Server never sees them.]
Multi-User
When a server is interacting with many different browsers at the same time, the server needs to know *which* browser a particular request came from.
Request / Response initially was stateless - all browsers looked identical - this was really really bad and did not last very long at all.
Web Cookies to the Rescue
http://en.wikipedia.org/wiki/HTTP_cookie
Technically, cookies are arbitrary pieces of data chosen by the Web server and sent to the browser. The browser returns them unchanged to the server, introducing a state (memory of previous events) into otherwise stateless HTTP transactions. Without cookies, each retrieval of a Web page or component of a Web page is an isolated event, mostly unrelated to all other views of the pages of the same site.
Cookies In the Browser
Cookies are marked as to the web addresses they come from - the browser only sends back cookies that were originally set by the same web server.
Cookies have an expiration date - some last for years - others are short-term and go away as soon as the browser is closed.
Playing with Cookies
Firefox Developer Plugin has a set of cookie features
Other browsers have a way to view or change cookies
Cookies
Identifying Individual Users
The Web is stateless
How do we make the web seem not to be stateless?
Request Response Again!
HTTP Request / Response Cycle (Review)
http://www.oreilly.com/openbook/cgi/ch04_02.html
[Diagram: Browser (Internet Explorer, Firefox, Safari, etc.) sends an HTTP Request to the Web Server; the Web Server sends back an HTTP Response.]
HTTP Request / Response Cycle
http://www.oreilly.com/openbook/cgi/ch04_02.html
Browser -> Web Server: HTTP Request
GET /index.html HTTP/1.1
Accept: www/source
Accept: text/html
User-Agent: Lynx/2.4
We do our initial GET to a server. The server checks to see if we have a cookie with a particular name set. Since this is our first interaction, we have no cookies set for this host.
HTTP Request / Response Cycle
http://www.oreilly.com/openbook/cgi/ch04_02.html
Web Server -> Browser: HTTP Response
HTTP/1.1 200 OK
Content-type: text/html
Set-Cookie: sessid=123

.. Welcome ....
Browser cookie store: host: sessid=123
Along with the rest of the response, the server sets a cookie with some name (sessid) and sends it back along with the rest of the response.
HTTP Request / Response Cycle
http://www.oreilly.com/openbook/cgi/ch04_02.html
Browser -> Web Server: HTTP Request
GET /index.html HTTP/1.1
Accept: www/source
Accept: text/html
Cookie: sessid=123
User-Agent: Lynx/2.4
Browser cookie store: host: sessid=123
From that point forward, each time we send a GET or POST to the server, we include any cookies which were set by that host.
HTTP Request / Response Cycle
http://www.oreilly.com/openbook/cgi/ch04_02.html
Web Server -> Browser: HTTP Response
HTTP/1.1 200 OK
Content-type: text/html
Set-Cookie: name=chuck

.. Welcome ....
Browser cookie store: host: sessid=123, host: name=chuck
On each response, the server can change a cookie value or add another cookie.
HTTP Request / Response Cycle
http://www.oreilly.com/openbook/cgi/ch04_02.html
Browser -> Web Server: HTTP Request
GET /index.html HTTP/1.1
Accept: www/source
Accept: text/html
Cookie: sessid=123; name=chuck
User-Agent: Lynx/2.4
Browser cookie store: host: sessid=123, host: name=chuck
From that point forward, each time we send a GET or POST to the server, we include all the cookies which were set by that host.
Security
We only send cookies back to the host that originally set the cookie.
The browser has *lots* of cookies for lots of hosts.
To see all Cookies: Firefox -> Preferences -> Privacy -> Show Cookies
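The request/response cycle above, with the host rule from this Security slide, as an added example (not code from the slides): a tiny browser-side cookie jar that parses Set-Cookie headers, keeps one store per host, and only puts cookies from that host into the next request's Cookie header. The host name and the responses are constructed.

```python
def parse_set_cookie(response_text):
    """Return {name: value} for each Set-Cookie header in a raw HTTP response.
    Attributes after the first ';' (Path, Expires, ...) are ignored here."""
    cookies = {}
    head = response_text.split("\r\n\r\n", 1)[0]   # headers end at the blank line
    for line in head.split("\r\n")[1:]:           # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "set-cookie":
            pair = value.split(";", 1)[0]         # keep only "name=value"
            cname, _, cvalue = pair.partition("=")
            cookies[cname.strip()] = cvalue.strip()
    return cookies

class CookieJar:
    """Browser-side store: host -> {cookie name: value}, one dict per host."""
    def __init__(self):
        self.by_host = {}

    def store(self, host, response_text):
        """Remember every cookie the response from host set (or changed)."""
        self.by_host.setdefault(host, {}).update(parse_set_cookie(response_text))

    def cookie_header(self, host):
        """Value of the Cookie header for the next request to host ('' if none).
        Cookies set by other hosts are never included."""
        return "; ".join(f"{k}={v}" for k, v in self.by_host.get(host, {}).items())

    def build_request(self, host, path="/index.html"):
        lines = [f"GET {path} HTTP/1.1", f"Host: {host}", "Accept: text/html"]
        if self.cookie_header(host):
            lines.append("Cookie: " + self.cookie_header(host))
        lines.append("User-Agent: Lynx/2.4")
        return "\r\n".join(lines) + "\r\n\r\n"

# Constructed responses, in the order the slides show them.
FIRST_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-type: text/html\r\n"
                  "Set-Cookie: sessid=123\r\n\r\n.. Welcome ....")
SECOND_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-type: text/html\r\n"
                   "Set-Cookie: name=chuck; Path=/\r\n\r\n.. Welcome ....")

def demo(host="www.example.com"):       # placeholder host name
    jar = CookieJar()
    jar.store(host, FIRST_RESPONSE)     # browser now holds sessid=123 for host
    jar.store(host, SECOND_RESPONSE)    # and name=chuck
    return jar
```

A request built for any other host carries no Cookie header at all, which is the rule the Security slide states.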
The Firefox Web Developer Plugin shows cookies for the current host.
Two Kinds of Cookies
Long-lived - who you are - account name, last access time - you can close and reopen your browser and it is still there.
Temporary - used to identify your session - it goes away when you close the browser.
Using Cookies to Support Sessions and Login / Logout
In The Server - Sessions
In most server applications, as soon as we meet a new browser - we create a session.
We set a session cookie to be stored in the browser which indicates the session id in use.
The creation and destruction of sessions is generally handled by a web framework or some utility code that we just use to manage the sessions.
Session Identifier
A large, random number that we place in a browser cookie the first time we encounter a browser.
This number is used to pick from the many sessions that the server has active at any one time.
Server software stores data in the session which it wants to have from one request to another from the same browser.
Shopping cart or login information is stored in the session in the server.
[Diagram: Browser C sends a Request for index; the Server creates Session 97 and sends a Response "Please log in" with cook=97; Browser C now holds cook=97.]
[Diagram: Server holds Session 97, Browser C holds cook=97, the user is typing. We now have a session established but are not yet logged in.]
Login / Logout
Having a session is not the same as being logged in.
Generally you have a session the instant you connect to a web site
The Session ID cookie is set when the first page is delivered
Login puts user information in the session (stored in the server)
Logout removes user information from the session
[Diagram: the user clicks; Browser C sends a login Request with cook=97; the Server finds Session 97 and runs login: if good, set user.]
[Diagram: the login was good, so Session 97 now holds user=phil; the Server sends the Response back to Browser C, which still holds cook=97.]
[Diagram: Server holds Session 97 with user=phil; Browser C holds cook=97. The user information lives in the server, only the session id lives in the browser.]
Using Sessions for Other Stuff
[Diagram: Browser A holds cook=10 and Browser B holds cook=46. The Server holds Session 10 with user=chuck, bal=$1000 and Session 46 with user=jan, bal=$400.]
[Diagram: Session 10 has user=chuck, bal=$1000; Session 46 has user=jan, bal=$500. The Server's withdraw page does bal=bal-100 on whichever session the request belongs to.]
[Diagram: the user at Browser B clicks withdraw. Session 10 still has user=chuck, bal=$1000; Session 46 has user=jan, bal=$500.]
[Diagram: Browser B sends the withdraw Request carrying cook=46; the Server uses the cookie to pick Session 46 (user=jan, bal=$500) and runs bal=bal-100 there. Session 10 (user=chuck, bal=$1000) is untouched.]
[Diagram: after the Request and Response, Session 46 now holds user=jan, bal=$400 while Session 10 still holds user=chuck, bal=$1000. Browser A keeps cook=10 and Browser B keeps cook=46.]
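The Session Identifier, Login / Logout and withdraw slides above, as one added example (not code from the slides): a server keeps its sessions in a dict keyed by a large random id, the browser holds only the id in a cookie, login puts the user into the session, logout takes it out again, and the withdraw page changes the balance only in the session the cookie points at. The cookie name, the passwords and the balances are constructed.

```python
import secrets

SESSION_COOKIE = "sessid"   # cookie name is an assumption, taken from the slide example

class Server:
    def __init__(self):
        self.sessions = {}                    # session id -> scratch-space dict
        self.passwords = {"chuck": "pw-chuck", "jan": "pw-jan"}  # constructed
        self.balances = {"chuck": 1000, "jan": 500}               # constructed

    def handle(self, cookies, path, form=None):
        """cookies: what the browser sent back. Returns (set_cookie, body)."""
        form, set_cookie = form or {}, None
        session = self.sessions.get(cookies.get(SESSION_COOKIE))
        if session is None:                   # new browser (or unknown id): new session
            sid = secrets.token_urlsafe(32)   # large random, unguessable session id
            session = self.sessions[sid] = {}
            set_cookie = {SESSION_COOKIE: sid}
        if path == "/login":
            user = form.get("user")
            if self.passwords.get(user) == form.get("pw"):   # "if good: set user"
                session["user"], session["bal"] = user, self.balances[user]
        elif path == "/logout":
            session.pop("user", None)         # logout removes the user, keeps the session
        elif path == "/withdraw":
            if "user" not in session:         # having a session is not being logged in
                return set_cookie, "Please log in"
            session["bal"] -= 100             # bal=bal-100 in this session only
        return set_cookie, f"user={session.get('user')} bal={session.get('bal')}"

class Browser:
    """Browser side: remembers only the cookie and sends it on every request."""
    def __init__(self, server):
        self.server, self.cookies = server, {}

    def request(self, path, form=None):
        set_cookie, body = self.server.handle(self.cookies, path, form)
        self.cookies.update(set_cookie or {})  # keep the session id for next time
        return body

def demo():
    srv = Server()
    a, b = Browser(srv), Browser(srv)          # Browser A and Browser B
    a.request("/login", {"user": "chuck", "pw": "pw-chuck"})
    b.request("/login", {"user": "jan", "pw": "pw-jan"})
    b.request("/withdraw")                     # only jan's session changes
    return a.request("/index"), b.request("/index")
```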
Review...
High Level Summary
The web is stateless - the browser does not maintain a connection to the server while you are looking at a page. You may never come back to the same server - or it may be a long time - or it may be one second later.
So we need a way for servers to answer the question: which browser is this?
In the browser, state is stored in Cookies.
In the server, state is stored in Sessions.
[Diagram - How you see YouTube...: Browser sends GET, Server returns the whole page, Browser draws it; you watch the YouTube video for 30 seconds; you click, Browser sends another GET, Server returns the whole page, Browser draws it again.]
[Diagram: the same exchange from the Server's side - GET, whole page, GET, whole page; the drawing and clicking stay in the Browser.]
[Diagram: the same exchange with a session. Each GET carries cook=42, and the Server uses it to find Session 42 for both requests, so it can tell they came from the same Browser.]
Cookie/Session Summary
Cookies take the stateless web and allow servers to store small breadcrumbs in each browser.
Session IDs are large random numbers stored in a cookie and used to maintain a session on the server for each of the browsers connecting to the server.
Server software stores sessions *somewhere* - each time a request comes back in, the right session is retrieved based on the cookie.
Server uses the session as a scratch space for little things.