How does the session in web browsers work?

22

A session allows me, for example, to keep the user logged in, by storing the information about who is logged in (user_id, for example).

I think it is something more elaborate than cookies, otherwise I could change my "user_id" cookie from my browser to any number and log in as another user.

  • How does the session work?
  • What sets it apart from cookies?
  • What makes it secure?
asked by anonymous 25.07.2014 / 18:07

3 answers

21

What is the session

In web projects, a session is the use of an application by a user, usually comprising a sequence of requests.

On the other hand, the term session can also refer to the stored content, the location, or the variable that stores the state. For example, in Java there is the session map, in PHP the superglobal variable $_SESSION, and so on.

How the session works

To identify that a sequence of actions comes from the same user, some technique is used to identify that user, the most common being:

  • Cookies: A session identifier is placed in a cookie, which persists at least until the user shuts down or closes the browser. Remember that cookie data is sent from the browser to the server on every request.
  • URL rewriting: A session identifier is generated on the first access to the system, and all of the system's links add this identifier as a URL parameter. This way, the user can be identified on each request.

It follows that the general procedure is to generate a single id per user and then have every request report that id in some way, through which the language, framework, or server can store and retrieve the state of the user's session.

What makes it secure

Nothing. There are several easy-to-perform attacks on systems that rely only on the session to authenticate and authorize users. The most common is session hijacking. Just obtain the cookie or URL that contains the session handle somehow and put it in another browser.

Security, however, can be implemented fairly efficiently with asymmetric cryptography (HTTPS / SSL). Certificates signed by certificate authorities (CAs) can also be used to ensure that the conversation is actually taking place with the party you expect and not with a "stranger". In addition, the content of cookies could not be intercepted by an intermediary between client and server, since only the real agents could decrypt the data with the private key.

The cookie standard specifies a Secure attribute that forces a cookie to be sent only if the connection is secure (HTTPS). This gives some assurance that it will not "escape" by mistake in some plain HTTP request to the server.

Anyway, I'm not a security expert. There are certainly many details pertinent to this subject, but I hope this is a good introduction.

25.07.2014 / 18:45

11

Sessions generally depend on cookies, but the data is stored on the server. It works like this:

  • A session is started on the server, which sends a cookie to the browser with a unique ID of that session.

  • Any data associated with the session is stored on the server, associated with that ID.

  • In every request, the browser sends back the cookie with the session ID, which allows the server to access the data associated with that ID.

  • Therefore, using sessions is a little safer than storing data directly in cookies, since if someone gets hold of the cookie they do not have direct access to the data (not to mention that cookies cannot hold much data). However, if someone gets hold of the cookie with the ID of your session, they can "hijack" the session and have the server hand over the data. This is known as session hijacking.

25.07.2014 / 18:19

4
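The mechanism both answers above describe (an opaque random id in the cookie, the actual state in a server-side store, the Secure/HttpOnly attributes on the cookie, and the hijack that works by simply replaying that cookie from another browser) as an added, runnable example. This is not code from either answer; the cookie name SESSIONID, the in-memory dict standing in for the server's session storage, the user ids and the Cookie header strings are all constructed for the example.

```python
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional

# Server-side session store: opaque session id -> session state.
# Only the id travels in the cookie; user_id and everything else stays here.
# (A dict stands in for whatever storage the framework uses; assumption.)
SESSIONS: Dict[str, dict] = {}


def create_session(user_id: int) -> str:
    """Start a session for user_id and return its new opaque id."""
    # 32 bytes from the OS CSPRNG, URL-safe base64. Unlike a cookie that
    # says "user_id=42", there is nothing here to increment or guess.
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user_id": user_id}
    return sid


def set_cookie_header(sid: str) -> str:
    """The Set-Cookie header the server sends right after login."""
    c = SimpleCookie()
    c["SESSIONID"] = sid                 # cookie name is an assumption
    c["SESSIONID"]["secure"] = True      # never sent over plain HTTP
    c["SESSIONID"]["httponly"] = True    # not readable by page scripts
    c["SESSIONID"]["samesite"] = "Lax"   # not attached to cross-site POSTs
    c["SESSIONID"]["path"] = "/"
    return c.output(header="Set-Cookie:")


def handle_request(cookie_header: Optional[str]) -> Optional[dict]:
    """What the server does on every request: read the Cookie header, look
    the id up, and return the session state (None means not logged in)."""
    if not cookie_header:
        return None
    c = SimpleCookie()
    c.load(cookie_header)
    morsel = c.get("SESSIONID")
    if morsel is None:
        return None
    return SESSIONS.get(morsel.value)


def logout(sid: str) -> None:
    """Destroying the server-side entry is what really ends the session;
    any copy of the cookie held by someone else stops working at that moment."""
    SESSIONS.pop(sid, None)


def hijack_demo() -> dict:
    """Walk through the attack the answers describe, with two 'browsers'
    represented by two Cookie headers (constructed for this example)."""
    sid = create_session(42)
    victim = handle_request("SESSIONID=" + sid)
    # Someone who captured the cookie (sniffed over plain HTTP, leaked in a
    # rewritten URL, ...) replays the same value from a different browser and
    # is treated as user 42, because the id is the only thing checked:
    attacker = handle_request("SESSIONID=" + sid)
    # Guessing, on the other hand, fails: the id space is 256 bits.
    guess = handle_request("SESSIONID=" + secrets.token_urlsafe(32))
    logout(sid)
    after_logout = handle_request("SESSIONID=" + sid)
    return {"victim": victim, "attacker": attacker,
            "guess": guess, "after_logout": after_logout}


if __name__ == "__main__":
    print(set_cookie_header(create_session(1)))
    print(hijack_demo())
```

The point the demo makes concrete is that the server authenticates the id, not the person holding it: `attacker` gets exactly the same state as `victim`, while a forged id gets nothing. The Secure attribute keeps the cookie off plain HTTP, HttpOnly keeps it away from injected scripts, and a server-side logout is what finally invalidates a stolen copy.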

In my simpler designs I use cookies so the user remains logged in; to avoid the problem you reported, I do as follows.

  • The user enters his login and password, with the option to remain logged in.
  • This data arrives at the server (user, password, IP, browser and other security data) along with a variable that I use as the answer to whether the user should remain logged in.
  • A function generates a random code that is stored in the database, and the same code is stored in the user's cookie.
  • When the user comes back, I check the session by taking the code stored in the cookie and comparing it against the database, verifying that the user is on the same IP and in the same browser as when the session was stored. As a complement, I check whether the session variable is set to 1 (true).
  • When the user wants to log out, he does not even have to delete the cookie; just set 0 (false) in the database and the cookie that contained the code is no longer valid for a session.

In short, you do not save the user's login data in the cookie, just a code, and in the check table you store data like ID, IP, browser, location, etc. (Avoid saving passwords in this table.)

I hope I have helped. If you have any questions, I am at your disposal.

25.07.2014 / 19:53
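The "remember me" scheme from the answer above, as an added example rather than the answerer's own code: a random code is issued at login, stored in the database together with IP and browser, put in the cookie, checked on the next visit against IP, browser and an active flag, and invalidated at logout by flipping that flag. An in-memory SQLite table stands in for the answer's database; the table and column names are assumptions. One deliberate change from the answer as described: the table stores a SHA-256 hash of the code rather than the code itself, so a leaked table does not directly yield working cookies.

```python
import hashlib
import secrets
import sqlite3
from typing import Optional

# In-memory SQLite stands in for the answer's database (constructed for
# this example; table and column names are assumptions).
db = sqlite3.connect(":memory:")
db.execute("""
    CREATE TABLE remember_tokens (
        token_hash TEXT PRIMARY KEY,   -- hash of the cookie code, not the code
        user_id    INTEGER NOT NULL,
        ip         TEXT    NOT NULL,
        browser    TEXT    NOT NULL,
        active     INTEGER NOT NULL DEFAULT 1   -- the answer's 1/0 flag
    )""")


def _hash(code: str) -> str:
    # Hashing the code before storage is this example's addition; the
    # answer stores the code itself. A CSPRNG code is unguessable, so an
    # unsalted fast hash is enough here (it is not a password).
    return hashlib.sha256(code.encode()).hexdigest()


def issue_token(user_id: int, ip: str, browser: str) -> str:
    """After a successful password login with 'remain logged in' ticked:
    generate the random code, record it, and return it for the cookie."""
    code = secrets.token_urlsafe(32)
    db.execute(
        "INSERT INTO remember_tokens (token_hash, user_id, ip, browser, active) "
        "VALUES (?, ?, ?, ?, 1)",
        (_hash(code), user_id, ip, browser),
    )
    db.commit()
    return code


def check_token(code: Optional[str], ip: str, browser: str) -> Optional[int]:
    """On a later visit: look the cookie's code up and require the same IP,
    the same browser and active = 1. Returns the user_id, or None."""
    if not code:
        return None
    row = db.execute(
        "SELECT user_id, ip, browser, active FROM remember_tokens "
        "WHERE token_hash = ?",
        (_hash(code),),
    ).fetchone()
    if row is None:
        return None
    user_id, stored_ip, stored_browser, active = row
    if active != 1 or stored_ip != ip or stored_browser != browser:
        return None
    return user_id


def logout(code: str) -> None:
    """The cookie may stay on the client; setting active = 0 is what
    invalidates it, exactly as the answer describes."""
    db.execute(
        "UPDATE remember_tokens SET active = 0 WHERE token_hash = ?",
        (_hash(code),),
    )
    db.commit()


if __name__ == "__main__":
    # Constructed sample values for a quick run.
    code = issue_token(1, "203.0.113.5", "Mozilla/5.0")
    print(check_token(code, "203.0.113.5", "Mozilla/5.0"))   # user 1
    print(check_token(code, "198.51.100.9", "Mozilla/5.0"))  # other IP: None
    logout(code)
    print(check_token(code, "203.0.113.5", "Mozilla/5.0"))   # revoked: None
```

The IP and browser comparison is taken from the answer as written; in practice the IP check rejects legitimate users whose address changes (mobile networks, roaming behind different NAT gateways), and the User-Agent string is trivially copied by whoever stole the cookie, so neither is a substitute for keeping the code itself secret and revocable.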