26
A session allows, for example, that I allow the user to remain logged in, saving the information of who is logged in (username, for example).
I believe it’s something more elaborate than cookies, because otherwise I could modify the cookie "my browser user id" to any number, and so I could log in as another user.
24
In web projects, a session is the use of an application by a user, usually comprising a sequence of requests.
On the other hand, the term session may also refer to the content, location or storage variable of the state stored. For example, in Java there is the session map, in PHP the superglobal variable $_SESSION and so on.
To identify that the sequence of actions come from the same user, some technique is used to identify it, the most common being:
It is then understood that the general procedure is to generate a id single per user and then have every request enter this id in some way, through which the language, the framework or the server can store and retrieve the state user session.
Nothingness. There are several easy-to-perform attacks on systems that rely only on the session to authenticate and authorize users. The most common is the sequestration. Just get somehow the Cookie or URL that contains the session identifier and put it in any other browser.
Security, however, can be implemented reasonably efficiently with asymmetric encryption (HTTPS/SSL). Certificates signed by certifying authorities (CA’s) can also be used to ensure that the conversation is actually being done with whom you expect and not with a "stranger". In addition, the content of Cookies could not be intercepted by an intermediary between client and server, because only the true agents could decrypt the data with the private key.
The pattern of Cookies specifies a parameter secure what force a Cookie to be sent only if the connection is secure (HTTPS). This can give a certain assurance that it will not "escape" by mistake in some HTTP request common to the server.
Anyway, I’m not a security expert. There are certainly many details pertinent to this subject, but I hope this is a good introduction.
13
Sessions usually depend on cookies, but the data is stored on the server. It works like this:
A session is started on the server, which sends a cookie to the browser with a unique ID of that session.
Any data associated with the session is stored on the server, associated with that ID.
In any request, the browser sends back the cookie with the session ID, which allows the server to give access to the data associated with that ID.
Therefore, using sessions is a little safer than storing data directly in cookies, since if someone has access to the cookie they do not have direct access to the data (not to mention that they do not fit a lot of data in cookies). However, if someone has access to the cookie with your session ID, you can "hijack" the session and make the server deliver the data. This is known as Session Hijacking.
And if I disable browser cookies the session simply doesn’t work?
Yes, it doesn’t work... That’s why websites use session (like any login site) require cookies enabled.
Interesting, I had never attempted it. Thank you for the answer.
This is not entirely true - cookieless Sessions also exist: http://stackoverflow.com/questions/2273066/what-are-cookieless-sessions
@Onosendai Yes, I had not thought about it. I fitted a "usually" in the answer.
5
In my simplest projects I use cookies so that the user remains logged in, to avoid the problem reported by you do as follows.
In short, you do not store the user login data in the cookie, only a code and in the table verification data such as ID, IP, browser, location, etc (Avoid storing passwords in this database).
I hope I’ve helped. Any doubts, I’m available.
Browser other questions tagged security-guard session web-application cookies
You are not signed in. Login or sign up in order to post.
+1, very good content. However, note - a requested URL under HTTPS is, yes, encrypted. It is part of the request payload. The server name can be determined since an initial TCP connection (which is where SSL/TLS happens) is required for Handshake.
– OnoSendai
@Onosendai, you are right. I made an ugly mess with the URL reminding of a case I’ve seen where a proxy log could be used to steal the session, but it really wasn’t HTTPS.
– utluiz
In fact you are correct if the communication between the client and proxy occurs via HTTP and the proxy takes advantage of Nating to switch to HTTPS - the Proxy in this case would know which URL was used.
– OnoSendai
There are cases also that the management of the session takes place by an id inserted inside the HTML page itself.
– Inael Rodrigues
@Inaelrodrigues Well remembered. This is a technique widely used to maintain *one session per tab". However, the id is still sent via cookie, url parameter or as part of the body in each request. What changes is basically the scope of the session.
– utluiz