I am just beginning to start learning web application development, using Python. I am coming across the terms 'cookies' and 'sessions'. I understand cookies in that they store some info in a key-value pair on the browser. But I have a little confusion regarding sessions: in a session too we store data in a cookie on the user's browser.

For example - I log in using username='rasmus' and password='default'. In such a case the data will be posted to the server, which is supposed to check and log me in if authenticated. However, during the entire process the server also generates a session ID which will be stored in a cookie on my browser. Now the server also stores this session ID in its file system or datastore.

But based on just the session ID, how would it be able to know my username during my subsequent traversal through the site? Does it store the data on the server as a dict where the key would be a session ID and details like username, email etc.? Need help.

Because HTTP is stateless, in order to associate a request to any other request, you need a way to store user data between HTTP requests.

Cookies or URL parameters (for ex. like ) are both suitable ways to transport data between 2 or more requests. However they are not good in case you don't want that data to be readable/editable on the client side.

The solution is to store that data server side, give it an "id", and let the client only know (and pass back at every HTTP request) that id. Or you can use the client as a convenient remote storage, but you would encrypt the data and keep the secret server-side.

Of course there are other aspects to consider, like you don't want people to hijack others' sessions, you want sessions to not last forever but to expire, and so on.

In your specific example, the user id (could be username or another unique ID in your user database) is stored in the session data, server-side, after successful identification. Then for every HTTP request you get from the client, the session id (given by the client) will point you to the correct session data (stored by the server) that contains the authenticated user id - that way your code will know what user it is talking to.

You can think of a session kinda like a library ID card. Every time you go to a library, you show them your ID card which was issued by that particular library. Now they can match up who you are with the records stored on file.

Simple Explanation by analogy

Let's elaborate step-by-step: imagine you are in a bank, trying to get some money out of your account. But it's dark; the bank is pitch black: there's no light. This bank is a funny type of bank - for the sake of argument here's how things work:

- you talk to your teller and make a request to withdraw money, and then
- you have to wait briefly on the sofa, and 20 minutes later
- you collect your money from the teller.

But how will the teller tell you apart from everyone else? The teller can't see or readily recognise you, remember, because the lights are all out. It's absolutely vital that the teller can recognise you as the one who made the withdrawal, so that you can get the money (or resource) that you asked for. What if your teller gives your $10,000 withdrawal to someone else - the wrong person?!

When you first appear to the teller, he or she tells you something in secret: "Whenever you are talking to me," says the teller, "you should first identify yourself as GNASHEU329 - that way I know it's you".

So I decide to go to the sofa and chill out for 20 minutes, and then later I go to the teller and say "I'd like to collect my withdrawal", and then I tell them my passcode: GNASHEU329. It allows one to be uniquely identified in a sea of millions of people. You need to identify yourself every time you deal with the teller.

Difference between Sessions and Cookies

Cookie: You can think of a cookie as simply a plastic card upon which information is printed. You can store anything on that card, like: name: Ben Koshy

Sessions: Think of it like a temporary passcode. The passcode is stored in the cookie but that does not make it a cookie.

Security Concerns with Cookies

You wouldn't want anyone to be able to easily tamper with people's passcodes, or to be able to easily reproduce them - see below for examples:

The bank can write information onto your card - and so can you. But this can be dangerous: if I wanna be sneaky, I could edit my ID card: name: Ben Koshy, bank balance: $1 billion bucks.

Think of any web-based service: Facebook, Gmail: if I have your password, then I get access to your account. It's the same with sessions: if I can reproduce or recreate your session, then I can impersonate you. This might happen if you get really sloppy / careless and accidentally release your private key on the internet.
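The two options named in the first answer above (a server-side store keyed by a random session id, or client-side data made tamper-evident with a server-kept secret), together with the expiry and "edit my own card" concerns from both answers, as an added example. This is illustration code written for this page, not code from the question or either answer; it uses no web framework, and names such as SessionStore, sign_cookie and the 20-minute TTL are assumptions.

```python
# Added example (not from the thread above): a dict-backed session store,
# as the question guesses, plus a tamper-evident client-side cookie.
import base64
import hashlib
import hmac
import json
import secrets
import time

SESSION_TTL_SECONDS = 20 * 60  # assumption: sessions expire after 20 minutes


class SessionStore:
    """Server-side storage: session_id -> {"user": ..., "expires": ...}.

    The client only ever holds the random session_id (in a cookie); the
    user id lives here on the server, so the client cannot edit it.
    """

    def __init__(self, now=time.time):
        self._sessions = {}
        self._now = now  # injectable clock so expiry can be tested

    def create(self, user_id):
        """Call after the password check succeeded; returns the id to set
        in the cookie. 32 random bytes cannot be guessed or 'recreated'."""
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {
            "user": user_id,
            "expires": self._now() + SESSION_TTL_SECONDS,
        }
        return session_id

    def lookup(self, session_id):
        """Map the id from the cookie back to a user id, or None."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        if self._now() >= entry["expires"]:
            del self._sessions[session_id]  # expired: forget it server-side
            return None
        return entry["user"]

    def destroy(self, session_id):
        """Logout: the id in the client's cookie stops meaning anything."""
        self._sessions.pop(session_id, None)


# Alternative: keep the data on the client, but the server keeps a secret
# and every cookie carries an HMAC tag, so edits are detected.
SERVER_SECRET = secrets.token_bytes(32)  # assumption: generated at startup


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(payload: dict, secret: bytes = SERVER_SECRET) -> str:
    """Encode payload as '<base64 json>.<base64 hmac-sha256 tag>'."""
    raw = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(secret, raw, hashlib.sha256).digest()
    return _b64(raw) + "." + _b64(tag)


def verify_cookie(cookie: str, secret: bytes = SERVER_SECRET):
    """Return the payload dict if the tag matches, else None."""
    try:
        body, tag = cookie.split(".", 1)
        raw = _unb64(body)
        expected = hmac.new(secret, raw, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):  # constant time
            return None
        return json.loads(raw)
    except (ValueError, TypeError):
        return None  # malformed cookie is treated like a bad tag


def tamper_balance(cookie: str, new_balance) -> str:
    """What a 'sneaky' client does: rewrite its own card (the payload)
    while keeping the old tag. The server's verify_cookie rejects it."""
    body, tag = cookie.split(".", 1)
    payload = json.loads(_unb64(body))
    payload["balance"] = new_balance
    return _b64(json.dumps(payload, sort_keys=True).encode()) + "." + tag


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("rasmus")  # after checking password 'default'
    print("Set-Cookie: session_id=" + sid)
    print("user for that id:", store.lookup(sid))
    card = sign_cookie({"name": "Ben Koshy", "balance": 100})
    print("edited card accepted?", verify_cookie(tamper_balance(card, 10**9)))
```

The server-side store answers the question literally: a dict keyed by the random session id, holding the username and anything else the server wants to remember. The signed-cookie variant shows the other option the answer mentions in its simplest form; it only authenticates the data (an edited balance is rejected), it does not hide it, so encrypt as well if the payload is confidential.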