Cookies and sessions

5,751 views
5,486 views

Published on

Cookies
- Brief overview
- Limitation
- Privacy
- Type of cookies
- Manage cookies
Sessions
- Brief overview
- HTTP Session Token
- Session Advantages

Published in: Technology, Self Improvement
0 Comments
8 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
5,751
On SlideShare
0
From Embeds
0
Number of Embeds
17
Actions
Shares
0
Downloads
342
Comments
0
Likes
8
Embeds 0
No embeds

No notes for slide
  • This function expects the cookie data to be passed to it as arguments; it then builds the appropriate cookie string and sets the cookie.
  • The function uses a regular expression to find the cookie name and value we're interested in, then returns the value portion of the match, passing it through the unescape() function to convert any escaped characters back to normal. (If it doesn't find the cookie, it returns a null value.)
  • Cookies and sessions

    1. 1. Cookies and Sessions Lena Petsenchuk 12.09.2011
    2. 2. Agenda <ul><li>Cookies </li></ul><ul><ul><li>Brief overview </li></ul></ul><ul><ul><li>Limitation </li></ul></ul><ul><ul><li>Privacy </li></ul></ul><ul><ul><li>Type of cookies </li></ul></ul><ul><ul><li>Manage cookies </li></ul></ul><ul><li>Sessions </li></ul><ul><ul><li>Brief overview </li></ul></ul><ul><ul><li>HTTP Session Token </li></ul></ul><ul><ul><li>Session Advantages </li></ul></ul>
    3. 3. Cookies <ul><li>A cookie is a small text file that contains a small amount of information about a user visiting your site and is stored on the site visitor's computer by their browser. </li></ul><ul><li>Because the cookie is stored on the user’s computer, it does not require any server space no matter how many users you have. </li></ul><ul><li>You can use cookies to save user preferences, customize data, remember the last visit, or to keep track of items in an order while a user browses. </li></ul>
    4. 4. Limitation <ul><li>The cookie specification introduced by Netscape also places limits on cookies. These limits are: </li></ul><ul><ul><li>310 total cookies. </li></ul></ul><ul><ul><li>4 kilobytes per cookie </li></ul></ul><ul><ul><li>20 cookies per server or domain. </li></ul></ul>
    5. 5. Privacy <ul><li>Cookies can only be read by the site that created them, or a site 'underneath' the site that created them. This prevents other websites from stealing cookies. </li></ul>
    6. 6. Types of cookies <ul><li>There are three different types of cookies. </li></ul><ul><ul><li>First Party Cookies are written by your site and can only be read by your site. </li></ul></ul><ul><ul><li>Third Party Cookies are created by advertising in your page that is loaded from a third party site. These can only be read by the advertising code on any site displaying the same ads. </li></ul></ul><ul><ul><li>Session Cookies are not actually written to a file but are stored in the browser itself. These cookies only last as long as the browser is open. </li></ul></ul>
    7. 7. The document.cookie property <ul><li>Cookies in JavaScript are accessed using the cookie property of the document object . In simple terms, we create a cookie like this: </li></ul><ul><li>document.cookie = &quot; name = value ; expires= date ; path= path ; domain= domain ; secure&quot;; </li></ul><ul><li>and retrieve all our previously set cookies like this: </li></ul><ul><li>var x = document.cookie; </li></ul><ul><li>To set a cookie, we set the document.cookie property to a string containing the properties of the cookie that we want to create: </li></ul><ul><li>document.cookie = &quot; name = value ; expires= date ; path= path ; domain= domain ; secure&quot;; </li></ul>
    8. 8. Setting a cookie Property Description Example name = value This sets both the cookie's name and its value. username=matt expires= date This optional value sets the date that the cookie will expire on. The date should be in the format returned by the toGMTString() or toUTCString() methods of the Date object. If the expires value is not given, the cookie will be destroyed the moment the browser is closed. expires= 13/06/2003  00:00:00 path= path The path gives you the chance to specify a directory where the cookie is active. So if you want the cookie to be only sent to pages in the directory cgi-bin, set the path to /cgi-bin. Usually the path is set to /, which means the cookie is valid throughout the entire domain. path=/tutorials/
    9. 9. Setting a cookie Property Description Example domain= domain This optional value specifies a domain within which the cookie applies. Only websites in this domain will be able to retrieve the cookie. Usually this is left blank, meaning that only the domain that set the cookie can retrieve it. Please note that the purpose of the domain is to allow cookies to cross sub-domains. Domain=elated.com if we set domain = www.elated.com cookie will not be read by search.elated.com We cannot set the cookie domain to a domain we’re not in, we cannot make the domain www.microsoft.com . Only elated.com is allowed, in this case.
    10. 10. Setting a cookie Property Description Example secure This optional flag indicates that the browser should use SSL when sending the cookie to the server. This flag is rarely used. secure
    11. 11. A few examples of cookie setting <ul><li>document.cookie = &quot;username=John;expires=15/02/2003 00:00:00&quot;; </li></ul><ul><li>This code sets a cookie called username, with a value of &quot;John&quot;, that expires on Feb 15th, 2003 </li></ul><ul><li>(note the European time format!). </li></ul><ul><li>var cookie_date = new Date(2003, 01, 15); document.cookie = &quot;username=John; expires=&quot; + cookie_date.toUTCString(); </li></ul><ul><li>This code does exactly the same thing as the previous example, but specifies the date using the Date.toUTCString() method instead. Note that months in the Date object start from zero, so February is 01. </li></ul>
    12. 12. A few examples of cookie setting <ul><li>document.cookie = &quot;logged_in=yes&quot;; </li></ul><ul><li>This code sets a cookie called logged_in, with a value of &quot;yes&quot;. As the expires attribute has not been set, the cookie will expire when the browser is closed down. </li></ul><ul><li>var cookie_date = new Date(); //current date & time </li></ul><ul><li>cookie_date.setTime(cookie_date.getTime() - 1); document.cookie = &quot;logged_in=; expires=&quot; + cookie_date.toUTCString(); </li></ul><ul><li>This code sets the logged_in cookie to have an expiry date one second before the current time - this instantly expires the cookie. A handy way to delete cookies! </li></ul>1
    13. 13. A few examples of cookie setting <ul><li>Strictly speaking, we should be escaping our cookie values - encoding non-alphanumeric characters such as spaces and semicolons. This is to ensure that our browser can interpret the values properly. Fortunately this is easy to do with JavaScript's escape() function. </li></ul><ul><li>For example: </li></ul><ul><li>document.cookie = &quot;username=&quot; + escape(&quot;John Smith&quot;) + &quot;; expires=15/02/2003 00:00:00&quot;; </li></ul>
    14. 14. A function to set a cookie <ul><li>Setting cookies will be a lot easier if we can write a simple function to do stuff like escape the cookie values and build the document.cookie string. </li></ul><ul><li>function set_cookie(name, value, exp_y, exp_m, exp_d, path, domain, secure) { </li></ul><ul><ul><li>var cookie_string = name + &quot;=&quot; + escape(value); </li></ul></ul><ul><ul><li>if (exp_y) { </li></ul></ul><ul><ul><li>var expires = new Date(exp_y, exp_m, exp_d); </li></ul></ul><ul><ul><li>cookie_string += &quot;; expires=&quot; + expires.toGMTString(); </li></ul></ul><ul><ul><li>} </li></ul></ul><ul><ul><li>if (path) cookie_string += &quot;; path=&quot; + escape(path); </li></ul></ul><ul><ul><li>if (domain) cookie_string += &quot;; domain=&quot; + escape(domain); </li></ul></ul><ul><ul><li>if (secure) cookie_string += &quot;; secure&quot;; </li></ul></ul><ul><ul><li>document.cookie = cookie_string; </li></ul></ul><ul><li>} </li></ul>
    15. 15. A function to set a cookie <ul><li>For example, to use this function to set a cookie with no expiry date: </li></ul><ul><li>set_cookie(&quot;username&quot;, &quot;John Smith”); </li></ul><ul><li>To set a cookie with an expiry date of 15 Feb 2003: </li></ul><ul><li>set_cookie(&quot;username&quot;, &quot;John Smith&quot;, 2003, 01, 15); </li></ul><ul><li>To set a secure cookie with an expiry date and a domain of elated.com, but no path: </li></ul><ul><li>set_cookie(&quot;username&quot;, &quot;John Smith&quot;, 2003, 01, 15, &quot;&quot;, &quot;elated.com&quot;, &quot;secure”); </li></ul>
    16. 16. A function to delete a cookie <ul><ul><ul><ul><li>Another useful cookie-handling function is provided below. This function will &quot;delete&quot; the supplied cookie from the browser by setting the cookie's expiry date to one second in the past </li></ul></ul></ul></ul><ul><ul><li>function delete_cookie(cookie_name){ </li></ul></ul><ul><ul><li>var cookie_date = new Date(); </li></ul></ul><ul><ul><li>cookie_date.setTime(cookie_date.getTime() - 1); document.cookie = cookie_name += &quot;=; expires=&quot; + cookie_date.toUTCString(); </li></ul></ul><ul><ul><li>} </li></ul></ul>
    17. 17. A function to delete a cookie <ul><li>To use this function, just pass in the name of the cookie you would like to delete - for example: </li></ul><ul><li>delete_cookie(&quot;username”); </li></ul>
    18. 18. Retrieving cookies <ul><li>To retrieve all previously set cookies for the current document, you again use the document.cookie property: </li></ul><ul><li>var x = document.cookie; </li></ul><ul><li>This returns a string comprising a list of name/value pairs, separated by semi-colons, for all the cookies that are valid for the current document. For example: </li></ul><ul><li>&quot;username=John; password=abc123&quot; </li></ul><ul><li>In this example, 2 cookies have been previously set: username, with a value of &quot;John&quot;, and password, with a value of &quot;abc123&quot;. </li></ul>
    19. 19. A function to retrieve a cookie <ul><ul><li>Usually we only want to read the value of one cookie at a time, so a string containing all our cookies is not that helpful. So here's another useful function that parses the document.cookies string, and returns just the cookie we're interested in: </li></ul></ul><ul><li>function get_cookie(cookie_name) { </li></ul><ul><li>var results = document.cookie.match('(^|;) ?' + cookie_name + '=([^;]*)(;|$)’); </li></ul><ul><li>if (results) return (unescape(results[2])); </li></ul><ul><li>else return null; </li></ul><ul><li>} </li></ul>
    20. 20. A function to retrieve a cookie <ul><li>Using the function is easy. For example, to retrieve the value of the username cookie: </li></ul><ul><li>var x = get_cookie (&quot;username&quot;); </li></ul>
    21. 21. Sessions <ul><li>Sessions are a combination of a server-side cookie and a client-side cookie. </li></ul><ul><li>Client-side cookie simply holds a value (session token) that uniquely identifies the client to the server, and corresponds to a data file on the server. </li></ul><ul><li>Thus, when the user visits the site, their browser sends the reference code to the server, which loads the corresponding data. </li></ul>
    22. 22. HTTP session token <ul><li>A session token is a unique identifier that is generated and sent from a server to a client to identify the current interaction session. </li></ul><ul><li>The client usually stores and sends the token as an HTTP cookie and/or sends it as a parameter in GET or POST queries. </li></ul>
    23. 23. HTTP session token <ul><li>The reason to use session tokens is that the client only has to handle the identifier—all session data is stored on the server (usually in a database, to which the client does not have direct access) linked to that identifier. </li></ul><ul><li>Examples of the names that some programming languages use when naming their HTTP cookie include </li></ul><ul><ul><li>JSESSIONID (JSP), </li></ul></ul><ul><ul><li>PHPSESSID (PHP), </li></ul></ul><ul><ul><li>ASPSESSIONID (ASP). </li></ul></ul>
    24. 24. Sessions advantages <ul><li>Your server-side cookie can contain very large amounts of data with no hassle - client-side cookies are limited in size </li></ul><ul><li>Your client-side cookie contains nothing other than a small reference code - as this cookie is passed each time someone visits a page on your site, you are saving a lot of bandwidth by not transferring large client-side cookies around </li></ul><ul><li>Session data is much more secure - only you are able to manipulate it, as opposed to client-side cookies which are editable by all </li></ul>
    25. 25. Summary <ul><li>It is also important to note that sessions only last till the user closes their browser, whereas cookies can be configured to last longer. </li></ul><ul><li>However, other than the above, there is not much difference between session data and cookie data for most purposes. </li></ul>
    26. 26. Useful link <ul><li>http://www.tutorialized.com/view/tutorial/JavaScript-and-Cookies/58852 </li></ul><ul><li>http://javascript.ru/document/cookie </li></ul><ul><li>http://www.blazonry.com/javascript/cookies.php </li></ul><ul><li>http://javascript.about.com/library/blcookieb.htm </li></ul><ul><li>http://www.quirksmode.org/js/cookies.html </li></ul><ul><li>http://www.articleonlinedirectory.com/Art/268587/389/the-drawbacks-of-cookies.html </li></ul><ul><li>http://tuxradar.com/practicalphp/10/0/0 </li></ul><ul><li>https://www.owasp.org/index.php/Session_hijacking_attack </li></ul>
    27. 27. Questions

    ×