Cookie, Session and Token


Browsing is significant in everyday life and unavoidable. Do you know how your data is stored and how you are getting the responses based on your HTTP request through the web browser?

A session is created temporarily when the user wants to use a particular website. It refers to the user's visiting time and has other session-related details. The cookie and session are combined together to work for the user's better experience.

The web browser sends the session ID with the cookie to the server to check the user is valid when they try to access another related page and the session ID is unique and hard to guess. The session information will be stored in the server's database only when the cookie has the session ID details.
  • In the bank example, when the user logs in to their account, the session is created with ID and the session ends when the user logs out or is inactive for some time.
A token is totally a different concept in which the server creates a token ID when the user wishes to establish a connection with the server through the Internet.

For example, the user downloads a bank application to use his/her account. The token ID will be generated after entering user credentials and it is used for the future login without providing credentials again. Some of the commonly used tokens are OAuth, OpenID, and JWT tokens.

A term called 'Cookie' stores your data in the webserver to provide a better user experience.

The term Cookie was coined by Lou Montulli. A cookie contains a unique identifier for each session called Session ID. It carries the Session ID with other key-value pairs and other relevant information.

When we take bank login as an example, 
  • The user tries to log in with his/her credentials.
  • After providing the credentials and entering into the user homepage, a unique identifier will be generated by the web server, and it is stored temporarily or permanently based on the session availability.
  • The cookie will be deleted permanently when the session is closed by closing the browser or the user inactivates for a few minutes.
Cookie has privacy concerns based on user preferences. Ultimately, the cookie helps us to give better performance and usability while using the website.
set-cookie is the HTTP header for every HTTP request and the server returns the cookie with the HTTP response when it is used for future purposes. The cookie will be available until the session is active. 

On the whole, 
  • You can view all the information with the Session ID,  but with the token ID, you can view certain information. The token is helpful when the third party enters between the client and the server. All the user information is cryptographically signed and it is a temporary password.
  • Session and Cookie are between a client and a server. Token involves typically multiple parties and may not trust each other. 
  • Session and Cookie do not follow any standard rather Token follows a standard to ensure interoperability.
  • A cookie is mentioned in the 'Cookie' HTTP header and the token is in the 'Authorization' HTTP header.
Session-based and token-based authentication can be used in parallel. It can be seen in the bank example. The session-based approach will be used in the web browser when the user accesses his/her bank account and the token-based approach will be used when the user tries to access bank details through the mobile application.



Comments

Post a Comment

Popular posts from this blog

How to Install Jenkins

Image
Jenkins is an open-source Java application server for Continuous Integration and Continuous Delivery (CI/CD). This will run in servlet containers such as Apache Tomcat. It helps the developers to build, test, and deploy the software by automating using CI/CD pipelines. It detects bugs and notifies the developers in an early stage. How to Download and Install: Step 1: Go to https://www.jenkins.io/ . Click Download Step 2: Download Jenkins ‘Generic Java package’. I prefer to download the LTS package (It is a stable one). Step 3: Select your desired path after downloading and save the Jenkins.war file in your local system. Step 4: Go to command prompt (Windows) | Terminal (IOS)                Go to the folder where the war file is saved. Then, type the command java -jar Jenkins.war and run it. It will take a while to run the command. It gives an admin password. Note it down to use Jenkins the first time. The password will be saved in the Jenkin path. Step 5: Go to the browse
Read more

HTTP Payloads

Image
 What happens when I send a letter without information to the receiver that I require some details from them? What happens when the receiver writes a response to my letter without having the information I need? This information is similar to the body generally called a payload in HTTP request and response.  Let us see the payload in the HTTP request and HTTP response individually. I have added the below image to explain the HTTP request and response body/payload in JSON. I have used BurpSuite to take this image and Swagger Petstore (petstore.swagger.io) for this example. HTTP Request Payload Generally, the payload is not required for all the requests and responses. GET and HEAD methods usually do not require a body while sending a request to the server. The above example is a POST request to create a resource name 'doggie'. To achieve this, I should send some information about the resource which is called HTTP request payload. Breakdown of request payload: Content-Type:  Specif
Read more

Variables in Postman

What is a variable? This is the basic question to learn when you start programming. I am not going to dive deep into the programming concepts. Let me explain the variables used in Postman. What is a Variable in Postman? A data unit, that stores a value and it is dynamic based on the data type we use.  Should be written as Key: Value pair (Example: name= "Test"; num=1;) Provides the facility to access the value without manual effort every time. There are 5 different scopes of variables used in Postman. Global Variables Environment Variables Collection Variables Data Variables Local Variables These variable scopes are specially designed to refer to values in the Postman tool. Global Variable:          When the variable is assigned globally, it has all the privileges of accessing anywhere in the workspace such as the Environment, Collection. Environment Variable:          It is limited within the specific environment where you can access data between collections. Collection Vari
Read more