Importance of Cookies
Hi, today I'm going to explain the importance of cookies in web communication. Let us begin by understanding what exactly a cookie is and why it exists.
HTTP is a stateless protocol: every request a client sends is treated by the server as if it were the first one, with no memory of any earlier request from the same user. The lower layers still do their usual work (the TCP three-way handshake before a connection is established, encryption of the traffic if SSL/TLS is in use), but none of that tells the application who is asking. This was fine for static web pages that had no authentication or authorization: anyone could open the URL and view the page. As web applications grew from simple "contact me" pages into e-commerce sites and the like, authentication and authorization became a necessity.
Although authentication and authorization are often used interchangeably, there is an important difference between the two.
Authentication: the process of verifying that a user is who they claim to be, so that only legitimate users can access the application. This can range from a simple username and password combination to biometric checks such as an iris scan. A user who has passed the login step is called an authenticated user.
Authorization: the process of granting an authenticated user access only to the resources permitted for their role. Consider a banking web application. Before making any transaction the user must first log in, which makes them an authenticated user. Once logged in, they should be able to reach only the resources that apply to their role, such as making transactions from their own account or viewing their own statement, but never viewing or using someone else's account. Similarly, a bank executive can view the statements of all customers under their branch but cannot make transactions from those accounts. Partitioning the same application among its users according to the roles defined is called authorization. Logging in alone does not provide this: every request that touches an account must also be checked against the caller's role and against whether that particular account is theirs to act on.
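To make the bank example concrete, here is an added example (not code from the original post) of the authorization check described above, run after authentication has already identified the user. The role names, account numbers and branch names are constructed for illustration; the point is that the check combines what the role may do with whether this specific account is in scope.

```python
"""Added example: role-based plus per-account authorization for the bank scenario.
Roles, accounts and branches below are constructed for illustration."""

from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    username: str
    role: str      # "customer" or "executive" (assumed role names)
    branch: str    # branch the user belongs to


@dataclass(frozen=True)
class Account:
    number: str
    owner: str     # username of the customer who owns it
    branch: str


# What each role is allowed to do at all; ownership/branch scoping is checked separately.
ROLE_ACTIONS = {
    "customer": {"view_statement", "transfer"},
    "executive": {"view_statement"},   # may view, must never transact
}


def is_authorized(user: User, action: str, account: Account) -> bool:
    """Return True only if this authenticated user may perform `action` on `account`.

    Authentication is assumed to have already happened (the caller hands us a User);
    this function answers only the authorization question.
    """
    if action not in ROLE_ACTIONS.get(user.role, set()):
        return False                       # role never gets this action
    if user.role == "customer":
        return account.owner == user.username   # customers touch only their own accounts
    if user.role == "executive":
        return account.branch == user.branch    # executives see only their own branch
    return False                           # unknown role: deny by default


# Constructed sample data
alice = User("alice", "customer", "downtown")
bob = User("bob", "customer", "downtown")
eve_exec = User("eve", "executive", "downtown")
uptown_exec = User("umar", "executive", "uptown")
acct_alice = Account("1001", "alice", "downtown")
acct_bob = Account("1002", "bob", "downtown")


def demo():
    """Run the five cases from the text; returns a list of booleans in this order."""
    return [
        is_authorized(alice, "transfer", acct_alice),           # own account: allowed
        is_authorized(alice, "view_statement", acct_bob),       # someone else's: denied
        is_authorized(eve_exec, "view_statement", acct_bob),    # same branch: allowed
        is_authorized(eve_exec, "transfer", acct_bob),          # executives cannot transact
        is_authorized(uptown_exec, "view_statement", acct_bob), # other branch: denied
    ]


if __name__ == "__main__":
    print(demo())
```

The default at the end of is_authorized is deny: a role the code does not recognise gets nothing, which is the safe failure mode for an access check.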
Now, back to the main discussion. Web applications need authentication and authorization, but over a stateless protocol such as HTTP the user would have to send their login credentials with every single request. That is cumbersome for the user and highly attack-prone: capturing any one request would hand an attacker everything needed to access the account.
So how is this problem solved?
Well, every mainstream programming language or framework ships with session-handling functions that authenticate and authorize users without sending credentials on every request. When the user logs in, the server generates a session, identified by a session identifier (a long, random, unguessable value). The client includes this identifier in every subsequent request, and the server uses it to look up who the user is and whether the session is still valid.
So the next big question: where is this session identifier stored, and how is it accessed?
There are two ways to do it:
- Sessions
- Cookies
Sessions: a session is a record kept on the server side, keyed by the session identifier, that vouches for the user on each request. Typically it lasts until the browser is closed (or until a server-side timeout expires); after that the identifier no longer matches anything on the server and the user must log in again to access the application. Note that even with server-side sessions the identifier itself still has to travel with each request, most often inside a cookie, so the two mechanisms are used together rather than as alternatives.
Cookies: a cookie is a small token stored in the user's browser and appended to every request to the server, which validates it to decide whether the user is authenticated and authorized for the requested resource. The user can block, delete, add or modify cookies, and any change to the session identifier simply makes it unknown to the server: the user is logged out and has to log in again.
Because cookies are stored in the user's browser they are more exposed to attack, in particular to cross-site scripting (XSS), where an attacker's script reads the cookie value and hijacks the user's session with the stolen token. The standard defences when issuing the session cookie are the HttpOnly flag, so that scripts cannot read it, the Secure flag, so that it is sent only over HTTPS, and a SameSite attribute to limit it being sent on cross-site requests. HttpOnly stops the token from being read out, though an XSS payload can still issue requests from inside the victim's session, so these flags are a mitigation, not a substitute for fixing the XSS.
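The following is an added example (not code from the original post) showing both halves of what the post describes: a server-side session store keyed by a random identifier, and the Set-Cookie / Cookie headers that carry that identifier to and from the browser, with the HttpOnly, Secure and SameSite attributes set. The cookie name, the idle timeout and the user names are assumptions chosen for illustration; the fixed clock in the demo is there only so the run is deterministic.

```python
"""Added example: server-side session store plus the cookie that transports its ID.
COOKIE_NAME, IDLE_TIMEOUT and the user names are constructed for illustration."""

import secrets
from http.cookies import SimpleCookie
from typing import Optional

COOKIE_NAME = "sessionid"    # assumed cookie name
IDLE_TIMEOUT = 15 * 60       # seconds of inactivity before re-login; assumed policy


class SessionStore:
    """Sessions live on the server; the client only ever holds the opaque identifier."""

    def __init__(self):
        self._sessions = {}  # sid -> {"user": str, "last_seen": float}

    def create(self, user: str, now: float) -> str:
        # 256 bits from the OS CSPRNG: the ID is unguessable, so it is the only secret.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": now}
        return sid

    def lookup(self, sid: str, now: float) -> Optional[str]:
        entry = self._sessions.get(sid)
        if entry is None:
            return None                  # unknown or tampered identifier
        if now - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]      # expired: force a re-login
            return None
        entry["last_seen"] = now
        return entry["user"]

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)    # logout


def set_cookie_header(sid: str) -> str:
    """Build the Set-Cookie value the login response should carry.

    HttpOnly keeps document.cookie (and so XSS payloads) from reading the ID,
    Secure restricts it to HTTPS, SameSite=Lax blocks most cross-site sends.
    """
    c = SimpleCookie()
    c[COOKIE_NAME] = sid
    c[COOKIE_NAME]["httponly"] = True
    c[COOKIE_NAME]["secure"] = True
    c[COOKIE_NAME]["samesite"] = "Lax"
    c[COOKIE_NAME]["path"] = "/"
    return c[COOKIE_NAME].OutputString()


def session_id_from_request(cookie_header: str) -> Optional[str]:
    """Extract the session ID from an incoming Cookie: header value, if present."""
    c = SimpleCookie()
    c.load(cookie_header)
    morsel = c.get(COOKIE_NAME)
    return morsel.value if morsel else None


def authenticate_request(store: SessionStore, cookie_header: str, now: float) -> Optional[str]:
    """Return the user behind a request, or None if the caller must log in again."""
    sid = session_id_from_request(cookie_header)
    if sid is None:
        return None
    return store.lookup(sid, now)


def demo():
    store = SessionStore()
    t0 = 1_700_000_000.0                  # fixed clock for a deterministic run
    sid = store.create("alice", t0)       # alice has just logged in
    header = set_cookie_header(sid)       # what the server sends back
    cookie = f"{COOKIE_NAME}={sid}"       # what the browser sends on later requests
    tampered = cookie[:-1] + ("A" if cookie[-1] != "A" else "B")  # one character changed
    return {
        "flags_present": all(f in header for f in ("HttpOnly", "Secure", "SameSite=Lax")),
        "valid": authenticate_request(store, cookie, t0 + 60),
        "tampered": authenticate_request(store, tampered, t0 + 60),   # logged out, as the post says
        "no_cookie": authenticate_request(store, "", t0 + 60),
        "expired": authenticate_request(store, cookie, t0 + IDLE_TIMEOUT + 61),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the identifier is a dictionary key and nothing else, so a modified or guessed value simply fails the lookup, and the server-side record is what gets expired or destroyed on logout, so a stolen cookie stops working the moment the session is ended on the server.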
Hope I have cleared your doubts; if not, please comment and I shall address them ASAP.