What Are Website Cookies?
A cookie is a name plus a (short) value, such as "mysite = 3927y394AIcy" or "google = dbkfvhdbfkvhsudbcksjuc". Cookies are often used as index keys for data stored in a website database, such as the details of the account you are logged in as. The name is usually fixed for a particular website and purpose, and the value is often a very large random string (as much as 60 letters), which makes it very unlikely that anyone could guess a valid one. The site looks the value up in an index table to get at the useful data. To be clear then, the cookie value not only looks meaningless, it is meaningless. Only the webserver that sent it knows how to interpret it, and then only because it took note of the value before sending it.
Cookies normally (but not always) provide the bridge between requests, initially as a 'session key' or 'session cookie'. The web software issues a new session key in response to any HTTP request for a page that doesn't present a previously provided session key. The server expects the client to include the same session cookie with the next page request, so that it can link the otherwise-stateless HTTP requests together. If the client doesn't do that, the server will end up generating lots of new sessions, which are essentially useless but will self-expire on the server after a while.
When the client does reflect the session cookie back to the server, it becomes possible to do stateful things such as having a user log in to a site and see a tailored view of it.
Depending on the software used, the server might set other cookies to indicate logged-in state, and there can be yet others for various advertising platforms, non-account-based preferences, and things like performance monitoring software. On a Joomla site, a session cookie looks like this:
set-cookie: ab0a2f2ad66779676e76a66cd676ffde=cd3ec6e8ab30b09f9f69a6617a265188; path=/; secure; HttpOnly
[Note the '=' in the middle - the cookie name is itself a long random string in this case.]
So, to bring it together:
Most web server software groups HTTP requests, even for anonymous browsing, using session cookies, with the cooperation of the client browser software. For anonymous users (i.e. no login has happened) this enables the site to group browsing behaviour by origin, thus making it possible to say there are N "guests" even though little info is available as to who the guests are.
Once a session has logged in, the server's session key database is changed and so the same session cookie enables the software to associate the session with a user account. It is this that grants the benefits of being logged in with a particular role on the site.
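The session lifecycle described above, as an added Python sketch (not code from this page or from Joomla): the cookie value is an opaque random key into a server-side table, a request without a known key gets a fresh session, idle sessions expire, and login changes only the server's record. The cookie name, lifetime and class are assumptions made for the example.

```python
import secrets
import time
from http.cookies import SimpleCookie

COOKIE_NAME = "examplesite"   # assumed fixed cookie name
SESSION_TTL = 1800            # assumed idle lifetime, in seconds

class SessionStore:
    """Server-side index table: opaque cookie value -> session record."""

    def __init__(self):
        self._table = {}

    def _new_session(self, now):
        sid = secrets.token_hex(16)  # 32 hex characters from the OS CSPRNG
        self._table[sid] = {"user": None, "last_seen": now}
        return sid

    def handle_request(self, cookie_header, now=None):
        """Return (sid, record, set_cookie). set_cookie is None when the
        client presented a session key the server still knows."""
        now = time.time() if now is None else now
        # Self-expiry: drop sessions that were not reflected back in time.
        for old in [s for s, r in self._table.items()
                    if now - r["last_seen"] > SESSION_TTL]:
            del self._table[old]
        jar = SimpleCookie()
        jar.load(cookie_header or "")
        sid = jar[COOKIE_NAME].value if COOKIE_NAME in jar else None
        if sid in self._table:
            self._table[sid]["last_seen"] = now
            return sid, self._table[sid], None
        # Missing, expired or guessed value: it indexes nothing, so start anew.
        sid = self._new_session(now)
        header = f"{COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly"
        return sid, self._table[sid], header

    def login(self, sid, username):
        # Only the server-side record changes; the cookie value stays the same.
        self._table[sid]["user"] = username

    def guest_count(self):
        return sum(1 for r in self._table.values() if r["user"] is None)
```

Many frameworks also replace the session key with a fresh one at login; this sketch keeps the same key, as the text describes.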