
Sessions and Cookies

A more in-depth explanation of sessions and cookies in web browsing.

HTTP is stateless. This means that each HTTP request to the server is 'new': the server does not know whether it is servicing a particular client's first request or its tenth. Web programming tools on the server offer ways of keeping track of 'session' related information. Sometimes a user's session is defined as the time during which the user shows activity (through mouse clicks or keyboard entry) on a particular domain or web site. A user may visit an online mall at www.mymall.com and spend some time looking at its catalogues; this user's session may be active as long as he has at least one browser window open. Alternatively, a web based e-mail user's session may be active from the time she logs into her e-mail until the time she logs out. The definition of a session is fixed arbitrarily by each domain. If the site makes filling out forms or logging in mandatory, every user who is logged in or whose form is being processed is assigned a unique session ID on the server. The session remains active as long as the person is logged in or is still transacting.

When logging in or filling in forms is not mandatory, cookies are used to keep track of sessions. On a client's first request, the server generates an identifier for that client and returns it in a Set-Cookie response header; the browser stores this small name-value pair and sends it back in a Cookie request header with every later request to the same domain. This little packet that the server leaves on the client is called a cookie. Every time an HTTP request is received, the server checks whether the request carries the cookie it set (that is, a cookie with the name the server chose). Based on its presence and value, the server keeps track of user and session information. Because the cookie's value is all the server has to tell one client from another, the session ID must be a long random value that cannot be guessed: anyone who obtains it, by guessing it or by reading it off an unencrypted connection, is treated as that user. There are two types of cookies. What we just talked about is a session cookie. A session cookie carries no expiry date; the browser keeps it in memory rather than on disk and discards it when the user closes all his browser windows, so it is deleted at the end of every session.

A persistent cookie is saved to the user's hard drive and remains there until its expiry date (which the cookie itself contains) or until the user deletes it. Persistent cookies may store information such as the user's customization of the site or search preferences, and some sites have used them to store an encrypted password for automatic login. Once again, the server checks for the cookie and sets up the user's page according to her customization, or logs her in automatically if it finds the cookie it issued for that purpose. Storing a password in a cookie, even in encrypted form, is poor practice: whoever copies the cookie can present it and be logged in, and the cookie cannot be revoked without changing the password. The usual design is for the cookie to hold only a random token that the server maps to the user, which the server can invalidate at any time. A cookie is sent back only to the domain (and, optionally, the path) that created it. That is, if www.somesite.com wrote a cookie to your computer, only requests to that site carry it; the user of the computer, however, can always read it. Cookies are simply small pieces of text, limited to about 4 KB each. This size is equivalent to a few thousand characters, so cookies may store a fair amount of information. Some sites use them to store data about the user such as name, age, and gender so that parts of the user's forms may be auto-filled. This represents a security risk if the computer is used by more than one person, since whatever is in the cookie is available to anyone using that browser.

For example, Google stores the search preferences of users in a cookie on the user's machine. Try going to google.com and performing a couple of searches. Next, search for files whose name contains the word 'cookie' on the drive where your 'Documents and Settings' folder is located (this is how Internet Explorer on older versions of Windows stored cookies, one text file per site; current browsers keep them in a database inside the browser profile instead). You will find a folder named 'Cookies' that contains Google's cookie. The cookie folder and the cookie itself will look like the following. Note that the cookie content is opaque: it is not meant to be read by people and only makes sense to Google's servers, but opaque is not the same as encrypted.

ScreenShot 2e: Cookies on a hard drive
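The mechanism described in the last two sections, as an added example that is not part of the original chapter: a small Python model of a server that issues a session cookie on a client's first request, recognizes it on later requests, and hands out a persistent 'remember me' cookie that carries a random token instead of a password. The cookie names, the SessionStore class and the sample request headers are assumptions made for the demonstration, and the HTTP headers are handled as plain strings so that it runs without a web server.

```python
"""Session tracking with cookies, modelled on the server side.

Added example, not code from the original chapter.  Headers are plain
strings instead of a running server; the cookie names, SessionStore and
the sample headers in __main__ are assumptions for the demonstration.
Standard library only.
"""
import secrets
import time
from email.utils import formatdate

SESSION_COOKIE = "SESSIONID"   # hypothetical cookie names
REMEMBER_COOKIE = "REMEMBER"
MAX_COOKIE_BYTES = 4096        # the 4 KB per-cookie limit the text mentions


def parse_cookie_header(header):
    """Turn the value of a request's Cookie: header into a dict.

    'a=1; b=2' -> {'a': '1', 'b': '2'}.  Entries without '=' are skipped.
    """
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def build_set_cookie(name, value, max_age=None):
    """Build the value of a Set-Cookie: response header.

    With max_age=None the browser keeps the cookie in memory until it is
    closed (a session cookie).  With max_age set, the browser writes it
    to disk and keeps it until that many seconds have passed (a
    persistent cookie; Expires is added for old browsers that ignore
    Max-Age).  HttpOnly keeps page scripts from reading the cookie,
    Secure restricts it to HTTPS, and SameSite=Lax stops it being sent
    with most cross-site requests.
    """
    parts = [f"{name}={value}", "Path=/", "HttpOnly", "Secure", "SameSite=Lax"]
    if max_age is not None:
        parts.append(f"Max-Age={max_age}")
        parts.append("Expires=" + formatdate(time.time() + max_age, usegmt=True))
    header = "; ".join(parts)
    if len(header.encode()) > MAX_COOKIE_BYTES:
        raise ValueError("cookie larger than the 4 KB limit browsers enforce")
    return header


class SessionStore:
    """In-memory session table (a real server would use a database or cache)."""

    def __init__(self):
        self.sessions = {}    # session id -> dict of server-side state
        self.remembered = {}  # remember-me token -> user name

    def create(self, data):
        # 32 random bytes from the OS CSPRNG: unguessable, and it carries
        # no user data, so the cookie reveals nothing if copied.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = dict(data)
        return sid


def handle_request(store, cookie_header):
    """Process one request; return (session id, session data, Set-Cookie or None).

    This is the check the text describes: the server looks for the cookie
    it set earlier, resumes that session if the id is one it issued, and
    otherwise starts a new session and tells the browser to store its id.
    """
    sid = parse_cookie_header(cookie_header).get(SESSION_COOKIE)
    session = store.sessions.get(sid) if sid else None
    if session is not None:
        session["requests"] += 1
        return sid, session, None
    # Missing, expired or forged id: never adopt a client-supplied id,
    # always mint a fresh one on the server.
    sid = store.create({"requests": 1})
    return sid, store.sessions[sid], build_set_cookie(SESSION_COOKIE, sid)


def issue_remember_me(store, user, days=30):
    """Persistent 'remember me' cookie for automatic login.

    Instead of the encrypted password the chapter mentions, the cookie
    holds only a random token; the token-to-user mapping stays on the
    server, so a copied cookie can be revoked and contains no password.
    """
    token = secrets.token_urlsafe(32)
    store.remembered[token] = user
    return build_set_cookie(REMEMBER_COOKIE, token, max_age=days * 86400)


def user_from_remember_me(store, cookie_header):
    """Return the user a valid remember-me cookie belongs to, else None."""
    token = parse_cookie_header(cookie_header).get(REMEMBER_COOKIE)
    return store.remembered.get(token) if token else None


if __name__ == "__main__":
    store = SessionStore()
    # Constructed headers standing in for two requests from one browser.
    sid, _, set_cookie = handle_request(store, "")            # first visit
    print("Set-Cookie:", set_cookie)
    _, data, again = handle_request(store, f"{SESSION_COOKIE}={sid}")
    print("requests seen in this session:", data["requests"], "| Set-Cookie:", again)
```

Running the file shows the first request getting a Set-Cookie header with no Max-Age (a session cookie) and the second request, which sends that cookie back, being recognized without a new Set-Cookie. A request that presents an id the server never issued is given a fresh one rather than having its forged id adopted.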

This chapter lays the foundation for programming for the World Wide Web by describing fundamental concepts. Web developers deal with HTTP user sessions and the data they get from these sessions extensively; almost all WWW programming involves the use of HTTP, CGI, session, and cookie concepts in some form or other. However, before learning to use these concepts, we should know how to write content for web pages, how to design forms, and how to get the user to enter valid information into the form. We will address these issues in the next few chapters.