Do websites like Facebook store logged in users in cookies or sessions?

Question

Do websites like Facebook store logged in users in cookies (client side) or sessions (server side)? My tests indicate that they do the first.

Answer 1

They use server-side sessions in conjunction with a cookie.

The cookie holds an ID, this ID is sent to FaceBook and the server checks the details for the session with that ID.

Answer 2

Generally, sensitive information like which user is currently logged in must be stored on server side - remember, cookies can be freely read and altered by the user.

What you are probably seeing is the session cookie that ties a specific client to a specific session on the server - that is so the server knows which session to use for you. In this case, the only thing the cookie contains is a long, random session ID - it's long and random so it can't be easily guessed by an attacker.

The act of stealing another user's session cookie is called session hijacking.

Additional info:

• Cookie VS Session
• Session chapter in the PHP manual

Answer 3

I think the idea behind $_sessions is it's much faster and efficient for the server to process its own information, rather than receive bulk information from the client.

Look at it this way:

You (the server) and a friend (the client) are gossiping about your other friend Cindy, does you friend give you every detail of information about her (hair color, height, etc...)? No, that would be a waste of time. It's much faster for you to process the information you already know about Cindy (on the $_session file, server-side) and only receive unique information ($_cookies) from your friend (the client).

Efficient: "Hey, did you hear what Cindy did last night?"

NOT efficient: "Hey did you hear what Cindy with brown hair, blue eye, medium build, etc... did last night?"

Obviously, this doesn't fully summarize $_sessions and $_cookies, but maybe it will help someone understand efficient short-term data management.