 

How exactly does the combination of sessions and cookies identify the correct user when a request is sent to the server?

Hi, I know that sessions are on the server side. When a user logs into a site we create a session and store user data in that session, and that session ID is a unique one. If multiple users log in to the same server, sessions with unique session IDs are created.

A cookie is a small file that the server embeds on the user's computer. Each time the same computer requests a page with a browser.

In the browser cookies I have seen variables called SID and SSID. Are those referring to the server's session ID?

or

From what parameters of the cookie does the session identify that this is the correct user?

When I send a request to the server,

are those IDs in the cookie matched with the server session ID?

My question is: how does the server know this is the correct user?

I have the idea of sessions and cookies, but their combination is not clear.

Actually I have searched this for a very long time, and I asked my friends and they also seem not to have a clear picture of this.

Please explain the scenario, thanks in advance.

Kanishka Panamaldeniya asked Feb 13 '23 16:02


1 Answer

That's the point: the server can't know this.

More in detail:

The server generates a unique ID, then this ID is sent to the client and the client stores this ID in his cookies. For every request the client sends his ID, so the server knows which session it has to take for this user. But the problem is, if someone else knows the ID because he's listening to the network traffic, he can use the session ID and the server thinks it's the same client as before and will take the same session as before. This is called session hijacking.

To prevent this, you have to store the IP address for each session key and check if they match, but even then it's not 100% sure, because if the client is in a NAT-secured network and the attacker is in the same network too, they'll have the same IP address towards the server and the server can't distinguish the attacker from the client.

Follow this tutorial to make your sessions safer.

ReeCube answered Feb 17 '23 06:02
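The mechanism the answer describes, as an added example that is not part of the original question or answer: a minimal server-side session store that issues a random session ID, sends it in a `Set-Cookie` header, reads it back from the `Cookie` request header, and binds each session to the client IP it was created from. The cookie name `SID`, the user names and the IP addresses (TEST-NET ranges) are constructed for the example; the `scenario()` function walks through the cases the answer mentions, including the NAT caveat where binding to the IP cannot tell the attacker and the real client apart.

```python
import secrets
from http.cookies import SimpleCookie

# Cookie name is an assumption; the question only reports seeing SID/SSID in a browser.
SESSION_COOKIE = "SID"


class SessionStore:
    """Server-side session store: maps a random session ID to user data.
    Optionally binds each session to the client IP it was created from,
    which is the mitigation the answer describes."""

    def __init__(self, bind_ip=True):
        self.sessions = {}
        self.bind_ip = bind_ip

    def create(self, user, client_ip):
        # 32 random bytes from the OS CSPRNG: the ID must be unguessable,
        # because whoever presents it is treated as this user.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "ip": client_ip}
        return sid

    def resolve(self, sid, client_ip):
        """Return the user for this request, or None if the ID is missing,
        unknown, or (when IP binding is on) presented from another IP."""
        session = self.sessions.get(sid)
        if session is None:
            return None
        if self.bind_ip and session["ip"] != client_ip:
            return None
        return session["user"]

    def destroy(self, sid):
        """Logout: drop the server-side record so the cookie value becomes useless."""
        self.sessions.pop(sid, None)


def set_cookie_header(sid):
    """Build the Set-Cookie header value sent after login. HttpOnly keeps page
    scripts away from the ID, Secure restricts it to HTTPS so it is not readable
    on the wire, SameSite limits cross-site sending."""
    c = SimpleCookie()
    c[SESSION_COOKIE] = sid
    c[SESSION_COOKIE]["httponly"] = True
    c[SESSION_COOKIE]["secure"] = True
    c[SESSION_COOKIE]["samesite"] = "Strict"
    c[SESSION_COOKIE]["path"] = "/"
    return c.output(header="").strip()


def session_id_from_request(cookie_header):
    """Parse the Cookie: request header and return the session ID, if present."""
    c = SimpleCookie()
    c.load(cookie_header or "")
    morsel = c.get(SESSION_COOKIE)
    return morsel.value if morsel else None


def scenario():
    """Walk through the cases in the answer with constructed users and IPs.
    Returns a dict of which user the server resolved each request to."""
    store = SessionStore(bind_ip=True)
    results = {}

    # 1. alice logs in from 203.0.113.10 (constructed); server issues the ID.
    sid = store.create("alice", "203.0.113.10")
    header = set_cookie_header(sid)
    results["set_cookie_has_httponly"] = "HttpOnly" in header

    # 2. Her browser sends the cookie back; the server finds her session.
    req_sid = session_id_from_request(f"{SESSION_COOKIE}={sid}")
    results["alice_same_ip"] = store.resolve(req_sid, "203.0.113.10")  # "alice"

    # 3. Someone who captured the ID replays it from another IP: rejected.
    results["replay_other_ip"] = store.resolve(req_sid, "198.51.100.7")  # None

    # 4. Behind the same NAT the second party shares alice's public IP, so the
    #    binding cannot distinguish them (the answer's caveat).
    results["replay_same_nat_ip"] = store.resolve(req_sid, "203.0.113.10")  # "alice"

    # 5. An ID the server never issued resolves to nobody.
    results["unknown_id"] = store.resolve("not-a-real-id", "203.0.113.10")  # None

    # 6. After logout the real cookie value no longer maps to anyone.
    store.destroy(sid)
    results["after_logout"] = store.resolve(req_sid, "203.0.113.10")  # None
    return results


if __name__ == "__main__":
    for case, who in scenario().items():
        print(f"{case}: {who}")
```

The point the dictionary makes visible: the server never verifies "who" is behind a request, it only looks up the opaque ID it handed out earlier, so everything rests on that ID being unguessable, transmitted only over TLS (`Secure`), unreachable by scripts (`HttpOnly`) and invalidated on logout. IP binding narrows replay but, as case 4 shows, not from inside the same NAT.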