Cookies and sessions
Monday, October 13, 2014
sohamsengupta@yahoo.com, soham.sengupta.java@gmail.com
Title image: http://www.flickr.com/photos/torkildr/3462607995/
HTTP is “stateless” 
• By default, web servers are “forgetful” 
• As far as they can tell, every request comes from a 
totally new and different browser 
• (Not exactly true. We'll discuss persistent connections in 
the context of performance.) 
Pros of stateless servers 
• Chief benefit: Potential for replication 
• Improved performance: A sysadmin can fire up N copies 
of a website (on N machines) and any machine can serve 
each request. 
• Improved reliability: If a machine crashes, then another 
can be started up in its place, and no data gets lost in the 
process. 
Cons of stateless servers 
• Chief problem: Keeping track of which requests "go 
together" 
• Security challenge: If a user submits username & password 
in http request X, then tries to access resources in http 
request Y, how does the server know that request Y is from 
somebody who already logged in? 
• By the time that request Y comes in, the server will already 
have forgotten that request X ever occurred. 
• And on a replicated system, request Y might be served by a 
different machine than request X. 
Cookies to the rescue! 
• Reminder: 
• Cookie = a piece of data that is automatically copied 
between the client and server 
• Cookies can be set by the client (as in the last unit) or 
by the server. 
A simple way to use cookies for login…
• When user sends a valid username & password in request X, the server replies with a cookie containing the username & password
• When user subsequently makes request Y, the browser sends along the cookie.
• Sounds appealing: user only needs to log in once
• Serious security hole: the password now sits in plaintext in the browser's cookie store and rides along on every request, so anybody who gets his hands on the user's computer (or can read the traffic) gets the password itself, not just a login
Using just cookies for login

  Browser                        Server
  Type username & password  ---- Send username & password ---->  Authenticate
                            <--- Cookie = usernm&pwd ----------
  Click a link or whatever  ---- Request page (send cookie) --->
                            <--- Send back page --------------

Warning: This design contains a serious security hole.
A more secure way of cookies+login
• When user sends a valid username & password in request X, the server replies with a cookie containing a secret that the client couldn't possibly have guessed: a long random value drawn from a cryptographically secure random source, which the server also records on its own side.
• When user subsequently makes request Y, the browser sends along the cookie.
• Since the client couldn't have guessed this value without logging in, the server knows that the user did in fact previously log in.
• The cookie is now a bearer token: whoever presents it is treated as that user, which is why it must be unguessable and must expire.
Using cookies for login

  Browser                     Server                              Filesystem or Database
  Type username & password ---- Send username & password ---->  Authenticate
                                                                ---- Store a random number, ---->
                                                                     valid only for next 10 minutes
                           <--- Cookie = the random # --------
  Click a link or whatever ---- Request page (send cookie) -->  Check if the number is right;
                                                                if so, give another 10 minutes
                           <--- Send back page --------------
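The exchange in the two diagrams above, written out as code. This is an added example, not code from the original slides, and it is in Python rather than the PHP used later in the deck because the mechanism is language-neutral: a server-side store keyed by an unguessable random token, a 10-minute lifetime, renewal on every valid request, and rejection once the token has expired or was never issued. The in-memory dict stands in for the "filesystem or database" box, the `USERS` table is a constructed demo credential (a real system stores a password hash, never the plaintext), and the clock is injected so expiry can be exercised without waiting ten minutes.

```python
"""Server-side session store keyed by an unguessable random token (added example)."""
import hmac
import secrets
import time

SESSION_LIFETIME = 10 * 60  # seconds: the slides' "valid only for next 10 minutes"

# Constructed demo credential table (hypothetical). Plaintext is used only so the
# example stays short; a real table holds a salted password hash per user.
USERS = {"alice": "correct horse battery staple"}


class SessionStore:
    def __init__(self, lifetime=SESSION_LIFETIME, clock=time.time):
        self.lifetime = lifetime
        self.clock = clock           # injectable so tests can move time forward
        self._sessions = {}          # token -> {"uid": ..., "expires": ...}

    def login(self, username, password):
        """Request X: check the credentials and hand back a fresh token, or None."""
        expected = USERS.get(username)
        # compare_digest runs in constant time, so a wrong guess does not leak
        # how many leading bytes matched
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        # 32 bytes from the OS CSPRNG: the "number the client could not have guessed"
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"uid": username, "expires": self.clock() + self.lifetime}
        return token

    def lookup(self, token):
        """Request Y: return the user behind a valid token and renew it, else None."""
        entry = self._sessions.get(token)
        if entry is None:
            return None                       # never issued, or already removed
        now = self.clock()
        if now >= entry["expires"]:
            del self._sessions[token]         # expired: same answer as an unknown token
            return None
        entry["expires"] = now + self.lifetime  # "if so, give another 10 minutes"
        return entry["uid"]

    def logout(self, token):
        """Forget the token server-side; the browser's copy is now worthless."""
        self._sessions.pop(token, None)


def set_cookie_header(token):
    """Set-Cookie line carrying only the token. HttpOnly keeps page scripts from
    reading it, Secure keeps it off plaintext HTTP, SameSite limits cross-site sends."""
    return f"Set-Cookie: sid={token}; HttpOnly; Secure; SameSite=Lax; Path=/"


def demo():
    """Walk the diagram with a controllable clock; returns True when every step behaves."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    assert store.login("alice", "wrong password") is None
    tok = store.login("alice", "correct horse battery staple")
    assert store.lookup(tok) == "alice"                     # request Y, well within 10 min
    now[0] += 9 * 60
    assert store.lookup(tok) == "alice"                     # still valid, and renewed
    now[0] += 9 * 60
    assert store.lookup(tok) == "alice"                     # renewal kept it alive
    now[0] += 11 * 60
    assert store.lookup(tok) is None                        # idle for over 10 min: gone
    assert store.lookup(secrets.token_urlsafe(32)) is None  # a guessed token gets nothing
    return True


if __name__ == "__main__":
    print("session demo ok" if demo() else "session demo failed")
```

Two things the diagram leaves implicit show up in the code: an expired token is removed and answered exactly like a token that was never issued, so a probing client learns nothing from the difference, and the lifetime is measured from the last valid request, not from login.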
Session = state stored across 
requests 
• This is what we call a "session" 
• Session is basically an add-on to the basic http 
functionality of a website 
• So that the website can remember information across 
requests. 
• You can store lots of stuff in session 
• Numbers, strings, stringified objects, … 
Pros of sessions
• Stores information between requests
• Much more secure than the simple cookie-based approach I showed you: the cookie carries only a random number, never the password
• A bad person would still need to steal the random number (cookie) and use it before it expires; since the server gives another 10 minutes on every valid request, the window closes 10 minutes after the user's last request, not 10 minutes after login
Cons of sessions 
• Requires your web server to have write-access to 
some sort of storage medium 
• File system, database, …, if you want replication 
• Otherwise just use memory (lost on server crash) 
• Requires user to access site every few minutes 
• Though you can configure longer or shorter times 
• This is a tradeoff between usability & security. 
• EECS servers currently are set to 24 minutes. 
Simple example of using session

<?php
session_start();
if (isset($_SESSION['numhits']))
    $_SESSION['numhits'] = $_SESSION['numhits'] + 1;
else
    $_SESSION['numhits'] = 1;
echo "You hit my server " . $_SESSION['numhits'] . " times.";
?>
Authentication
(Using hardcoded username&pwd for now)

login.php:

<?php
session_start();
/* The form posts, so read $_POST rather than $_REQUEST: $_REQUEST would also
   accept credentials from the query string, where they end up in server logs
   and browser history. */
if (isset($_POST['username']) && isset($_POST['password'])) {
    /* here is where we would check the username and password */
    /* Issue a new session id on login, so an id an attacker planted in the
       browser beforehand never becomes an authenticated session
       (session fixation). */
    session_regenerate_id(true);
    $_SESSION['uid'] = 1;
    echo '<a href="inventory.php">View Inventory</a>';
} else {
?>
<form action="login.php" method="POST">
<div>Username: <input type="text" name="username"></div>
<div>Password: <input type="password" name="password"></div>
<div><input type="submit" value="OK"></div>
</form>
<?php
}
?>

inventory.php:

<?php
session_start();
if (isset($_SESSION['uid']))
    echo "This is where we would show inventory.";
else
    echo "You need to <a href='login.php'>Log in</a>";
?>
You can set cookies without session

<?php
/* The counter lives in the browser, so the value that comes back is whatever
   the client chose to send: cast it, and never trust it for anything that
   matters. (Without the cast, a non-numeric cookie value makes "+ 1" throw a
   TypeError on PHP 8.) */
$nhits = isset($_COOKIE['numhits']) ? (int) $_COOKIE['numhits'] : 0;
$nhits = $nhits + 1;
setcookie('numhits', $nhits, time() + 86400 * 365); /* expires in 365 days */
echo "You hit my server " . $nhits . " times.";
?>
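The hit counter above trusts whatever number the browser sends back, so the user can set it to any value. The added example below (not code from the slides; Python, matching the other added example on this page) attaches an HMAC-SHA256 tag under a server-only key to the cookie value, so the server can tell an edited cookie from one it issued. This gives integrity only: the value itself stays readable, which is the difference between this and the encrypted cookies mentioned at the end of the deck. `SERVER_KEY` is a constructed demo value; a real key is generated randomly and kept out of source code.

```python
"""Tamper-evident cookie values via HMAC-SHA256 (added example)."""
import base64
import hashlib
import hmac

# Constructed demo key. In production: 32 random bytes from a secret store.
SERVER_KEY = b"demo-only-key-replace-with-32-random-bytes"


def sign_value(value: str, key: bytes = SERVER_KEY) -> str:
    """Return 'value.tag' where tag = HMAC-SHA256(key, value), URL-safe base64."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    tag = base64.urlsafe_b64encode(mac).decode().rstrip("=")
    return f"{value}.{tag}"


def verify_value(cookie: str, key: bytes = SERVER_KEY):
    """Return the bare value if the tag checks out under this key, else None."""
    value, sep, _tag = cookie.rpartition(".")   # the tag never contains '.'
    if not sep:
        return None                             # no tag at all
    expected = sign_value(value, key)
    # constant-time compare: a plain == would leak how many bytes matched
    if not hmac.compare_digest(expected, cookie):
        return None
    return value


def next_hit_count(cookie):
    """The slide-15 counter, but only honouring a cookie that carries a valid tag.
    Returns (count_to_display, cookie_value_to_set)."""
    current = 0
    if cookie is not None:
        value = verify_value(cookie)
        if value is not None and value.isdigit():
            current = int(value)
    current += 1
    return current, sign_value(str(current))


if __name__ == "__main__":
    count, cookie = next_hit_count(None)        # first visit
    count, cookie = next_hit_count(cookie)      # second visit, genuine cookie
    forged = "999." + cookie.split(".", 1)[1]   # user edits the number, keeps the tag
    print(count, next_hit_count(forged)[0])     # 2, then 1: the forgery is ignored
```

A rejected cookie is treated exactly like a missing one, so a tampering user simply loses their count rather than learning which byte of the tag was wrong. Rotating `SERVER_KEY` invalidates every outstanding cookie at once, which is also the quickest way to revoke them all.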
Summarizing cookies vs sessions
• Cookies
• Little bits of data that are stored on client but also copied automatically to the server
• Useful for storing little bits of data on the client, but they are visible to (and editable by) the user, and to anyone who can read the browser's cookie store or the traffic
• So don't store sensitive data in cookies, and don't trust a cookie's value without checking it
• Sessions
• Data is stored on the server (e.g., filesystem), keyed by a random number
• The random number is sent as a cookie to the browser
• And the random number expires after a little while
When to use cookies vs sessions 
• Use cookies when 
• You need to save a small amount of data between requests, 
and it doesn't need to be kept secret 
• Use sessions when 
• You need to save a larger amount of data between requests, 
or when the data needs to be secret 
Examples of information not to 
store in unencrypted cookies 
• Passwords 
• Credit card numbers 
• Social security numbers 
• Student ID numbers 
• Birthdates 
• List of diseases the user has contracted 
• Anything that must be kept secret 
Yet another caveat
• After all of those warnings, you still can save secret data in cookies, IF IT IS ENCRYPTED (and integrity-protected, so the server can also tell when the cookie has been modified)
• You will see how to do this later in the term
• But we don't really use encrypted cookies much because it can cause usability problems.