· 6 years ago · Feb 18, 2020, 09:56 AM
notes

Session management:

Example: when you add an item to the cart, the connection is always kept stateful.

A web session is a sequence of network HTTP request and response transactions associated with some user.

A session is a semi-permanent interactive interchange: it can be set up at some point in time and dropped or torn down at some later point in time (the session is stored on the server).

A session is typically, though not always, stateful, meaning that at least one of the two parties needs to save information about the session history in order to communicate.

A website may start a session when a user visits the site for the first time; from that point onwards, everything the user does is done within the context of the established session.

At some point the user may decide to authenticate for extra functionality; once finished he will log out, finally choosing to terminate the session altogether.

Where is the session ID stored, and how is it saved?

Cookie jar, local storage or memory.

The HTTP protocol is stateless, so to handle sessions we need to smuggle some state into the protocol. Usually it is added as a header or cookie, and the session may have some data associated with it which needs to be stored by one of the parties.

There are two types of session ID tokens:

1. opaque (holds nothing in itself)
2. self-describing

The token given to the user may be opaque or self-describing. An opaque token in itself holds no information; it is only used as a key to fetch the essential data server-side.

_________________________
type: opaque
sample:
data:
_________________________
type: self-describing
sample:
data: exp:120 | user id 3
_________________________

On the other hand, the self-describing session ID is just what its name suggests: it carries the data itself.

An opaque token is a random token with enough entropy to avoid brute-force attacks, while a self-describing token is base64 encoded and signed to protect its integrity. Building on the idea of the self-describing token we can construct a so-called stateless session.
HTTP cookie

An HTTP cookie is a small piece of data that the server sends to the browser; the browser may store it and send it back to the same server in the next request. Typically it is used to tell whether two requests came from the same browser.

Preferences: cookies remember stateful information for the stateless HTTP protocol. Cookies are used for three purposes: session management, personalisation and tracking.

1. Session management: login, shopping carts, game scores, or anything else the server should remember.

2. Personalisation: user preferences, themes.

3. Tracking: recording and analyzing user behaviour (Cambridge Analytica).

Creating cookies:

document.cookie = "username=alice"; // example value

When receiving an HTTP request, the server can send a Set-Cookie header with the response. The cookie is usually stored by the browser, and then the cookie is sent with later requests inside the Cookie HTTP header. An expiration date or duration can be specified, after which the cookie is no longer sent.

Additionally, a restriction to a specific domain and path can be set, controlling where the cookie is sent.

The Set-Cookie HTTP response header sends cookies from the server to the user agent:

Set-Cookie: tasty_cookie=strawberry

Cookie prefix:

HTTP/2.0 200 OK
Content-Type: text/html
Set-Cookie: yum=hello;
Set-Cookie: hello=yum;

Session cookie:

GET /sample_page.html HTTP/2.0
Host: www.example.org
Cookie: yummy_cookie=choco; tasty_cookie=strawberry;

The cookie created above is a session cookie: it is deleted when the client shuts down because it did not specify an Expires or Max-Age directive. However, web browsers may use session restoring, which makes most session cookies permanent, as if the browser was never closed.

Permanent cookies: instead of expiring when the client closes, permanent cookies expire at a specific date or after a specific length of time.

Set-Cookie: id=a3wal; Expires=Wed, 21 Oct 2015

Secure and HttpOnly cookies:

A Secure cookie is only sent to the server within an encrypted request over the HTTPS protocol. Even with the Secure directive, sensitive information should never be stored in cookies, as they are inherently insecure and cannot provide any real protection.

To help mitigate XSS attacks, HttpOnly cookies are inaccessible to the JavaScript document.cookie API;

they are only sent to the server.

For example, cookies that persist server-side sessions do not need to be available to JavaScript, and the HttpOnly flag should be set.

Scope of cookies:

The Domain and Path directives define the scope of a cookie: which URLs the cookie should be sent to.

Domain specifies the allowed hosts to receive the cookie. If unspecified, it defaults to the host of the current document location, excluding subdomains. If the domain is specified, then subdomains are always included.

Attack: allow ACO // on this

Example: if Domain=mozilla.org is set, then cookies are sent to mozilla.org and its subdomains.

Path: indicates a URL path that must exist in the requested URL in order to send the Cookie header.

For example, the %x2F (/) character is considered a directory separator, and subdirectories will match as well:

/docs
/docs/web
/docs/web/http

SameSite cookies: lets servers require that a cookie should not be sent with cross-site requests, which provides some protection against CSRF attacks.

The SameSite attribute can have 3 values: None, Lax, Strict.

None: the browser will send the cookie with both cross-site and same-site requests.
Strict: the browser will only send cookies for same-site requests (requests originating from the site that set the cookie). If the request originated from a different URL than the URL of the current location, none of the cookies with the Strict attribute will be included.

Lax: same-site cookies are withheld on cross-site sub-requests,

for example calls to load images or frames, but will be sent when a user navigates to the URL from an external site by following a link.

Browsers are migrating to SameSite=Lax as the default for cookies.

If the cookie needs to be sent cross-origin, opt out of the SameSite restriction using the None directive; None must be used along with the Secure attribute.

Cookie prefixes: the design of the cookie mechanism is such that a server is unable to confirm whether a cookie was set on a secure origin, or even to tell where a cookie was originally set.

Two prefixes:

__Host-

__Secure-

__Host-: if a cookie name has this prefix, it will only be accepted in a Set-Cookie directive if it is marked Secure, was sent from a secure origin, does not include a Domain attribute, and has the Path attribute set to /. In this way these cookies can be seen as domain-locked.

__Secure-: a cookie with this prefix is only accepted if it is marked Secure and originated from a secure origin.
(Session vs cookie)

Session: can store any type of data because the value is of the object data type.

Sessions are stored on the server. They are secure, as they are stored in binary/encrypted form and decrypted at the server. A session is independent and individual for every client. There is no limitation on the size or the number of sessions to be used in an application; we cannot disable sessions, and sessions can be used without cookies. The disadvantage of sessions is that they are a burden or overhead on the server.

Sessions are called non-persistent cookies because their lifetime can be set manually.

Cookies: can only store string data types; they are stored on the client side. Cookies are not secure since they are stored in text format on the client side. A cookie may or may not be individual to a client.

The size of a cookie is limited to 40 and the number of cookies is restricted to 20.

Cookies can be disabled. Since the value is in string format there is no security. We have persistent and non-persistent cookies.

Authentication is confirming your own identity.

Authorization is being allowed access to the system.

Types:

1. HTTP basic authentication
2. Form-based authentication
3. HTTP digest access authentication
4. Bearer authentication
5. HTTP origin-bound authentication