When you log into your bank account using a browser, have you ever wondered how the bank's website remembers you between web requests? The website asks you to log in only once; after a successful login, it remembers you and doesn't ask you to log in again on the next request. How does this happen? What mechanism do websites use to remember user sessions?
The answer is HTTP cookies: using cookies stored in the client browser, a website maintains a session with the logged-in user. In this post, let's try to understand how cookies help maintain sessions with websites.
What are HTTP cookies?
At a high level, cookies are name-value pairs stored in the browser. Cookies are created specific to a domain.
When you first request a website URL, the website usually sends cookies in its response. With subsequent requests to that website, the browser sends back the cookies created for that domain.
Let's consider an example. Today I browsed the msdn.com website for the first time in the Chrome browser, then refreshed it and captured the HTTP requests and responses.
- As you can see in the Request Headers, the browser sends the cookies created for the site along with the web request.
- And in the response, the website sets the cookies on the browser again. You can see the Set-Cookie headers in the Response Headers.
For steps to view the cookies being exchanged in an HTTP request and response, refer to another blog post.
How do HTTP cookies help maintain a session with a website?
- When you log in to a site, the website creates cookies and sends them back in the response.
- The browser stores those cookies under the domain of the login website.
- With any further request to that website, the browser sends the cookies along. The website validates the incoming cookies in the request to determine who the user is, and thereby identifies the user's session.
What are different properties on cookies?
HTTP cookies have the following important properties:
- Cookie name: identifies the cookie.
- Cookie value: the data stored under that name.
- Cookie expiry time: this date-time property tells the browser how long the cookie is valid. Once the expiry time is reached, the browser drops the cookie, so after expiry the cookie is no longer sent to the web server. Depending on whether an expiry time is set or not, cookies fall into two categories: persistent cookies and non-persistent cookies. For more information, refer to Persistent Cookies v/s Non Persistent Cookies.
- Cookie domain: tells the browser the domain for which the cookie was created, so that the browser knows which cookies to send when it makes a web request to a domain's website. This means that cookies created for the google.com domain will not be sent with web requests to the facebook.com domain.
- HttpOnly: if HttpOnly is set on a cookie, that cookie cannot be accessed through client-side (in-browser) script.
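The login-then-validate flow described above and the cookie properties just listed, as an added example that is not part of the original post: a server issues a Set-Cookie header with Domain, Expires and HttpOnly (plus Secure, which the post does not mention), parses the Cookie header on later requests, and looks the session id up server-side. The cookie name SESSIONID, the domain example.com and the in-memory store are assumptions; the domain_matches helper shows the google.com-versus-facebook.com rule from the domain property.

```python
from __future__ import annotations
import secrets
from datetime import datetime, timedelta

# Constructed in-memory session store: session id -> (username, expiry). Cookie name and domain are assumptions.
SESSIONS: dict[str, tuple[str, datetime]] = {}
SESSION_COOKIE = "SESSIONID"
SITE_DOMAIN = "example.com"

def build_set_cookie(name: str, value: str, domain: str, expires: datetime) -> str:
    """Build a Set-Cookie header value carrying the properties listed above, plus Secure."""
    return "; ".join([f"{name}={value}", f"Domain={domain}", "Path=/",
                      "Expires=" + expires.strftime("%a, %d %b %Y %H:%M:%S GMT"),
                      "HttpOnly",  # not readable by page scripts
                      "Secure"])   # only sent over HTTPS

def login(username: str, now: datetime, ttl: timedelta = timedelta(hours=1)) -> str:
    """After a successful login: create a server-side session and return the Set-Cookie value."""
    session_id = secrets.token_urlsafe(32)  # random, unguessable id; never the username itself
    expires = now + ttl
    SESSIONS[session_id] = (username, expires)
    return build_set_cookie(SESSION_COOKIE, session_id, SITE_DOMAIN, expires)

def parse_cookie_header(header: str) -> dict[str, str]:
    """Split a request header such as 'Cookie: a=1; b=2' into name/value pairs."""
    cookies = {}
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies

def identify_user(cookie_header: str, now: datetime) -> str | None:
    """Validate the incoming session cookie; return the user, or None if unknown or expired."""
    session_id = parse_cookie_header(cookie_header).get(SESSION_COOKIE)
    if session_id not in SESSIONS:
        return None
    username, expires = SESSIONS[session_id]
    if now >= expires:  # check expiry server-side too, not only in the browser
        del SESSIONS[session_id]
        return None
    return username

def domain_matches(cookie_domain: str, request_host: str) -> bool:
    """Would a browser send a cookie set for cookie_domain with a request to request_host?"""
    host, dom = request_host.lower(), cookie_domain.lstrip(".").lower()
    return host == dom or host.endswith("." + dom)
```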
What is the cookie size limit?
Yes, cookies have a size limit enforced by browsers. 4KB is the cookie size limit for a domain.
Can cookies be blocked?
Yes, cookies can be blocked for a domain in the browser. If cookies are blocked for a domain, no cookies for that domain will be persisted in the browser. This can lead to issues at times; you can read more about cookie-blocking issues in another of my blog posts.