
As I know, session cookies are stored in the browser's process (in memory, not on the hard disk). When the user closes the browser, these cookies are released; we can't get these cookies again. So this kind of cookie is used to save the session id.

Persistent cookies are saved on the hard disk. They are alive until they expire. Usually, we create these cookies by setting an expiration.

So my doubts are:

  1. If we set a cookie without an expiration time, will this cookie be treated as a session cookie? Will it be saved in the browser's process?

  2. Must a cookie with an expiration time be treated as a persistent cookie? Can we set a cookie with an expiration time that is stored in the browser's process?

  3. Can we make session cookies not appear in the browser's process, and let them stay on the disk instead? If so, how do we code it in PHP/ASP.NET/Java?

Gennadiy Litvinyuk
roast_soul
  • sessions are saved on the user's machine as well. Only they expire when the browsing session expires. This is why sessions shouldn't hold sensitive data, because they can be hijacked. And don't even bother learning how to create infinite sessions. They can persist past the browsing session in some cases, but it's bad practice and not worth learning –  Mar 18 '13 at 02:24
  • sessions are saved on the user's machine?? Sessions are on the server. – roast_soul Mar 18 '13 at 02:27
  • @user1928545 session cookies are saved on the user's machine, but the real data is saved on the server in a text file with the name of the session cookie that the user has, e.g. user session id = vv1gdmflejj4lco1m6hfju7ub0, server has text file = sess_vv1gdmflejj4lco1m6hfju7ub0 – Class Mar 18 '13 at 02:29
  • you're right @Class, but the session id is saved on the computer. The question said he thought session cookies are stored in memory, not on the hard disk, but they aren't. The information is, but the key is still on the hard disk. It can be hijacked. –  Mar 18 '13 at 02:30
  • It can, but it's easy to add HttpOnly to the session cookie. – Class Mar 18 '13 at 02:33
  • @user1928545: the session cookie (also known as an in-memory cookie or transient cookie) is a type of cookie. – roast_soul Mar 18 '13 at 02:34
  • @roast_soul The information is saved on the server, but the key is saved on the hard drive. I'm going to get a lot of heat for this, but technically they aren't any more secure than cookies, unless SSL is used on the site. Persistent sessions using a session cookie that lasts when a browser closes can be achieved by editing your php.ini settings if you're using PHP, or by using a cookie and a session. –  Mar 18 '13 at 02:37
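As an added illustration (not code from the question or the comments above) of the distinction the three questions turn on: a user agent treats a Set-Cookie header with neither Expires nor Max-Age as a session cookie and one with either attribute as persistent, with Max-Age taking precedence (RFC 6265, section 5.3). The helper below builds such headers, including the HttpOnly flag mentioned in the comments, and classifies any Set-Cookie header the way a browser would; all header strings used with it are constructed samples.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime


def build_set_cookie(name, value, max_age=None, expires=None,
                     http_only=True, secure=True, path="/"):
    """Build a Set-Cookie header value. With neither max_age nor expires
    the browser keeps the cookie only for the browsing session."""
    parts = [f"{name}={value}", f"Path={path}"]
    if max_age is not None:
        parts.append(f"Max-Age={int(max_age)}")
    if expires is not None:
        # HTTP-date, e.g. "Mon, 18 Mar 2013 02:24:00 GMT" (UTC assumed)
        parts.append("Expires=" + expires.strftime("%a, %d %b %Y %H:%M:%S GMT"))
    if http_only:
        parts.append("HttpOnly")  # keeps document.cookie from reading it
    if secure:
        parts.append("Secure")    # only sent over HTTPS
    return "; ".join(parts)


def classify_set_cookie(header, now=None):
    """Return (kind, expiry, flags) the way a user agent decides it
    (RFC 6265 section 5.3): Max-Age takes precedence over Expires,
    a non-positive Max-Age or a past Expires means "expired" (delete),
    and neither attribute means a session cookie with no expiry."""
    now = now or datetime.now(timezone.utc)
    attrs = {}
    for chunk in header.split(";")[1:]:          # skip the name=value pair
        key, _, val = chunk.strip().partition("=")
        attrs[key.lower()] = val
    flags = {f for f in ("httponly", "secure") if f in attrs}
    if "max-age" in attrs:
        seconds = int(attrs["max-age"])
        if seconds <= 0:
            return "expired", None, flags
        return "persistent", now + timedelta(seconds=seconds), flags
    if "expires" in attrs:
        expiry = parsedate_to_datetime(attrs["expires"])
        if expiry.tzinfo is None:
            expiry = expiry.replace(tzinfo=timezone.utc)
        return ("expired" if expiry <= now else "persistent"), expiry, flags
    return "session", None, flags
```

So question 1 and the first half of question 2 resolve to "yes": the presence or absence of an expiry attribute is exactly what decides whether the browser keeps the cookie past the session.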

1 Answer

As far as I'm concerned, what we send back from the server to the client is stored on the user's hard disk; it's the persistent cookie, as you called it. The session cookie stores some information on a conversation you have with a website; after you clear the cache or restart your browser, the conversation information changes. When you visit a website, you don't send a session_id to the server because you don't have one yet. The server then generates a session_id and stores the conversation information and session_id as a key-value pair on the server side, and returns the session_id to the client side, which stores it in persistent cookies. This is the process in my eyes.

Judking
  • quote: "session_id as key-value pair in server side, and return the session_id to client side, which stores in persistent cookies." I don't think that; the session_id is stored in session cookies, which are in the browser's process. – roast_soul Mar 18 '13 at 02:37
  • @roast_soul when I use servlets, I found it worked that way: the session id is generated on the server side when the request sent from the client side doesn't have a session id in its cookies. – Judking Mar 18 '13 at 02:41
  • @roast_soul Or something like this: the so-called `session id` is generated in the browser and stored in a session cookie on the client side, but the servlet has its own session mechanism, so it creates its own `servlet_session_id` (something like that), which is stored both in the client's persistent cookie and on the server side, to store information as well as trail browsers. – Judking Mar 18 '13 at 02:45
  • do you use the Chrome developer tools or Firebug? – roast_soul Mar 18 '13 at 02:46
  • @roast_soul yes, when I send the very first request to the server, there is no `jsessionid` in its cookies, but when the response comes back, there is a `jsessionid` in its cookies. – Judking Mar 18 '13 at 02:48