-1

I want to know what the difference is between browser cookies and a pseudo random number generated by the server. To elaborate: according to me, browser cookies are some random number which is used to authenticate the user to the server during the session (this is one type of cookie). There are other types of cookies too, like permanent cookies. And there is the pseudo random number which we can see in the page source code, like

```html
<input type="hidden" name="_token" value="915cdd.............">
```

Here `value` contains that pseudo random number. I think it also serves the same purpose. I am a little bit confused.

Do they serve the same purpose, or are they completely different?

Naman
  • Cookies are not random numbers, they are files containing information that may be relevant to a certain website. – nico Aug 07 '13 at 07:08
  • Ok. So what kind of file is it? – Naman Aug 07 '13 at 07:09
  • A cookie is just a way for the server to store **any kind of information** on the client so the client returns it back to the server with every request. It has nothing to do with random numbers per se. – deceze Aug 07 '13 at 07:17
  • Naman, this may be a good start: http://en.wikipedia.org/wiki/HTTP_cookie – nico Aug 07 '13 at 07:20
  • But when I look at the cookie content in my browser it shows some random content like `D854A8tEOktAdfTl` – Naman Aug 07 '13 at 07:28
  • That's because the server chose to put that random content into the cookie. – deceze Aug 07 '13 at 07:30
  • @Naman Not random, at least you can't assume that without access to the server side. As for what it means: we wouldn't know because of the same reason. – freakish Aug 07 '13 at 07:30
  • What could be the reason? – Naman Aug 07 '13 at 07:33

1 Answer

1

These are completely different concepts. A cookie is a piece of data (any data) sent from a server and stored in a browser. It can be used, for example, to store authentication data in a browser (for example a session id).

A pseudo random number is... well, it's a pseudo random number. It can be stored in a cookie as a piece of data mentioned above.

By the way: what you've shown us is not necessarily a pseudo random number. You don't have to understand how it was generated, but unless you know the server code you cannot assume that it is random. It can be, for example, a completely deterministic number which was additionally hashed. The purpose of that data is quite hard to determine without access to the server side, but from my experience these kinds of tokens are only used for security.

freakish
  • Ok. I think the pseudo random number is introduced to prevent CSRF (cross site request forgery) attacks. – Naman Aug 07 '13 at 07:31
  • @Naman Right, it tries to fight CSRF. This SO thread should explain it (django is just a Python framework, don't worry if you don't know it): http://stackoverflow.com/questions/5207160/what-is-a-csrf-token-what-is-its-importance-and-how-does-it-work – freakish Aug 07 '13 at 07:38
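
An added example (not part of the original thread, and not any particular site's code) of the distinction discussed above: the browser attaches the session cookie to every request automatically, while the hidden `_token` has to be read from the page and echoed back, so a request forged from another site carries the cookie but not the token. The HMAC derivation, `SERVER_KEY`, `SESSIONS` and all function names are assumptions for illustration; it also shows a token that looks random yet is deterministic on the server side.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

SERVER_KEY = secrets.token_bytes(32)  # assumed per-process server secret
SESSIONS = {}                         # session id -> user (in-memory, illustration only)


def login(user):
    """Create a session and return the Cookie header the browser will send back."""
    sid = secrets.token_urlsafe(16)   # random session id stored in the cookie
    SESSIONS[sid] = user
    return f"sessionid={sid}"


def csrf_token(sid):
    """Deterministic token: HMAC of the session id under the server key."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def render_form(cookie_header):
    """Embed the token in the page; only a script on the same origin can read it."""
    sid = SimpleCookie(cookie_header)["sessionid"].value
    return f'<input type="hidden" name="_token" value="{csrf_token(sid)}">'


def handle_post(cookie_header, form):
    """Return an HTTP status: the cookie authenticates, the token proves origin."""
    jar = SimpleCookie(cookie_header)
    if "sessionid" not in jar or jar["sessionid"].value not in SESSIONS:
        return 401                    # no valid session cookie
    expected = csrf_token(jar["sessionid"].value)
    supplied = form.get("_token", "")
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403                    # cookie present, token missing or wrong
    return 200


if __name__ == "__main__":
    cookie = login("naman")           # constructed sample user
    page = render_form(cookie)
    token = page.split('value="')[1].rstrip('">')
    print("legitimate form post:", handle_post(cookie, {"_token": token}))
    print("forged cross-site post:", handle_post(cookie, {}))
```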