Source

Cookies are placed on the device used to access a website, and more than one cookie may be placed on a user’s device during a session.

As I see it, one site can work with more than 1 cookie file, and I don't understand the mechanism of this. What do I mean? I realize that one HTTP response can contain several set-cookie headers that "tell" the browser to save the needed cookie on the client's device. For example:

Cookies are set using the Set-Cookie header field, sent in an HTTP response from the web server. This header field instructs the web browser to store the cookie and send it back in future requests to the server (the browser will ignore this header field if it does not support cookies or has disabled cookies).

set-cookie: _hexlet_session2=AiUPd6RFbcrnoGnZSLAYSBzdJqxsQ4sTc%2BW0xXuOKzlenyv5GwkkbpdkD6IVDybDlD8vQcOcgGax98%2FmzIBJrz9f%2BDIJxWRpknZsRSfBXuC9yRfndovBUG6w4fTql4qp7zPozd2veFDLOU4koPVYiUQxgBLM6NkyYg%2Bhs%2BQe%2FSZezleVgMBVD%2FFC070DjV7t2eN01o26kcbd0pQsf9k1LE4JN0aDzSxu8elxLyAWkIJ5l3m%2BcI%2BpgOxk87Uwh9WdTHVuDaraiRaVJz1aZq5hr%2FgzaZiK%2Bgi6ChX60nhha1an610b1v3EE7xgkEM332uFPU0w675fHEr4APTdPDVtJRa3--qQi0cqcljC8i4klD--fXTErw9bhX7%2Fd1xfPE4Gww%3D%3D; domain=.hexlet.io; path=/; expires=Sun, 16 Aug 2020 03:38:11 GMT; secure; HttpOnly; SameSite=Lax 
set-cookie: GCLB=CLTE8bzdlaS6Zg; path=/; HttpOnly; expires=Thu, 16-Jul-2020 03:39:50 GMT

But I still can't get how this transmission mechanism works. I've read before that every cookie has its own session id. As I understand it (maybe I'm wrong), <cookie-name>=<cookie-value> is responsible for indicating the session id. It doesn't matter what kind of cookie is sent, every cookie has its own <cookie-name>=<cookie-value>. For example, from MDN:

Set-Cookie: <cookie-name>=<cookie-value>
Set-Cookie: <cookie-name>=<cookie-value>; Expires=<date>
Set-Cookie: <cookie-name>=<cookie-value>; Max-Age=<non-zero-digit>
Set-Cookie: <cookie-name>=<cookie-value>; Domain=<domain-value>
Set-Cookie: <cookie-name>=<cookie-value>; Path=<path-value>
Set-Cookie: <cookie-name>=<cookie-value>; Secure
Set-Cookie: <cookie-name>=<cookie-value>; HttpOnly

And... when the cookie file is sent to the server, its session id is searched for on the server. When it's finally found, the client can get all the needed data. That's quite understandable.

But there's something I don't understand. Like I said before, every cookie file has its own session id. When an HTTP request is sent to the server with several cookies, are all session IDs searched for on the server? How does it happen?

And... The main question: how can one request have many session IDs? I mean, for this reason we can't log in with 2 different accounts in 1 browser. One client (it's the browser in most cases) can have just one session id on some server.

Could someone explain to me in a nutshell how the server works with multiple cookies?

Ivan
  • You're confusing *cookies* and *sessions*, which are two different things. Does this answer your question? [Differences between cookies and sessions?](https://stackoverflow.com/questions/359434/differences-between-cookies-and-sessions) – Kevin Christopher Henry Nov 25 '21 at 14:00
  • @Kevin Christopher Henry I know what the difference between a cookie and a session is. I just don't get how the server works with multiple cookies... – Ivan Nov 25 '21 at 21:40
  • But you're saying things like "every cookie file has its own session id" which is not at all true. Cookies can be used for all sorts of things other than sessions, so when you see that a site has 10 cookies, probably 0 or 1 of them represents a "session id", and the rest are being used for something else. – Kevin Christopher Henry Nov 26 '21 at 00:00
  • @Kevin Christopher Henry I see, so it looks like the cookie's attribute `<cookie-name>=<cookie-value>` can be responsible not just for storing the session id; it can also be used for storing the cookie's name. Am I right? – Ivan Nov 26 '21 at 06:45
  • Cookie values are arbitrary chunks of data, so they can represent anything. The name just gives you a way to refer to them. For example, the value could be some JSON data structure (character encoded to be valid in header). – Kevin Christopher Henry Nov 26 '21 at 14:02

1 Answer

A website may need to store multiple pieces of information about a user, not only the session. Maybe there is a preference that you don't want to save to the backend and that needs to be different for each session.

e.g. A user could have to select a language when he logs in, or a font size in settings.

Set-Cookie: language=en 
Set-Cookie: font_size=16px  
Set-Cookie: sessionid=4324324324233

That way the server will know what response to give to future requests (maybe the server is rendering a part of the site and needs to know the font_size and language before the response).

I have never seen multi-sessions on one server, and I don't see any reason.

Thomas Karachristos
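The server side of the answer's three-cookie example, as an added sketch that is not part of the original answer: the browser returns all cookies in one `Cookie` header, the server splits it into name/value pairs, and only the `sessionid` value is looked up in the session store. The store contents, the user name, the allowed-language set and the function names are assumptions made for illustration.

```python
import re
from http.cookies import SimpleCookie

SESSION_COOKIE = "sessionid"  # cookie name from the answer's example
# Constructed server-side session store: session id -> data kept on the server.
SESSIONS = {"4324324324233": {"user": "ivan"}}
ALLOWED_LANGUAGES = {"en", "de", "ru"}        # assumed set of supported languages
FONT_SIZE_RE = re.compile(r"\d{1,2}px")       # assumed valid font sizes
DEFAULTS = {"language": "en", "font_size": "16px"}


def parse_cookie_header(header):
    """Split one Cookie request header into a {name: value} dict."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def handle_request(cookie_header):
    """Resolve the request context from every cookie the browser sent."""
    cookies = parse_cookie_header(cookie_header)

    # Only one cookie carries a session id; it is the only server-side lookup.
    session = SESSIONS.get(cookies.get(SESSION_COOKIE, ""))

    # The other cookies are plain client-supplied data: validate, never trust.
    language = cookies.get("language", DEFAULTS["language"])
    if language not in ALLOWED_LANGUAGES:
        language = DEFAULTS["language"]
    font_size = cookies.get("font_size", DEFAULTS["font_size"])
    if not FONT_SIZE_RE.fullmatch(font_size):
        font_size = DEFAULTS["font_size"]

    return {
        "user": session["user"] if session else None,
        "language": language,
        "font_size": font_size,
    }


if __name__ == "__main__":
    # Constructed request header carrying the answer's three cookies at once.
    print(handle_request("language=en; font_size=16px; sessionid=4324324324233"))
    # Unknown session id and out-of-range preferences fall back to defaults.
    print(handle_request("language=xx; font_size=9999px; sessionid=unknown"))
```
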