Do websites like Facebook store logged in users in cookies (client side) or sessions (server side)? My tests indicate that they do the first.
-
If they would store the info which user is logged in in a cookie, everybody could log in as somebody they're not. So it's *probably* not that ;) – Pekka Dec 17 '11 at 20:36
-
Sessions are often keyed off of a random value stored in a cookie. The cookie usually won't contain any identifiable data of consequence, and if it does, it will be validated server-side by some other means. – Tim M. Dec 17 '11 at 20:38
-
Cookies store a unique ID. The server uses this unique ID for authentication. – Zul Dec 17 '11 at 20:44
5 Answers
Generally, sensitive information like which user is currently logged in must be stored on server side - remember, cookies can be freely read and altered by the user.
What you are probably seeing is the session cookie that ties a specific client to a specific session on the server - that is so the server knows which session to use for you. In this case, the only thing the cookie contains is a long, random session ID - it's long and random so it can't be easily guessed by an attacker.
The act of stealing another user's session cookie is called session hijacking.
Additional info:
- Cookie VS Session
- Session chapter in the PHP manual
-
Thanks Pekka... but can you explain further... I thought that a session on a server is a file... why would you need both? – jon Dec 17 '11 at 20:41
-
Cookies can be encrypted and use checksums to avoid being modified or read :P – Esailija Dec 17 '11 at 20:42
-
@jon read up on how sessions work (e.g. in the Session chapter in the PHP manual). The cookie is necessary for Facebook to know which user has which session. – Pekka Dec 17 '11 at 20:42
-
i.e. would the case not be: user logs in, cookie is set with a unique number which is also stored in the database. When the user navigates through the site, if the cookie matches the number stored in the database, the user is logged in? Regards, J – jon Dec 17 '11 at 20:43
-
@Pekka The cookie is necessary for Facebook to know which user has which session... ahhh... that makes sense... otherwise you wouldn't know which user has which session. – jon Dec 17 '11 at 20:46
-
@jon yeah. There are alternative ways of tracking sessions (like passing the ID in a GET variable: `index.php?sessionid=1234567890` but I think Cookies are the vastly more popular method) – Pekka Dec 17 '11 at 20:48
-
@jon I'm not sure what you mean? You need a PHP session if you want to do what Facebook does with their session - store session-related data on server side. Is that what you mean? – Pekka Dec 17 '11 at 20:48
-
Would you not just do as I said and store a random string in their cookie, and every page request check this against the database to see if they are logged in?... would this not be better than using a session that, as I understand it, adds a temp file to your server. – jon Dec 17 '11 at 20:50
-
@Esailija true - although this is exceedingly rare AFAIK, and seeing as all the data would have to be transported on every request, having it on server side makes more sense in most cases I think – Pekka Dec 17 '11 at 20:50
-
let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/5942/discussion-between-jon-and-pekka) – jon Dec 17 '11 at 20:51
-
@jon PHP's session functionality does essentially exactly what you describe - there's no need to use it, you're right. But it adds a lot of convenience (because you can read/write `$_SESSION[]` variables, you can set the session lifetime, etc.) that you would otherwise have to implement for yourself. – Pekka Dec 17 '11 at 20:51
-
Thanks Pekka for your time... I see what you mean... but by creating a session you are also adding, in the case of Facebook, millions of files on the server (or servers)... however I guess without the session you are having to make more requests to the database. – jon Dec 17 '11 at 21:00
-
@jon you're welcome. Re Facebook, chances are that they are using their own database-driven (or some other) session storage method - you can implement your own session storage method: http://de2.php.net/manual/en/session.customhandler.php – Pekka Dec 17 '11 at 21:02
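As an added illustration of the two mechanisms discussed in this answer and its comments (this is not code from the question or from any answer, and it is language-agnostic rather than PHP's actual implementation): a server-side session store where the cookie carries only a long random ID (the `PHPSESSID` cookie name is PHP's default; the in-memory dict and the one-hour lifetime are assumptions standing in for a file directory or database), and, for Esailija's point, the alternative of keeping state in the cookie itself but protecting it with an HMAC so any alteration is rejected.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 3600  # seconds; assumed lifetime for this example


class SessionStore:
    """In-memory stand-in for PHP's session directory or a DB-backed handler."""

    def __init__(self):
        self._sessions = {}  # session_id -> {"user": ..., "expires": ...}

    def create(self, user_id):
        # 32 bytes from the OS CSPRNG: long and random so it cannot be guessed.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {"user": user_id, "expires": time.time() + SESSION_TTL}
        return session_id

    def lookup(self, session_id):
        """Return the user owning this session, or None if unknown or expired."""
        entry = self._sessions.get(session_id)
        if entry is None or entry["expires"] < time.time():
            self._sessions.pop(session_id, None)
            return None
        return entry["user"]

    def destroy(self, session_id):
        """Logout: the ID in the cookie stops meaning anything server-side."""
        self._sessions.pop(session_id, None)


def user_from_cookie(store, cookies):
    """What the server does on every request: cookie jar -> logged-in user or None."""
    session_id = cookies.get("PHPSESSID")
    if not session_id:
        return None
    return store.lookup(session_id)


# Alternative: the data itself lives in the cookie, with a server-keyed MAC
# appended so the client can read it but cannot change it undetected.

def sign_cookie(secret, payload):
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_cookie(secret, cookie_value):
    """Return the payload if the MAC checks out, else None (forged or tampered)."""
    payload, sep, mac = cookie_value.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    return payload


def demo():
    store = SessionStore()
    sid = store.create("alice")
    assert user_from_cookie(store, {"PHPSESSID": sid}) == "alice"
    # A client editing the cookie to some other value is simply not logged in.
    assert user_from_cookie(store, {"PHPSESSID": "guessed"}) is None
    store.destroy(sid)
    assert user_from_cookie(store, {"PHPSESSID": sid}) is None

    secret = secrets.token_bytes(32)  # constructed server secret
    cookie = sign_cookie(secret, "user=alice")
    assert verify_cookie(secret, cookie) == "user=alice"
    assert verify_cookie(secret, cookie.replace("user=alice", "user=admin")) is None
    return True


if __name__ == "__main__":
    demo()
```

The first half is what the answer describes: the only thing in the cookie is an unguessable lookup key, and everything that matters is resolved on the server. The second half shows why a client-held cookie is only safe with integrity protection: the payload is still readable (Esailija's encryption remark would address that), but a changed payload no longer matches its MAC.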
I think the idea behind $_sessions is it's much faster and efficient for the server to process its own information, rather than receive bulk information from the client.
Look at it this way:
You (the server) and a friend (the client) are gossiping about your other friend Cindy. Does your friend give you every detail of information about her (hair color, height, etc...)? No, that would be a waste of time. It's much faster for you to process the information you already know about Cindy (in the $_session file, server-side) and only receive unique information ($_cookies) from your friend (the client).
Efficient: "Hey, did you hear what Cindy did last night?"
NOT efficient: "Hey, did you hear what Cindy with brown hair, blue eyes, medium build, etc... did last night?"
Obviously, this doesn't fully summarize $_sessions and $_cookies, but maybe it will help someone understand efficient short-term data management.
They use server-side sessions in conjunction with a cookie.
The cookie holds an ID; this ID is sent to Facebook and the server checks the details for the session with that ID.
-
Thanks Richard, but why do they need the session at all? When we are talking about sessions, are we talking about e.g. $_SESSION['user']? – jon Dec 17 '11 at 20:56
They probably use sessions and then store some information into cookies, like, user_id is logged in with session_id = .../ then check in session for that session_id to see if the user is still logged in. I think it is a waste of resources. In my opinion I store critical info into sessions and big info into cookies.
I think Server-Side session data stores. If you want to store user data persistently, you'll need to write it into a server-side data store (e.g., a relational database, a NoSQL key-value store, etc.). The lookup key will typically be either a cookie ID or a login ID. To speed up lookups, you can put a caching layer in front of it (e.g., Memcache, Redis). The advantage is that you can store an arbitrarily large / complex set of per-user data.
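An added example of the layering this answer describes (not code from the answer, and not any real Memcache or Redis client): a persistent per-user store with a cache-aside layer in front, keyed by the session ID from the cookie. The dicts, the 60-second cache lifetime and the injectable clock are assumptions for the example. The point worth seeing in code is that logout has to evict from the cache as well as the backing store, otherwise a cached entry keeps answering "logged in" until its TTL runs out.

```python
import time

CACHE_TTL = 60  # seconds; assumed cache lifetime


class UserSessionBackend:
    """Persistent store (dict standing in for a database) with a cache in front."""

    def __init__(self, now=time.time):
        self._now = now      # injectable clock so expiry can be exercised
        self._db = {}        # session_id -> per-user record (persistent)
        self._cache = {}     # session_id -> (record, expires_at)
        self.db_reads = 0    # counts backing-store hits, to show the cache working

    def login(self, session_id, record):
        """Persist an arbitrarily rich per-user record under the session key."""
        self._db[session_id] = record

    def lookup(self, session_id):
        """Cache-aside read: serve from cache if fresh, else read through and fill."""
        hit = self._cache.get(session_id)
        if hit is not None and hit[1] > self._now():
            return hit[0]
        self.db_reads += 1
        record = self._db.get(session_id)
        if record is not None:
            self._cache[session_id] = (record, self._now() + CACHE_TTL)
        else:
            self._cache.pop(session_id, None)
        return record

    def logout(self, session_id):
        """Evict from both layers; deleting only the DB row would leave the
        cached copy valid for up to CACHE_TTL seconds after logout."""
        self._db.pop(session_id, None)
        self._cache.pop(session_id, None)


if __name__ == "__main__":
    backend = UserSessionBackend()
    backend.login("constructed-session-id", {"user": "alice", "prefs": {"theme": "dark"}})
    print(backend.lookup("constructed-session-id"), backend.db_reads)
    print(backend.lookup("constructed-session-id"), backend.db_reads)  # cache hit, same count
    backend.logout("constructed-session-id")
    print(backend.lookup("constructed-session-id"))
```

The same eviction rule applies to any server-side change that should take effect immediately, such as a password reset or forced logout: invalidate the cache entry, do not wait for the TTL.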