Tuesday, April 19, 2011

How cookies work

A lot of developers know how to get and set cookies to persist state in their applications, but not all of them know how cookies actually work. Here is a short tutorial on how cookies work.

When your browser sends a request to a website "A", your client (the browser) contacts server "A" for content. The browser first looks on your machine for a cookie that has been set by "A". If it finds "A"'s cookie, it sends all the related name-value pairs stored in the file to "A" as HTTP headers. If it does not find the file, it sends no cookie data (well, that's obvious). After that, website "A" can use the cookie the browser sent, and "A" can set additional cookies for future use. The cookie itself is just a text string included in the request and response headers; that is how "A" interacts with your browser.


The following is a more visual version of how a cookie is set and then sent back:

1) When you request a server by URL, an HTTP request like this is sent (assume this is the first time you access the site):
============================
GET /index.html HTTP/1.1
Host: www.abc.com
============================

2) When the server responds, the response will contain something like this:
============================
HTTP/1.1 200 OK
Content-type: text/html
Set-Cookie: name=iroy2000
============================

3) Now the browser requests the same page again, this time including the cookie:
============================
GET /index.html HTTP/1.1
Host: www.abc.com
Cookie: name=iroy2000
Accept: */*
============================
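To make the three steps concrete, here is an added Python example (not code from the original post) that models the exchange: a toy server that answers with Set-Cookie on the first visit, and a minimal browser-side cookie store that keeps what it received and attaches a Cookie header to the next request. It goes one step beyond the post's exchange by giving one of the cookies a Max-Age, so "closing the browser" shows which cookies are temporary and which persist. The host www.abc.com and the cookie name=iroy2000 come from the post; the extra theme cookie is a constructed sample value, and CookieJar, build_request, server_response and simulate are hypothetical helper names.

```python
from http.cookies import SimpleCookie


class CookieJar:
    """Minimal model of a browser's cookie store for a single host.

    Entries map cookie name -> (value, persistent). A Set-Cookie that carries
    Max-Age or Expires becomes a persistent cookie; one without either
    attribute is a temporary (session) cookie that dies with the browser.
    """

    def __init__(self):
        self._store = {}

    def store_response(self, response_text):
        """Read every Set-Cookie header of a raw HTTP response into the jar."""
        for line in response_text.splitlines():
            if not line.lower().startswith("set-cookie:"):
                continue
            parsed = SimpleCookie()
            parsed.load(line.split(":", 1)[1].strip())
            for name, morsel in parsed.items():
                persistent = bool(morsel["max-age"] or morsel["expires"])
                self._store[name] = (morsel.value, persistent)

    def cookie_header(self):
        """Cookie header the browser attaches to its next request (None if empty)."""
        if not self._store:
            return None
        pairs = "; ".join(f"{name}={value}" for name, (value, _) in self._store.items())
        return "Cookie: " + pairs

    def close_browser(self):
        """Simulate closing the browser: temporary cookies are erased."""
        self._store = {n: e for n, e in self._store.items() if e[1]}

    def names(self):
        return sorted(self._store)


def build_request(path, host, jar):
    """Steps 1 and 3: request line, Host header and, if the jar has anything, Cookie."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}"]
    header = jar.cookie_header()
    if header:
        lines.append(header)
    lines.append("Accept: */*")
    return "\r\n".join(lines) + "\r\n\r\n"


def server_response(request_text):
    """Step 2: a toy server. On a request without a Cookie header it sets
    'name' (temporary, as in the post) and 'theme' (persistent for 30 days,
    a constructed extra); on later requests it just echoes what it received."""
    cookie_lines = [l for l in request_text.splitlines() if l.lower().startswith("cookie:")]
    lines = ["HTTP/1.1 200 OK", "Content-type: text/html"]
    if not cookie_lines:
        lines.append("Set-Cookie: name=iroy2000")
        lines.append("Set-Cookie: theme=dark; Max-Age=2592000")
        body = "<html>first visit</html>"
    else:
        body = f"<html>welcome back ({cookie_lines[0]})</html>"
    return "\r\n".join(lines) + "\r\n\r\n" + body


def simulate():
    """Run the post's three steps, then close the browser and request once more.
    Returns the three request texts so each step can be inspected."""
    jar = CookieJar()
    first = build_request("/index.html", "www.abc.com", jar)    # step 1: no Cookie header
    jar.store_response(server_response(first))                   # step 2: Set-Cookie stored
    second = build_request("/index.html", "www.abc.com", jar)   # step 3: Cookie sent back
    jar.close_browser()
    third = build_request("/index.html", "www.abc.com", jar)    # only the persistent cookie is left
    return first, second, third


if __name__ == "__main__":
    for step in simulate():
        print(step)
```

Running it prints the first request without a Cookie header, the second with `Cookie: name=iroy2000; theme=dark`, and the third (after the simulated browser close) with only `Cookie: theme=dark`, which is the temporary-versus-persistent distinction the notes below describe.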

Extra notes about cookies
What's the difference between "session" and "cookie"?
There are two kinds of cookies: session cookies and persistent cookies. Session cookies are stored in memory on the server, whereas persistent cookies are stored in a cookie file on the client.

Some developers, when they first start, may be confused about "session" and "cookie". In short, a "cookie" is saved in the client's browser and can last for a long time (it is first saved in browser memory as a "temp cookie", but if you set a long time-to-live value, it is saved to a file as a "permanent cookie"), while a "session" is saved on the server and is only valid for one browser session.

What is a persistent (permanent) cookie?
A persistent cookie is a cookie that is stored permanently in a cookie file on the browser's computer. By default, cookies are created as temporary cookies, which are stored only in the browser's memory. When the browser is closed, temporary cookies are erased. You should decide when to use temporary cookies and when to use persistent cookies based on their differences:
  • Temporary cookies cannot be used for tracking long-term information.
  • Persistent cookies can be used for tracking long-term information.
  • Temporary cookies are safer because no programs other than the browser can access them.
  • Persistent cookies are less secure because users can open the cookie files and see the cookie values.

Depending on your architecture and your use case, one method may be preferable to the other. Here are some points you should consider:

  1. How many servers run your website? Remember that a "session" is saved on the server (yes, a single server, not multiple servers), so if you have more than one server in your cluster, you need to maintain the "session" for a particular user across them. Usually people sync the "session" using the database, and I believe Apache's mod_proxy provides sticky sessions that maintain sessions in multi-server setups. A cookie, however, is saved in the browser, so it doesn't care how many servers you have at the back.
  2. How sensitive is your data? Since a "cookie" is saved on the user's local machine, the user could potentially modify that data. For example, Firefox users can modify their cookie values. If you do not want your users to modify the information, or if the data is sensitive, it is recommended that you do not use a cookie to hold the data; instead, hold the sensitive data in a database and use the cookie only to hold an ID for future retrieval.
  3. How long do you need your data? As mentioned above, a session lasts for one browser session; a cookie is for the longer term.
  4. How large is your data? Since a cookie is saved in the browser, it has a size limitation. If you are going to store a large amount of data, you should consider a session or the database, because both are saved on the server and have more generous limits than a cookie.
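The recommendation in point 2, as an added Python example (not code from the original post): keep the sensitive data in a server-side store and hand the browser only a random session ID, then contrast that with a cookie that carries the data itself, which the server can only take at face value. The in-memory dict stands in for the database, and login, logout, session_from_cookie_header and role_from_naive_cookie are hypothetical names.

```python
import secrets
from http.cookies import CookieError, SimpleCookie

# Server-side store: session ID -> user data. A dict stands in for the database
# that a multi-server deployment would need so every node sees the same sessions.
SESSIONS = {}


def login(username, role):
    """Create a server-side session and return the Set-Cookie header for it.

    The browser receives only an unguessable random ID; the user's data never
    leaves the server. No Max-Age is set, so this is a temporary cookie that is
    erased when the browser closes, matching the lifetime of a server session.
    """
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": username, "role": role}
    return f"Set-Cookie: sid={session_id}"


def _cookie_value(cookie_header, name):
    """Parse a raw Cookie header value (without the 'Cookie: ' prefix) and
    return one cookie's value, or None if absent or unparseable."""
    if not cookie_header:
        return None
    parsed = SimpleCookie()
    try:
        parsed.load(cookie_header)
    except CookieError:
        return None
    return parsed[name].value if name in parsed else None


def session_from_cookie_header(cookie_header):
    """Resolve the request's session. Returns None for a missing, unknown or
    edited ID: a user who changes the cookie simply gets no session at all."""
    return SESSIONS.get(_cookie_value(cookie_header, "sid"))


def logout(cookie_header):
    """Invalidate the session named by the Cookie header; True if one existed."""
    return SESSIONS.pop(_cookie_value(cookie_header, "sid"), None) is not None


def role_from_naive_cookie(cookie_header):
    """The approach the post warns against: the role lives in the cookie itself,
    so the server sees whatever value the user's browser chose to send."""
    return _cookie_value(cookie_header, "role")


if __name__ == "__main__":
    header = login("alice", "user")
    sid = header.split("sid=", 1)[1]
    tampered = sid[:-1] + ("A" if sid[-1] != "A" else "B")   # one edited character
    print(session_from_cookie_header(f"sid={sid}"))        # alice's server-side data
    print(session_from_cookie_header(f"sid={tampered}"))   # None: unknown ID
    print(role_from_naive_cookie("role=admin"))            # 'admin', taken at face value
```

The ID comes from `secrets.token_urlsafe`, so it cannot be guessed or derived from the data it points to; the lookup treats any ID not in the store as "no session", which is the only sensible answer when the value arrives from the client.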
