security – How does the session work in web browsers?

Question:

A session allows me, for example, to keep the user logged in, keeping the information of who is logged in (usuario_id, for example).

I believe it's something more elaborate than cookies, because otherwise I could change my browser's "usuario_id" cookie to any number and then log in as another user.

  • How does the session work?
  • What makes it different from cookies?
  • What makes it safe?

Answer:

What is the session

In web projects, a session is the use of an application by a user, generally comprising a sequence of requests.

On the other hand, the term session can also refer to the content, location or storage variable of the stored state. For example, in Java there is the session map, in PHP the superglobal variable $_SESSION, and so on.

How the session works

To identify that a sequence of actions comes from the same user, some technique is used to identify them; the most common are:

  1. Cookies: a session identifier is placed in a cookie, which will persist at least until the user logs out or closes the browser. Keep in mind that cookie data is sent from the browser to the server with each request.
  2. URL rewrite: a session identifier is generated on the first access to the system, and all system links add this identifier as a URL parameter. This way, the user can be identified in each request.

It can be seen, then, that the general procedure is to generate a unique id per user and then have every request carry this id in some way, through which the language, framework or server can store and retrieve the user's session state.

What makes it safe

Nothing. There are several easy-to-perform attacks on systems that rely only on the session to authenticate and authorize users. The most common is session hijacking. Just somehow get the Cookie or URL that contains the session identifier and put it in any other browser.

Security, however, can be implemented reasonably efficiently with asymmetric encryption (HTTPS/SSL). Certificates signed by certificate authorities (CAs) can also be used to ensure that the conversation is actually with the party you expect and not a "stranger". Furthermore, the content of cookies cannot be intercepted by an intermediary between client and server, as only the real agents can decrypt the data with the private key.

The cookie standard specifies a secure parameter that forces a cookie to be sent only if the connection is secure (HTTPS). This gives some assurance that it won't "escape" by mistake in some ordinary HTTP request to the server.

Anyway, I'm not a security expert. There are certainly many details pertinent to this subject, but I hope this is a good introduction.
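To make the mechanism above concrete, here is an added example (not code from the question or the answer) of the server side of cookie-based sessions in Python. The cookie name SESSIONID, the idle lifetime, and the store and function names are assumptions made for this example. It shows why editing a usuario_id cookie in the browser does not log you in as someone else: the browser only holds an opaque random id, the user id lives in the server-side store, and the server ignores any usuario_id the client sends. It also shows the Secure flag from the answer alongside HttpOnly and SameSite, an idle timeout, and re-issuing the id on login so that a pre-login id is never reused.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Assumed names for this example (not from the original answer).
SESSION_COOKIE = "SESSIONID"
SESSION_TTL = 30 * 60  # idle lifetime in seconds


class SessionStore:
    """Server-side store: opaque random id -> session state.

    The client only ever holds the id; the state (e.g. usuario_id) never
    leaves the server, so editing cookies in the browser cannot change it.
    """

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock  # injectable so expiry can be exercised offline

    def create(self, state=None):
        # 32 bytes from the OS CSPRNG: not guessable and not sequential.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "state": dict(state or {}),
            "expires": self._clock() + SESSION_TTL,
        }
        return sid

    def get(self, sid):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if entry["expires"] <= self._clock():
            del self._sessions[sid]  # idle timeout: a stale id is useless
            return None
        entry["expires"] = self._clock() + SESSION_TTL  # sliding expiry
        return entry["state"]

    def regenerate(self, old_sid):
        """Issue a new id for the same state and invalidate the old one."""
        state = self.get(old_sid)
        self._sessions.pop(old_sid, None)
        return self.create(state)

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def session_cookie_header(sid):
    """Set-Cookie value: Secure (HTTPS only, as the answer describes),
    HttpOnly (not readable from JavaScript), SameSite (not sent cross-site)."""
    return f"{SESSION_COOKIE}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def session_id_from_cookie(cookie_header):
    """Extract the session id from a request's Cookie header, if present."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(SESSION_COOKIE)
    return morsel.value if morsel else None


def login(store, cookie_header, usuario_id):
    """Bind the user to a fresh session id (credential check omitted).
    Any id the client already had is replaced, so a pre-login id is never
    carried into the authenticated session."""
    old_sid = session_id_from_cookie(cookie_header)
    if old_sid and store.get(old_sid) is not None:
        sid = store.regenerate(old_sid)
        store.get(sid)["usuario_id"] = usuario_id
    else:
        sid = store.create({"usuario_id": usuario_id})
    return sid, session_cookie_header(sid)


def current_user(store, cookie_header):
    """Who the server attributes a request to: only the server-side state
    bound to a valid session id counts; a usuario_id cookie is ignored."""
    sid = session_id_from_cookie(cookie_header)
    state = store.get(sid) if sid else None
    return None if state is None else state.get("usuario_id")


if __name__ == "__main__":
    # Constructed requests: the Cookie header is all the server sees.
    store = SessionStore()
    sid, set_cookie = login(store, "", usuario_id=42)
    print(set_cookie)
    print(current_user(store, f"{SESSION_COOKIE}={sid}"))                # 42
    print(current_user(store, f"usuario_id=1; {SESSION_COOKIE}={sid}"))  # 42
    print(current_user(store, "usuario_id=1"))                           # None
```

The forged usuario_id cookie in the last two calls changes nothing because the server never reads it; what the answer calls session hijacking is exactly the remaining risk, which is why the id must be unguessable and kept off plain HTTP (the Secure flag) and away from scripts (HttpOnly).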
