
Invalidating a stale session


The cookie also contains information about the site of origin. Next, when the browser sends a request to the site, it looks in the cookies folder for a cookie that originated from that domain.


The point is, cookies are not part of the standard HTTP specification, so they imply a collaboration between browsers and Web sites to work. On the one hand, session state management and user authentication are much easier to code with cookies. On the other hand, if you take a look at your site's statistics regarding the browsers used to access pages, you might be surprised to discover that a significant share of users connect with cookies disabled. Summarizing, cookies are not a problem per se, but their use undoubtedly gives some server code the ability to store a piece of data on client machines. So cookies store the ID of the session, and browsers transparently move their contents back and forth between the Web server and the local user's machine. When a cookie-enabled browser receives a response packet, it looks for attached cookies and stores their content in a text file in a particular folder in the local Windows directory. The figure below shows a snapshot from a real-world site that uses cookieless sessions.

Figure: Map Point using cookieless sessions

Imagine you request a page like Next, you clear the address bar of the same browser instance, go to another application and work.

As you can see from the Map Point screenshot, the slash immediately preceding the resource name is expanded to include parentheses with the session ID stuffed inside, as below. Then, you retype the URL of the previous application and, guess what, you get your session values back as you enter.

This prefigures some potential security risks and an overall situation that is less than ideal.

(In some cases and countries, it's even illegal for an application to require cookies to work.) In ASP.

The HTTP protocol is stateless in nature, and nobody has done anything to change this fact.

Almost two decades ago, while developing their first browser, Netscape Corporation "invented" a persistence mechanism to work over HTTP. It is interesting to note that the term "cookie" in computer science jargon just indicates an opaque piece of data held by an application that affects users but is never directly managed by users.

Not all browsers support cookies and, more importantly, not all users may have cookie support enabled in their own copy of the browser.