Server-Side Scripting/Cookies and Sessions

This lesson introduces cookie and session processing.

Objectives and Skills[edit | edit source]

Objectives and skills for this lesson include:

• Understand cookie concepts
• Understand session concepts
• Understand password hashing concepts
• Use cookies and sessions with server-side scripts

Readings[edit | edit source]

1. Wikipedia: HTTP cookie
2. Wikipedia: Password hash

Multimedia[edit | edit source]

• YouTube: Understanding Authentication in Node.js - Sessions and Cookies - Web Development Concepts Explained
• YouTube: Session Authentication in Express

Examples[edit | edit source]

Activities[edit | edit source]

Complete the following activities using HTML, CSS, and a server-side scripting language. Apply best practices for user interface design and your selected scripting language, including modules, comments, indentations, naming conventions, and constants. Use HTML forms and input elements for input, server-side scripts for processing, and HTML elements for output. Use separate functions for each type of processing. Avoid global variables by passing parameters and returning results. Add comments at the top of the code modules and include references to any resources used. Add the completed code to your website as /lesson12.

1. Add a login screen to one of your database applications. Use bcrypt encryption for passwords and save encrypted passwords in the database. Use cookies to remember users and sessions to track authenticated users. Provide a way for new users to register their username and password.
2. Provide a mechanism for users to request a password reset link sent to their email address. To avoid abuse of password resets by third parties, do not reset a user's actual password. The reset link should take the user to an authenticated screen that allows them to change the current password themselves.

Lesson Summary[edit | edit source]

• An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with later requests to the same server.^[1]
• Cookies are stored on your computer by websites via the browser. When you revisit a site, the browser sends those cookies to that site so that the site can serve you customized information based on your previous activity on the site.^[2]
• Cookies are used to store personalization preferences and track user behavior on a site. They can be viewed using a web developers’ tool and looking in the cookies pane in your browser.^[3]
• Different types of cookies can be used for specific purposes. Session cookies are available until the browser is closed. Persistent cookies are not removed when the user closes the browser but have an expiration date attribute set. Specifying attributes when setting a cookie can enhance or restrict its use.^[4]
• Salt hashing is a technique in which we take the user entered password and a random string of characters called as salt, hash the combined string with a suitable hashing algorithm and store the result in the database.^[5]
• Tracking cookies, and especially third-party tracking cookies, are commonly used as ways to compile long-term records of individuals' browsing history.^[6]

Key Terms[edit | edit source]

authentication

Occurs after we have registered a credential with a website. The credential is just a keypair, the relying party can send some data to the user to verify their identity via the user’s authenticator.^[7]

cookie

Piece of data stored on users computer/web browser by the web browser.^[8]

session

A series of related browser requests that come from the same client during a certain time period.^[9]

See Also[edit | edit source]

• HTML.com: The Ultimate Guide to Cookies
• jscrambler: Best Practices for Secure Session Management in Node
• tutorialspoint: ExpressJS - Cookies
• tutorialspoint: ExpressJS - Sessions

References[edit | edit source]