DEV Community

Cover image for HTTP Sessions + Cookies
Cielo Raymundo
Cielo Raymundo

Posted on • Updated on

HTTP Sessions + Cookies

Before we get into what are HTTP sessions and cookies we must understand what “stateful” and “stateless” mean in an application.

Stateful:

For an application to be stateful it means that it has “knowledge” of past actions, as if it is keeping records. In statefulness this knowledge is being stored between requests of clients and servers. But because of this stateful apps have to stay in a selected instance since the information will not be available elsewhere.

Stateless:

While in a stateless application there isn’t a designated place in which this knowledge will be stored. Although there isn’t a place for the app to store its data of user server interaction, the user is able to use any instances of the app without seeing any difference as if it was stateful.

What are HTTP Sessions?

HTTP stands for HyperText Transfer Protocol, which is used all throughout the web. This protocol is stateless, so it doesn’t store any data. This itself is a problem that software engineers had to get around since they need certain data from the user in order for their web applications to work correctly. In order to do this the concept of “sessions” on top of HTTP came, these sessions are used to store information so that servers could recognize multiple requests from the same user.

Http sessions are now used throughout the internet as a standard feature that allows web servers to store data (requests/response interactions) between the users and the servers. They store information based on that specific session like: session identifier, creation time, last time accessed etc. they also store information about the user like: user login state, and other data the application may need from the user.

What are cookies?

A cookie is a small piece of data that a server sends to the user's web browser. The browser is able to store it and send it back with requests being made to the same server. Cookies are mainly used to check if the requests come from the same web browser. This helps see if a certain user is logged in in any application.

How do they work together?

Sessions can be implemented using cookies. When a new user sends a request to a web server, they are sending it without a session cookie. Because of this the server will start a new session for that user by sending a new session cookie header. This happens when the server sends a response, the server will serialize and encrypt the session data then it will include it in the response header. By having the sessions use cookies the server will be able to recognize the requests that are part of the same sequence of events. This allows servers to recognize which user all requests belong to no matter if other browsers are connected to the same server with the same ip address. The only problem with using cookies for your http session is that you can only save a small bit of data. Since a cookie is sent by the browser with every single request, no matter if the data is needed or not the storing of data can become expensive. Because of this, trying to save large bits of data onto a cookie will cause the requests much slower.

Brief Overview:

Http is stateless so it can’t keep any data of interactions that have happened. In order to solve this problem “sessions” were created on top of http. Sessions essentially allow you to keep data from the session itself and information about the user in the current session. Sessions can be applied using cookies, which keep in minimal information but are enough to see who all the requests being made belong to.

Top comments (0)