The role of cookies in session management

Mifraz Murthaja
Dec 1, 2022

Are you confused about cookies vs. sessions? Simply put, a cookie tracks user information on the client side, whereas a session tracks user information on the server side.

Since the HTTP protocol is stateless, a web application that involves user interactions has to implement session management. In simple terms, without session management the server cannot identify which user is making a request.

Let’s jump straight into the topic and see how cookies contribute to session management.

The authentication flow on Facebook without the cookies
  1. Bob accesses facebook.com on his browser and provides the credentials on the login page to authenticate to facebook.com — Facebook creates a session for Bob on the server.
  2. Alice accesses facebook.com on her browser and provides the credentials on the login page to authenticate to facebook.com — Facebook creates a session for Alice on the server.
  3. Currently, Facebook has the sessions of 2 users: Bob and Alice. If Bob interacts with Facebook, how will Facebook identify whether it’s Bob or Alice?

That’s where the cookie comes into play in session management!

The authentication flow on Facebook with the cookies

Once an authenticated session is created for Bob on Facebook, it responds with a Set-Cookie header, which stores the cookie in Bob’s browser.

A sample set-cookie response header, which sets the c_user cookie returned by Facebook

Similarly, with the set-cookie header returned for Alice, the c_user cookie will be stored on Alice’s browser.

Now both Bob and Alice have their own cookies stored in their browsers. When Bob accesses Facebook, the c_user cookie is sent along with the request, and Facebook uses it to look up the session stored on the server. Once the session for that request is identified, Facebook knows which user is interacting with it and returns that user's data.

It’s the browser’s responsibility to send the cookies available for the particular domain along with every request made to it. (Several other factors determine whether a cookie is sent with a request, even when the domain matches. You may refer to the OWASP document below as a further reference.)

The c_user cookie is not the only one used to identify the session; Facebook uses several other cookies to identify the user session in the browser. You can refer to the blog below to identify the cookies used by Facebook.

A simple question!

The cookies stored in the browser are used to identify the session stored on the server. So, if you got a chance to obtain the cookies stored in Bob’s browser (by manipulating Bob) and store them in your browser, which user’s profile would you see in your browser?

Indeed, it’ll be Bob’s profile (Try it by obtaining the cookies of another user’s browser for the Facebook domain 😉).

Takeaway: Never share your cookies or give anyone access to your browser. Anyone who has them can gain access to any of your accounts and keep using them until the particular session expires. Implementing MFA will not prevent this, since the cookies reflect perfectly authenticated sessions (they are created after the user has successfully completed all the MFA steps). If you’ve shared the cookies, you’ve shared your fully authenticated session.
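The cookie flow and the takeaway above, seen from the server side, as an added Python sketch that is not Facebook's code or part of the original post. It issues a random session ID in a Set-Cookie value with `Secure`, `HttpOnly` and `SameSite`, resolves each request's Cookie header to a user, and shows that expiry or a server-side logout is what ends a session. The cookie name `sid`, the 30-minute lifetime and the `SessionStore` class are assumptions made for the example.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 1800  # assumed 30-minute lifetime; cookie name "sid" is also assumed

class SessionStore:
    """Server-side sessions keyed by an unguessable ID carried in a cookie."""

    def __init__(self):
        self._sessions = {}  # session id -> (username, expiry timestamp)

    def login(self, username, now=None):
        """Create a session after authentication; return the Set-Cookie value."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = (username, now + SESSION_TTL)
        cookie = SimpleCookie()
        cookie["sid"] = sid
        cookie["sid"]["path"] = "/"
        cookie["sid"]["secure"] = True     # only sent over HTTPS
        cookie["sid"]["httponly"] = True   # not readable from page JavaScript
        cookie["sid"]["samesite"] = "Lax"  # withheld on most cross-site requests
        cookie["sid"]["max-age"] = SESSION_TTL
        return cookie["sid"].OutputString()

    def whoami(self, cookie_header, now=None):
        """Map a request's Cookie header to a user, or None if no live session."""
        now = time.time() if now is None else now
        jar = SimpleCookie()
        jar.load(cookie_header or "")
        if "sid" not in jar:
            return None
        entry = self._sessions.get(jar["sid"].value)
        if entry is None or now >= entry[1]:
            self._sessions.pop(jar["sid"].value, None)  # unknown or expired
            return None
        return entry[0]

    def logout(self, cookie_header):
        """Server-side invalidation: the cookie value stops working everywhere."""
        jar = SimpleCookie()
        jar.load(cookie_header or "")
        if "sid" in jar:
            self._sessions.pop(jar["sid"].value, None)

def request_cookie(set_cookie_value):
    """What a browser sends back: only the name=value pair, no attributes."""
    return set_cookie_value.split(";", 1)[0]
```

The server never sees who is holding the cookie, only the value, which is why logging out (server-side invalidation) and short session lifetimes are the controls that limit a shared or exposed cookie.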
