5

I thought cookies are stored on client side only, as files. Then I realize if cookies are not stored on server side, how could a server match a cookie just received from a client to some session or other information created in the past?

So is it correct that cookie information is also stored on the server side?

How does a server store cookie information?

I have searched about "client side cookie" and "server side cookie" and reached several discussions including

Thanks.

Tim
  • 617
  • 2
  • 7
  • 16
  • How is this a security question? Apart from that cookies might contain all the information so that no server side storage is needed since everything can be extracted from the cookie itself. – Steffen Ullrich Feb 10 '20 at 10:34
  • Sorry. How shall I phrase it as security question? If no cookie storage on server side, how can server identify a new request is from the same user as some previous requests, without memory of the previous requests coming from some user? – Tim Feb 10 '20 at 10:39
  • This question suggests to me that you don't yet understand how cookies work. In the simplest form, the server stores a large random value on the client "A6726BD7EE0C" in a cookie AND in a database table along with the user id. When the client requests again with the cookie, the server does a lookup in the database to get the user-id. If the lookup fails, the user needs to log in. The more complicated version requires you to look at https://jwt.io/ and to understand federated trust, PKI, and assymetric cryptography. – Kind Contributor Feb 15 '20 at 05:02

1 Answers1

7

This is a great security question. One must understand the mechanics of what they work with to ensure they are building secure software.

Security

There is no added significant security risk when a server has access to cookie information. Servers are already a privileged system that needs to be strongly protected.

[Comment] ...how can [a] server identify a new request is from the same user as some previous requests, without memory of the previous requests coming from some user...?

If the server stores encrypted or signed data in a client-side cookie, the server can verify that. It can deduce that only an authorised server could have stored that cookie.

A good modern example of this is JWT - https://jwt.io/. They can be sent in a cookie, but typically they go into the authorization header for a Web API HTTP Request. If you understand JWT more, you can understand the cryptographic principles that can be deployed with simpler mechanisms for smaller amounts of data in cookies.

Knowledge

how could a server match a cookie just received from a client to some session or other information created in the past?

Cookies are stored in the client's browser with a timeout after which they are deleted. Upon every HTTP request to the server, they are sent to the server automatically. The cookie is usually set by the server, not the client (but it's possible).

The server typically uses the direct value, or decrypts a value for a local database lookup. For example, the UserID value could be stored in the cookie encrypted.

A key architectural reason for using cookies, is to maintain a session linked to the identity of the user. They are also used as a type of distributed data store, so the server has this information already upon HTTP Request without having to look it up on disk/db which incurs latency.

A session might be associated with a key (GUID) in memory on the web server, or it could be a key for a new session record in a database. In both cases, the key is relayed by cookie.

How does a server store cookie information?

The server MAY store them, but that's not how people view them conceptually. In a way the server does store the data - a session key is the primary key of a record (database or hashed dictionary lookup). For an encrypted UserID, the server-side does have they key too. In a way, the client isn't "storing" it, it's more like a copy of a key. But it is possible, and likely occurs, that clients store distinct information that isn't persisted on the server-side.

is it true that a server always has records of cookie info?

No. Here are some scenarios where the server doesn't have records of the cookie info:

  • Javascript on the client-side sets a cookie. Eg. "OrganisationID=10" indicating that the user has changed organisation context across all browser tabs.
  • Server encrypts some data for the user to hold onto. Eg. "Roles=Admin,Developer,Staff" so that the server can enforce roles on functions without needing to do a lookup on the database

Although the server-side doesn't always have that information somewhere it usually does, because cookies are used for context. When there is a HTTP Request, the server needs to know who it's coming from, what roles they are authorized to use, and whether they have been seen before.

  • I was about to write my own answer, but it would pretty much have copied just that. –  Feb 10 '20 at 11:40
  • Does that mean if I copy my cookies for Facebook from one browser to another browser, even on another computer, it would log me in to Facebook? – personjerry Feb 10 '20 at 12:36
  • Thanks. Does your reply mean that a server always has records of cookie info, either storing it in a file or database or keeping it in memory? – Tim Feb 10 '20 at 13:42
  • 1
    @Tim It depends on the kind of cookie. As the answer suggests, regular session IDs need to be kept in a database of the server so that the server can tell which user the session ID is associated with. –  Feb 10 '20 at 14:48
  • @MechMK1 Thanks. My question is: does a server always have records of cookie info, whether in memory or file/database? When does a server not have any record of the information stored on a client-side cookie file – Tim Feb 10 '20 at 15:02
  • @Tim "When does a server not have any record of.." - A good modern example of this is a JWT. – Kind Contributor Feb 11 '20 at 02:17
  • @personjerry RE: Copying cookies. In theory yes, but I'm not sure how facebook security works. They might use cookies, they might use JWT bearer tokens. They might link your token to your User-Agent (different browsers have different agents). But you are generally correct in considering this possible security risk - this is why cookies have expiry to reduce the risk (but it doesn't eliminate the risk). However, if someone has access to your computer to copy your cookies, they can already do alot. – Kind Contributor Feb 11 '20 at 02:20
  • @todd isn't JWT for token based authentication? I am asking about whether it is true that a server always has records of cookie info? Also see https://security.stackexchange.com/questions/225673/is-session-cookie-based-authentication-stateful-or-stateless – Tim Feb 11 '20 at 03:18
  • @Tim I have added a new section at the end to answer your followup question more directly – Kind Contributor Feb 11 '20 at 03:53