
Do websites like Facebook store logged in users in cookies or sessions?

Do websites like Facebook store logged in users in cookies (client side) or sessions (server side)? My tests indicate that they do the first.

Generally, sensitive information like which user is currently logged in must be stored on server side - remember, cookies can be freely read and altered by the user.

What you are probably seeing is the session cookie that ties a specific client to a specific session on the server - that is so the server knows which session to use for you. In this case, the only thing the cookie contains is a long, random session ID - it's long and random so it can't be easily guessed by an attacker.

The act of stealing another user's session cookie is called session hijacking.

Additional info:

I think the idea behind $_sessions is that it's much faster and more efficient for the server to process its own information, rather than receive bulk information from the client.

Look at it this way:

You (the server) and a friend (the client) are gossiping about your other friend Cindy. Does your friend give you every detail of information about her (hair color, height, etc...)? No, that would be a waste of time. It's much faster for you to process the information you already know about Cindy (in the $_session file, server-side) and only receive unique information ($_cookies) from your friend (the client).

Efficient: "Hey, did you hear what Cindy did last night?"

NOT efficient: "Hey did you hear what Cindy with brown hair, blue eye, medium build, etc... did last night?"

Obviously, this doesn't fully summarize $_sessions and $_cookies, but maybe it will help someone understand efficient short-term data management.

They use server-side sessions in conjunction with a cookie.

The cookie holds an ID; this ID is sent to FaceBook and the server checks the details for the session with that ID.
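As an added example (not code from the question or any of the answers), here is the pattern the answers above describe, written in Python: the cookie carries only an opaque random ID, the user's identity lives in a server-side store, and a forged or logged-out ID resolves to no user. The in-memory store, the cookie name `sid`, the TTL and the function names are assumptions made for this illustration.

```python
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed in-memory store: all per-user state lives here on the server,
# keyed by an opaque random ID. Only that ID ever travels in the cookie.
SESSION_TTL = 3600  # seconds; assumed value for the example
_sessions: Dict[str, dict] = {}

def create_session(user_id: int) -> str:
    """Log a user in: mint an unguessable ID and keep the identity server-side."""
    session_id = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe
    _sessions[session_id] = {"user_id": user_id, "expires": time.time() + SESSION_TTL}
    return session_id

def build_set_cookie_header(session_id: str) -> str:
    """Set-Cookie value: the ID plus attributes that limit theft and leakage."""
    return f"sid={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"

def parse_cookie_header(cookie_header: str) -> Dict[str, str]:
    """Parse a 'Cookie: a=b; c=d' header value into a dict (minimal parser)."""
    pairs = (p.strip().split("=", 1) for p in cookie_header.split(";") if "=" in p)
    return {k: v for k, v in pairs}

def current_user(cookie_header: str) -> Optional[int]:
    """Resolve the request's user from its cookie, or None if not logged in."""
    session_id = parse_cookie_header(cookie_header).get("sid")
    session = _sessions.get(session_id) if session_id else None
    if session is None:
        return None  # unknown or tampered ID: nothing the client wrote is trusted
    if session["expires"] < time.time():
        _sessions.pop(session_id, None)  # expired: drop it server-side
        return None
    return session["user_id"]

def logout(cookie_header: str) -> None:
    """Invalidate server-side, so a copied cookie value becomes useless."""
    _sessions.pop(parse_cookie_header(cookie_header).get("sid"), None)

def demo() -> Tuple[Optional[int], Optional[int], Optional[int]]:
    """Constructed walkthrough: valid ID, forged ID, and ID after logout."""
    cookie = f"sid={create_session(42)}"
    ok = current_user(cookie)                                   # 42
    forged = current_user("sid=" + secrets.token_urlsafe(32))   # None
    logout(cookie)
    return ok, forged, current_user(cookie)                     # (42, None, None)
```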

They probably use sessions and then store some information into cookies, like, user_id is logged in with session_id = .../ then check in session for that session_id to see if the user is still logged in. I think it is a waste of resources. In my opinion I store critical info into sessions and big info into cookies.

I think Server-Side session data stores. If you want to store user data persistently, you'll need to write it into a server-side data store (eg, a relational database, a NoSQL key-value store, etc.). The lookup key will typically be either a cookie ID or a login ID. To speed up lookups, you can put a caching layer in front of it (eg, Memcache, Redis). The advantage is that you can store an arbitrarily large / complex set of per-user data.
