Quiz
- What kind of information should we collect from a user in a cookie, or is it dependent on the web app we build?
It depends on the app. One app might have a "shopping cart," stored in a cookie, while for another app that wouldn't apply.
- Do we need to have login/logout to have sessions?
No, though that's probably the most intuitive example. Anything where there's continuity over a sequence of interactions counts. If I go to a class list application and say that I'm interested in my class list for fall 2024, it shows me CS 304 and CS 204, I look at CS 304, and then I don't have to tell it again that I'm interested in fall 2024, that would be nice.
And you could do that with a cookie.
- Do cookies always have to be stored to remember a user's login?
There are alternatives, such as URL rewriting, but cookies are the most common and convenient.
Fun trivia fact: in The Matrix, Neo had to accept a cookie from the Oracle before she would talk to him. Many people think this is a tech joke.
- Since cookies aren't secure, how do we handle if there's sensitive data?
Great question. There are several options:
- Keep the sensitive data on the server and never let it out of your control, e.g. passwords, SSNs, credit card numbers.
- If you have to send it somewhere, make sure it's encrypted.
- How does Flask make sure that session data is reliable if cookies are not secure?
It digitally signs (but doesn't encrypt) the session data, so if the user tampers with the data, that can be detected and the tainted cookie can be discarded.
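How signing without encryption lets the server catch a tampered session cookie, as an added example written in the style of Flask's session mechanism (it is not Flask's own code; the secret key and session contents are constructed for the illustration):

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for this example; a real app loads SECRET_KEY from config.
SECRET_KEY = b"example-secret-key-not-for-production"


def _b64(raw: bytes) -> str:
    # URL-safe base64 without padding, as Flask's session serializer does.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(data: dict) -> str:
    """Encode the session data and append an HMAC-SHA256 tag keyed on SECRET_KEY.
    The payload is only base64-encoded, not encrypted: whoever holds the cookie can read it."""
    payload = _b64(json.dumps(data, sort_keys=True).encode("utf-8"))
    tag = hmac.new(SECRET_KEY, payload.encode("ascii"), hashlib.sha256).digest()
    return f"{payload}.{_b64(tag)}"


def load_session(cookie: str):
    """Return the session dict if the tag verifies; otherwise None, meaning the
    server treats the cookie as tainted and discards it."""
    try:
        payload, tag_b64 = cookie.rsplit(".", 1)
        given = _unb64(tag_b64)
    except ValueError:  # malformed cookie (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SECRET_KEY, payload.encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so timing doesn't leak how much of the tag matched.
    if not hmac.compare_digest(expected, given):
        return None
    return json.loads(_unb64(payload))


def read_without_key(cookie: str) -> dict:
    """Decode the payload with no key at all: signing gives integrity, not secrecy."""
    return json.loads(_unb64(cookie.split(".", 1)[0]))


def modified_copy(cookie: str, data: dict) -> str:
    """Constructed tampering case: a new payload with the original tag left in place."""
    return f"{_b64(json.dumps(data, sort_keys=True).encode('utf-8'))}.{cookie.rsplit('.', 1)[1]}"
```

Because the payload is readable without the key, this is why the sensitive data discussed in the previous question stays on the server and only an identifier goes in the cookie.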
- Why do we delete cookies at the end of the session? I thought we usually saved them.
It depends on the cookie. If it's a cookie that says who is logged in, you would want to delete it or set it to the empty string to indicate that the person is no longer logged in.
But, yeah, other data could be kept.
- Can any data be stored in cookies?
Well, they are limited in size, so you're not going to store a profile picture in the cookie, even if you converted the picture to text, say by uuencoding or Base64 encoding.
But reasonable amounts of text (or anything that can be converted to text) could be stored.
- How does one determine how long the cookies stay until they expire? Particularly in cases where it might stay for years.
It depends on the application, but generally, application usage falls in one of two categories:
- Where they want continuity over a sequence of actions that then ends, say when the user logs out. Banking, email, etc. These usually expire in a few minutes. It seems like I have to log in to Wellesley's portal 4-5 times a day.
- Where they want to remember you essentially forever. Shopping, advertising, etc. These probably expire far in the future.
- How much data is being stored about a user if an application has been using a cookie for your data for years?
Cookies are limited in size. In many applications, such as Google Analytics, the cookie is just a unique identifier that is a key in some database. The database could store a lot of stuff.