SYS.MEM.ALLOC
0x0000
NET.UPLINK
ESTABLISHING
SEC.PROTOCOL
AWAITING
DATA.STREAM
0.0.0.0
0%
INITIALIZING SYSTEM
[
]
Portfolio Learn Month 02 Networking Basics

🍪 Day 17: HTTP Cookies and Sessions

Networking Web Cookies

A cookie is just a storage box inside the browser. It's the "Identity Card" that proves who you are after you've already logged in. 🍪

📦 1. What is a Cookie?

A cookie is a storage mechanism inside the browser. When you login, the server gives you a Session ID which is stored in the browser's cookie storage.

Important Distinction: A cookie itself is just the bucket; the Session ID is the water inside.

While common usage often calls the whole thing a "cookie," the real authentication happens via the Session ID. Cookies can also store behaviors, preferences, and time zones.

Hacker Insight: Session Fixation
I used to wonder: "If the server gives the session ID after login, how can a hacker fixate it?"
The Answer: Most sites give you a "guest" session ID the moment you visit. If you login while using that ID, it binds to your account. This is the logic flaw hackers exploit!

🕒 2. Sessions

A Session is the server-side record of your visit. It links your Session ID to your specific data (username, last login, time zone, OS).

session_id        username        last_login              time_zone    OS
abc123xyz!@#45    usman           12-03-2026 (7:02 AM)    Karachi PK   Windows

🔍 3. Login Tracking

Login tracking is a security mechanism used to monitor unusual activity. It compares your current session data with previous logs to ensure your account hasn't been hijacked.

⚡ 4. Common Attacks

🕵️‍♂️ 1. Session Hijacking

The attacker steals your session_id (via XSS or network sniffing) to impersonate you.

⚓ 2. Session Fixation

The attacker "fixes" your session ID before you even login:

  1. Attacker gets a valid guest session ID.
  2. Attacker sends a link: http://site.com/login?SID=HACKER_KEY.
  3. Victim logs in using that link.
  4. The server binds the victim's account to the HACKER_KEY.
  5. Attacker refreshes their page and is now logged in as the victim.

🛡️ 5. Cookie Security (The Flags)

To keep hackers from stealing your "claim ticket," we use Flags. These are extra rules we give the browser:

Flag What it does Real-Life Example
HttpOnly Prevents JavaScript from reading the cookie. The ticket is kept in a locked glass box; you can show it, but nobody can touch it or copy it.
Secure Only sends the cookie over encrypted (HTTPS) connections. The ticket can only be shown if you are inside a private, secure room.
SameSite Controls if cookies are sent when clicking links from other websites. You can only use your coat-check ticket if you are physically standing in the correct theater.
← Day-16, HTTP Headers - Part2 Day-18, HTTP Authentication →