Cookie and Session

HTTP stateless

To talk about this subject, we first have to know what it means that HTTP is a stateless protocol. Stateless means that when computers communicate with each other, they do not keep track of each other's state: every request is independent, and the results or records of earlier requests are not stored in the browser. So when you visit another website and then come back to the original one, you have to send the same information again, just like having to log in to your account again.

A cookie is a piece of information that the client receives from the server and stores in the browser. When you visit the same website again, the client does not need to send a request to get that info from the server. For example, a shop website can know what you put in your cart because that info was already stored in the cookie; it just takes it out and renders the page to show you. However, a cookie is a small text file saved on the user's computer, so it can easily be modified by third-party software.

To work with cookies, we can install cookie-parser first (if your project is built with Express):

npm i cookie-parser

then run code like the following:

const express = require('express')
const cookieParser = require('cookie-parser')

const app = express()

// The secret is used to sign cookies so that tampering can be detected
app.use(cookieParser('secret'))

// The cookie options are given when a cookie is set on a response
app.get('/', (req, res) => {
  res.cookie('name', 'value', {
    path: '/',        // only sent with requests under this path
    maxAge: 6000,     // lifetime in milliseconds (Express res.cookie)
    secure: true,     // only sent over HTTPS
    httpOnly: true,   // not readable by client-side JavaScript
    signed: true      // sign with the secret given to cookie-parser
  })
  res.send('cookie set')
})

app.listen(3000)

The secret lets cookie-parser sign the cookie so that tampering can be detected, and the options can be:

  1. path: the URL path the cookie applies to

  2. maxAge: how long the cookie lives before it is deleted (Express's res.cookie takes this value in milliseconds)

  3. secure: if true, the cookie is only sent over HTTPS.

  4. httpOnly: the browser does not allow client-side code (JavaScript) to read or modify the cookie

Session

A session saves this information on the server instead. The server produces a hashed value (the session ID) that stands for the info, the cookie receives it, and it is set in the browser. This is safer, because the private info is not stored on the client side and all operations happen on the server side: third-party software only gets the encrypted value, which can only pass by being compared on the server.

The Express framework provides middleware for handling sessions. express-session needs to be installed first:

npm i express-session

then you can run code like the following:

const express = require("express");
const session = require("express-session");

const app = express();

// session(options)
app.use(session({
  secret: 'This a secret test for Wen',
  resave: false,
  saveUninitialized: false,
  cookie: { maxAge: 60000, httpOnly: true }
}));

It has a lot of options to choose from. The important ones are as follows:

  1. name: the cookie name; the default is connect.sid, but we can customize it.

  2. genid: a function that is called to generate a new session ID.

  3. rolling: the default is false; when true, the cookie is set again on every request, so each request renews it.

  4. resave: when true, the session is saved back to the store even if it was not modified.

  5. saveUninitialized: forces a new (uninitialized) session to be saved to the store. The default is false.

  6. secret: a required option! It is used to sign the session ID cookie with a hash value (of course, you can also encrypt it yourself).

  7. cookie: lets you set the options of the session cookie.
