Session vs Cookie and their relationship in web applications!

When you work on web application projects or in internet environments, whether as a Frontend, Backend or DevOps engineer, you need to understand Session and Cookie:

To apply them for storing local data on the Frontend side in browsers and know their limitations, to GET / SET their values on the server side before sending to the client, and to control them in DevOps tasks when configuring a Load Balancing system

To debug and fix issues, and to share the data stored in them between tabs of the same browser

To know, from a security perspective, how to prevent and guard against hacking


What is a Session?

A session is used to keep information on the server temporarily so that it can be used across the various pages of a website. It is also the total amount of time spent on an activity: the user session begins when the user logs in to a specific network application and ends when the user logs out of the application or shuts down the machine.

Session values are far more secure since they are stored in binary or encrypted form and can only be decoded on the server. When the user shuts down the machine or logs out of the application, the session values are deleted automatically; to keep them permanently, we must save the values in a database.


What is a Cookie?

A cookie is a small text file that is saved on the user's computer; the maximum size of a cookie is 4KB. It is also known as an HTTP cookie, a web cookie or an internet cookie. When a user first visits a website, the site sends data to the user's computer in the form of a cookie.

The information stored in cookies is not safe since it is kept on the client side in a text format that anybody can read. We can enable or disable cookies based on our needs.

A cookie is "Host Only" by default, so it can be accessed within the same domain. What about different domains, or sharing a cookie with other domains? The answer is the "domain match" attribute: when creating a cookie, you add an attribute named "domain", and the domain set in this attribute is granted access.

e.g. you are running a website on the domain "learn-cookie.com" and want the domain "learn-session.com" to be able to access the cookie named "check-auth"; do the following:

Set-Cookie: check-auth=<value>; domain=learn-session.com

Or, to allow all sub-domains of "learn-cookie.com" to access the same cookie, just add a dot "." before the domain name:

Set-Cookie: check-auth=<value>; domain=.learn-cookie.com
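To make the domain rules concrete, here is an added example (not code from the original post) of how a browser applies the Domain attribute under RFC 6265: matching is on whole labels, a leading dot is ignored, and a responding host may only set a cookie for itself or a parent domain. The host names, cookie names and values are constructed for illustration.

```javascript
// Added example, not from the original post: how a browser scopes cookies by
// the Domain attribute, following RFC 6265 (sections 5.1.3 and 5.3).
// Host names and cookie values here are constructed for illustration.

// Parse one Set-Cookie header line into { name, value, <attributes...> }.
// Attribute names are lower-cased; valueless attributes (HttpOnly) become true.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim() };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Canonicalize a Domain attribute: lower-case and drop a leading dot.
// RFC 6265 ignores the leading dot, so "domain=.learn-cookie.com" and
// "domain=learn-cookie.com" scope the cookie the same way (sub-domains included).
function canonicalizeDomain(domain) {
  const d = String(domain).trim().toLowerCase();
  return d.startsWith('.') ? d.slice(1) : d;
}

// RFC 6265 section 5.1.3 "domain-match": the host equals the domain,
// or ends with "." + domain. Substring look-alikes do not match.
function domainMatches(host, cookieDomain) {
  const h = String(host).trim().toLowerCase();
  const d = canonicalizeDomain(cookieDomain);
  return h === d || h.endsWith('.' + d);
}

// Simulate a browser receiving a Set-Cookie header from `responseHost`.
// Per RFC 6265 section 5.3 step 6 the cookie is rejected when the responding
// host does not domain-match the Domain attribute: a site can scope a cookie
// to itself or a parent domain, never to an unrelated one.
// Returns the stored cookie record, or null when the browser drops it.
function storeCookie(jar, responseHost, header) {
  const c = parseSetCookie(header);
  if (c.domain !== undefined) {
    if (!domainMatches(responseHost, c.domain)) return null;
    c.domain = canonicalizeDomain(c.domain);
    c.hostOnly = false;
  } else {
    c.domain = String(responseHost).trim().toLowerCase(); // host-only cookie
    c.hostOnly = true;
  }
  jar.push(c);
  return c;
}

// Which cookies in the jar are attached to a request to `host`:
// host-only cookies need an exact host match, domain cookies use domain-match.
function cookiesForRequest(jar, host) {
  const h = String(host).trim().toLowerCase();
  return jar.filter((c) => (c.hostOnly ? c.domain === h : domainMatches(h, c.domain)));
}
```

Under these rules a Set-Cookie sent by learn-cookie.com with domain=learn-session.com is dropped by the browser; for learn-session.com to hold that cookie, learn-session.com has to set it in its own response. domain=learn-cookie.com, with or without the leading dot, is accepted and covers every sub-domain, while a look-alike host such as notlearn-cookie.com never matches.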


Difference Between Session and Cookies



[Comparison table: Difference Between Session and Cookies (image not captured in this version)]



Their connection?

  • We have talked a lot about Session and Cookie, so how are they related? When a cookie is created and used in the browser (or client) within a session, it not only stores the working session of the active tabs or browser but also relates to the connection to the server.
  • Have you wondered how the server knows which user (client) is connected to it? Or, in a Load Balancing system, where a single server receives all requests and then forwards them to a node, the problem called "Session Stickiness" is very common: what is it and how is it fixed?
  • I'm sure that many documents do not mention this, but the relationship between Client, Server, Cookie and Session is very important. On the first connection the server creates a new session (by default saved in the /tmp folder on a Unix or Linux OS) and sends an "ID" or "SESSION_ID" to the client, which saves it in a cookie. The next time the client calls the server it attaches the cookie containing the session ID, and the server relies on this to know or verify the client; this matters a great deal in the Load Balancing model. The session on the server is created only once, when the connection succeeds, and is kept until the connection ends, at which point the server takes care of deleting it.
  • Understanding this explains the "Session Stickiness" problem and how to fix it. When you connect to the server for the first time, the Load Balancer (LB) forwards you to NODE 1, where a new session and response headers are created. From the second request onwards the LB may forward the request to NODE N, which has no record of the cookie in the header, so the request is treated as a first connection and a new session and response headers are created again.
  • A typical example for easy visualization: you have successfully logged into the system, but after clicking back and forth for a while it suddenly reports that you are not logged in or need to log in to continue, even though your login session is 8 hours or longer. The reason is that when you logged in you were at NODE A, but a moment later you were sent to NODE B, which has no header information for you, so you are considered to be connecting for the first time. How to fix and apply this I will not cover much here, because it is a long topic about servers and depends on each application.


John Nguyen

Software Engineer at FTS

4 months

Useful tips
