Day 27: Cookies & Sessions
🍪 Cookies & Sessions – Complete Beginner Guide
In today's session we will understand what Cookies and Sessions are, how they work, and what role they play in Bug Hunting.

When you log in to a website (such as Facebook, Gmail, or Amazon), how does the website remember that you are logged in?

👉 Cookies and Sessions do this job.
🍪 1. What Are Cookies?

A cookie is a small piece of data that the browser stores.

Examples:

- Login information
- User preferences (dark mode, language)
- Tracking data

When you visit a website, the server sends a cookie to the browser.
The browser saves that cookie and sends it back to the server with every request.
🔹 Cookie Types

- Session Cookies – deleted as soon as the browser is closed
- Persistent Cookies – stored until their expiry date
- Secure Cookies – sent only over HTTPS
- HttpOnly Cookies – cannot be accessed by JavaScript

🖼 Example: Cookie Flow Diagram

User logs in → Server generates cookie → Browser saves cookie →
Browser sends the cookie with every request → Server identifies the user
🔐 2. What Are Sessions?

A session is stored on the server side.

When a user logs in:

- The server generates a Session ID
- The Session ID is sent to the browser through a cookie
- The server stores the user's data against that session in its database

👉 The browser only holds the Session ID; the actual data lives on the server.
🔄 Cookies vs Sessions (Comparison Table)

| Feature | Cookies | Sessions |
|---|---|---|
| Storage | Browser | Server |
| Security | Less secure | More secure |
| Size Limit | approx. 4 KB | No strict limit |
| Expiry | Set manually | When the session ends |
🐞 Importance in Bug Hunting

Cookies and sessions are very important for bug hunters.

🔴 1. Session Hijacking

If an attacker steals someone's session ID, they can log in to the victim's account.

🔴 2. Cookie Manipulation

Sometimes developers store sensitive data in a cookie (for example role=admin).
If an attacker can edit the cookie → privilege escalation is possible.

🔴 3. Missing Security Flags

Check:

- Is the Secure flag set?
- Is HttpOnly enabled?
- Is the SameSite attribute present?
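To make the three checks above concrete, here is an added Python example (not from the original guide) that audits `Set-Cookie` header values for the missing flags and shows how a server should issue a session-ID cookie with all three attributes set. The sample headers are constructed for illustration.

```python
import secrets

# Attributes every session cookie should carry (names are case-insensitive per RFC 6265)
REQUIRED_FLAGS = ("secure", "httponly", "samesite")


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header_value):
    """Return a list of findings for one Set-Cookie header; an empty list means all checks pass."""
    _, _, attrs = parse_set_cookie(header_value)
    findings = [f"missing {flag}" for flag in REQUIRED_FLAGS if flag not in attrs]
    # Browsers reject SameSite=None unless Secure is also present
    if attrs.get("samesite", "").lower() == "none" and "secure" not in attrs:
        findings.append("samesite=none requires secure")
    return findings


def session_cookie_header(name="sessionid", max_age=3600):
    """Build the Set-Cookie header a server should send after login.

    The value is an opaque random token; the user's data stays server side,
    so there is nothing in the cookie for a client to tamper with.
    """
    token = secrets.token_urlsafe(32)
    return f"{name}={token}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


# Constructed sample headers, as they might appear in DevTools or a proxy response
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/",                            # no flags at all
    "role=admin; Path=/; Secure",                          # authorization data kept client side
    "sid=xyz; Path=/; Secure; HttpOnly; SameSite=Strict",  # passes every check
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS + [session_cookie_header()]:
        name = parse_set_cookie(header)[0]
        print(f"{name}: {audit_set_cookie(header) or 'OK'}")
```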
🛠 Tools to Check Cookies

- Browser DevTools (Application tab)
- Burp Suite
- OWASP ZAP

📌 Practical Task

1. Log in to a website
2. Open DevTools in the browser
3. Go to the Application → Cookies section
4. Observe:
   - The name of the session ID cookie
   - Its expiry
   - Its Secure / HttpOnly flags
🎯 Summary

✔ Cookies = client-side storage
✔ Sessions = server-side storage
✔ Session ID = the key to authentication
✔ In bug hunting, session hijacking and cookie tampering are common issues