Why can't most websites work without cookies? [closed]
Recently a person asked me why our website doesn't work without cookies. My explanation is that we need to save tokens and some references in cookies, so that later on we can use them to make requests, and there are limited options that we can use to save data in the browser. But he isn't satisfied with my answer, and I also think there are a few options by which we can make it work instead of using cookies/localStorage/sessionStorage.

My question is: why can't most websites work without cookies? Can we make the website work without any storage in the browser?

Conceited answered 2/12, 2016 at 11:53 Comment(0)

Using cookies allows your website to remember the user (e.g. last login, avoiding having to log in again) and offer corresponding benefits to them and you (e.g. tracking usage/interest, advertising). If you don't want these benefits then of course you can deliver a website which doesn't use cookies. If the website needs a login they will have to log in on every different page viewed.

Spool answered 2/12, 2016 at 11:55 Comment(6)
Think. How does your server know a request is from the user who authenticated a minute ago for a "session"? It is the cookie you sent the user's browser when he authenticated a minute ago, which is sent by the browser on the next request, which tells you that. No cookies = no session any more. I suppose you could hope that a request from a previously-authenticated IP address is the same user - but that will also authenticate every user behind the same NAT firewall. And these days 99.999% (guess!) of users are behind NAT firewalls. You can put user-specific info into URLs, like websites used to. - Spool
Thank you so much. I understand that the session also relies on cookies. But like you said, there are cookieless sessions which rely on the session id inserted in the URL, like you mentioned. Is it a bad implementation? Or is it for security reasons? - Conceited
If someone else can grab that URL and that is the only authentication then they can pretend to be the original user. Plus, cookies don't need the website to implement all that messy URL generation - they are simpler and more effective. Put it this way, cookies are used everywhere because they are an effective solution. - Spool
Thank you. I feel I'm a bit annoying haha. But I really want to understand it clearly. So if people copy over the cookie, wouldn't it be the same as copying over the URL? So the main reason that everyone uses cookies is because it's an effective solution? - Conceited
Nothing is perfect. Cookies are securely stored in your browser, and if the user doesn't erase them (which should effectively happen when they log out from your website: the session gets marked as closed so the cookie can't be used to validate a request as being part of an ongoing session) then yes, I can use my wife's PC and use her browser, which still has her Amazon cookie not logged out, and use her login. Cookies are transferred over SSL - you could argue so is a user-specific URL, but a user-specific URL could be used from anywhere; the cookie is only stored in the browser the user uses. - Spool
Cool. Thanks a lot. - Conceited
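The mechanism discussed in the answer and comments above, as an added example that is not part of the original thread: a server-side session keyed by a random id, delivered once as a cookie and once as a URL parameter, with logout closing the session on the server. The cookie name `sid`, the in-memory `SESSIONS` store, the function names and the `shop.example` URL are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, parse_qs

SESSIONS = {}  # session id -> user name (constructed in-memory store, not a real backend)

def login(user):
    """Create a session and return the Set-Cookie header value the server sends."""
    sid = secrets.token_urlsafe(32)        # unguessable identifier
    SESSIONS[sid] = user
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["httponly"] = True       # not readable from page scripts
    cookie["sid"]["secure"] = True         # only sent over HTTPS
    cookie["sid"]["samesite"] = "Lax"      # not attached to cross-site subrequests
    cookie["sid"]["path"] = "/"
    return cookie["sid"].OutputString()

def user_from_cookie(cookie_header):
    """Map the Cookie request header back to a user, or None if no live session."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get("sid")
    return SESSIONS.get(morsel.value) if morsel else None

def user_from_url(url):
    """Cookieless variant: the session id travels as a query parameter."""
    sid = parse_qs(urlsplit(url).query).get("sid", [None])[0]
    return SESSIONS.get(sid)

def logout(cookie_header):
    """Close the session server-side so a copied identifier stops validating."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if "sid" in jar:
        SESSIONS.pop(jar["sid"].value, None)

def demo():
    set_cookie = login("alice")                        # constructed user
    cookie_header = set_cookie.split(";", 1)[0]        # what the browser sends back
    sid = cookie_header.split("=", 1)[1]
    # Constructed link: the same id now sits in history, logs and anything pasted.
    shared_link = f"https://shop.example/cart?sid={sid}"
    before = (user_from_cookie(cookie_header), user_from_url(shared_link))
    logout(cookie_header)
    after = (user_from_cookie(cookie_header), user_from_url(shared_link))
    return set_cookie, before, after
```

Both transports authenticate whoever presents the id; the cookie attributes narrow where the id can travel, and only the server-side logout makes a copied id useless.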
