16 Jan 2023
Cookies are saved when you recieve a “Set-Cookie” header from a web server. Every subsequent request to the server, the cookie gets sent along with. HTTP is stateless, so cookies can remind the server who you are, what personal settings for the website may be set, or whether you have visited the website before. Sample exchange:
GET / HTTP/1.1
Host: cookies.thm
User-Agent: xxxx
Client requests the webpage from cookies.thm.
HTTP/1.1 200 OK
Server: nginx/1.15.8
Date: Wed, 14 Apr 2021 09:08:19 GMT
Content-Type: text/html; charset=UTF-8
HTML DATA.....
Server responds with a simple webpage with a form asking for the user’s name.
POST / HTTP/1.1
Host: cookies.thm
User-Agent: xxxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 9
name=adam
Client sends back form with the name set to adam.
HTTP/1.1 200 OK
Server: nginx/1.15.8
Date: Wed, 14 Apr 2021 09:08:19 GMT
Set-Cookie: name=adam
Content-Type: text/html; charset-UTF-8
HTML DATA.....
Server responds with a Set-Cookie header telling the client to save the data name=adam.
GET / HTTP/1.1
Host: cookies.thm
User-Agent: xxxx
Cookie: name=adam
Every subsequent request to the server the client sends the cookie data back to the server.
HTTP/1.1 200 OK
Server: nginx/1.15.8
Date: Wed, 14 Apr 2021 09:08:19 GMT
Content-Type: test/html; charset=UTF-8
<html><body>Welcome back adam</body></html>
Server sees the cookie data and displays a welcome back message instead of the form again.
Cookies are most commonly used for website authentication, but can be used for many other purposes. Cookie value isn’t usually clear-text like example, but should be a uniqe token not easily human guessable.
Can view through Web Developer Tools (F12, Inspect Element, etc.) by looking under the network tab, then clicking on requests and looking for cookies in the details.