Many Pies

Many Pies

Friday, February 22, 2013

What does it mean to be logged in?

The last time I got fed up of my lack of knowledge on something I drew a poster about public key encryption. This time it's about what being logged in means. What is prompting this is the fact that more recent updates to Chrome have seemed to make it so that in some cases when Chrome restarts you remain logged in to a website where I'm sure you weren't before. So I'm finding out the different ways that websites keep you logged in. I usually write a complete blog post before I publish it, but this is going to be a public work in progress.

HTTP is stateless. What about headers?
What different technologies keep the fact that you're logged in?
  • cookies - session, time-limited
  • technologies - PHP, ASP, others
  • ASP session state
  • anything else?
When you tick "remember me" what's going on? Is it clear whether it's remembering username and password?
How does the browser remember passwords? Is it secure?
What's going on with Single Sign On? (Ref this video:


If you know about this stuff, and I get something wrong, please tell me, so we can make the world a better place, or at least this blog post. Bear in mind though, that I am simplifying. So when, for example, I say as below "you get a web page back" the proper way of saying that probably is something like "you get an HTTP response" which is in all likelihood a web page, but may not be in every circumstance. However I'm not going to say that, because I'm simplifying.

HTTP is stateless

You ask for a web page, you get a web page. You ask for another, you get that. The server isn't required to keep track of the fact that you asked for one just now. There are ways to get round that, one of which is cookies. I'm logged into a local MediaWiki (the software that Wikipedia runs on) site. Here's the cookie that gets sent to my computer every page I request.

I've obscured some of the strings in case they are a security risk, you never know. So there you can see a couple of relevant variables. PHPSESSID is the PHP way of keeping track of sessions, and bsm_bsm_session (where bsm is the name of my mediawiki instance) is probably a mediawiki specific cookie. __utma and __utmc are Google Analytics tracking. I don't know why they are involved.

This is the site that I first noticed I stayed logged into every time Chrome started up. That cookie is a session cookie, which are supposed to be deleted by the browser every time you shut it down. Chrome chooses not to do this though, if you enable "continue where I left off" in settings. I do that so that my tabs from my previous session are open, and apparently session cookies aren't deleted too, which is a feature.


Which roughly means "how Windows servers do it" (ignoring older technologies). An authentication token is stored in a cookie or a page URL (source).
So what's in that cookie?
What determines whether a cookie or a URL is used?

No comments: