Converting one value to another value by applying an arbitrary operation.
It should not take long to calculate the hash value.
Every value must have a unique hash value.
Even a very small change should have a different hash value.
When a client requests information from the server, Random password is set and requested.
Server receives information from the client and DB, compares the requested data and the randomly set password to see if they are the same, and if password match, the server responds with the information received from the DB to the client.
Encryption is the process of managing information using an algorithm by transforming. Set of information into another form using a random method so that it cannot be understood except by the person who owns the information.
Adding some extra value to what needs to be encrypted.
In case of encryption only, the hashed result is always the same.
In case of using the Salt algorithm, stronger protection can be achieved by adding an extra value to the existing hash value.
One of the ways the Server stores data on the Client.
(If the server wants, the server can use cookies to get data from the client.)
So, cookies don't just mean sending data from server to client, it also includes sending cookies from client to server.
The Server passes the Set-Cookie value to the client, and the client uses the cookie when sending a request to the server based on the received cookie.
Domain: Defines the host to which the cookie will be sent. If omitted, this attribute defaults to the host of the current document URL, not including subdomains.
Path: Indicates the path that must exist in the requested URL for the browser to send the Cookie header. The forward slash (/) character is interpreted as a directory separator, and subdirectories are matched as well.
ex) Path=/docs
/docs
/docs/Web/
/docs/Web/HTTP
will all match.
If you do not log out in a public place, there is a possibility that someone may steal cookies, so Server can specify automatic destruction after a certain period of time.
HttpOnly: Determining whether a script can access cookies
Secure: Indicates that the cookie is sent to the server only when a request is made with the https: scheme (except on localhost), and therefore, is more resistant to man-in-the-middle attacks.
SameSite: Controls whether or not a cookie is sent with cross-origin requests.
ex) The possible attribute values are:
SameSite: Strict (Cookies cannot be sent)
SameSite: Lax (Only GET method requests can send cookies)
SameSite: None (Cookies can be sent for all method requests, but the Secure option is absolutely necessary for safety.)
SameSite allows you to defend against CSRF attacks.
CSRF?
Cross Site Request Forgery - Manipulating requests from specific addresses on other sites
ex) Money is deducted from my account when I click a link in spam
Login using by cookies
Predictable request path
Use CSRF tokens.
Using SameSite Options
The Server sends a cookie containing authentication information to the Client, and the Client received cookie along with the request to keep a stateless Internet connection stateful.
Cookies can sustained for a long time, but store sensitive information is risky because cookies can be possibility of lose.