Web Session Cookies

This cluster centers on debates about using cookies for web session management, including server-side vs. client-side sessions, security risks like XSS and session hijacking, and alternatives such as HTTP Auth or localStorage.

📉 Falling 0.4x Web Development
Comments: 3,573
Years Active: 20
Top Authors: 5
Topic ID: #4640

Activity Over Time

Year: Comments
2007: 21
2008: 53
2009: 80
2010: 152
2011: 140
2012: 265
2013: 322
2014: 159
2015: 165
2016: 172
2017: 158
2018: 186
2019: 185
2020: 243
2021: 291
2022: 290
2023: 280
2024: 200
2025: 205
2026: 6

Keywords

e.g c.htm DB HttpOnly BaseAuth ID HTTP OS4 rkeene.org zaiste.net session cookie cookies sessions token user client used use attacker xss

Sample Comments

dasil003 Jan 29, 2025

I think he's talking about a server-side session store (or perhaps an encrypted cookie payload)

jarin Mar 27, 2012

What's the difference between this and just storing a long session ID in cookies?

sebazzz Jul 24, 2018

That still keeps the session and login cookie vulnerable, right?

SoftTalker Jun 7, 2025

There are ways to maintain a session without a cookie, but a cookie is very convenient, so that is mostly what is used.

chaxor Mar 1, 2022

Use Session. It's just as easy, and more secure + decentralized. So it's better in just about every way.

aston Feb 7, 2008

Hint: many web stacks support server-side sessions. Via cookies.

joelthelion Mar 8, 2014

Wouldn't a secure cookie be enough for this?

takeda Sep 26, 2019

Session support is what cookies were supposed to solve, a proper support would make things simpler and not allow to abuse cookies for other things.

tptacek Oct 29, 2010

What's the browser app scenario in which having a session is a liability, but having a stored HTTP Auth credential isn't?

terabytest Oct 14, 2013

Is this valid even if you use session instead of cookie?