HTTP Sessions
Some websites use sessions to remember their clients across multiple requests.
These sessions are essentially IDs with which the server identifies clients.
For example, PHP uses a cookie called PHPSESSID.
It contains a random large number.
Sessions are usually short-lived, which makes them ideal for storing temporary states between pages. Sessions also expire once the user closes his browser or after a predefined amount of time (for example, 30 minutes).
The basic workflow is:
1. The server starts a new session (sets a cookie via the HTTP Set-Cookie response header).
2. The server sets a new session variable (stored on the server-side).
3. When the client changes the page, it sends all the cookies in the request, including the session ID from step 1.
4. The server reads the session ID from the cookie.
5. The server matches the session ID with the entries of a local list (in-memory, text file etc.).
6. If the server finds a match, it reads the stored variables. For PHP, these variables will become available in the superglobal variable $_SESSION.
7. If the server doesn't find a match, it will create a new session and repeat steps 1-6.
Example of a session in PHP (running on the server):
<?php
session_start(); // Start the session
$_SESSION['username'] = "John Doe";
$_SESSION['is_admin'] = true;
echo "Hello " . $_SESSION['username'];
?>
Sessions in the CLI
Guess who's back? curl, of course.
We can save the cookies sent by a server in a cookie jar.
Remember this concept.
Python uses it too.
It's not too sophisticated, either.
A cookie jar is a file that contains cookies.
To save the cookies in a file, we use the -c <file name> option:
root@kali:~# curl -c cookies.txt $URL
[...]
root@kali:~# cat cookies.txt
# Netscape HTTP Cookie File
# https://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.
sample.domain.com FALSE / FALSE 1656864260 something nothing
Each entry in a cookies file represents a cookie. Its layout is:
<domain> <include subdomains> <path> <HTTPS only> <expires at> <cookie name> <cookie value>
We are free to modify this cookies file however we want.
As you can see, this file has a very specific format.
It's better to let curl generate it first to make sure it's correct and only then edit it ourselves.
Then, in order to use these cookies in a subsequent request, we use the -b parameter:
root@kali:~# curl -b cookies.txt $URL
Notice it's the same parameter we used to send cookies manually.
When the argument is a file, curl reads the cookies from the file.
Otherwise, it reads them from the argument itself as strings.
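As an added example (not part of the original page), the Python code below parses the cookie file layout described above and reports which cookies lack the HTTPS-only (Secure) and HttpOnly flags. It assumes the fields are tab-separated, as curl writes them, and that curl's #HttpOnly_ line prefix marks an HttpOnly cookie; the PHPSESSID entry and all function names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample jar: the first entry is the one shown above; the
# second is an invented PHP session cookie that curl marked HttpOnly.
SAMPLE_JAR = """\
# Netscape HTTP Cookie File
# https://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.
sample.domain.com\tFALSE\t/\tFALSE\t1656864260\tsomething\tnothing
#HttpOnly_sample.domain.com\tFALSE\t/\tTRUE\t0\tPHPSESSID\tconstructed-session-id
"""

@dataclass
class Cookie:
    domain: str
    include_subdomains: bool
    path: str
    https_only: bool     # the "HTTPS only" column, i.e. the Secure flag
    expires_at: int      # Unix time; 0 means a session cookie
    name: str
    value: str
    http_only: bool      # not a column: carried by the #HttpOnly_ prefix

def parse_cookie_jar(text):
    """Parse the text of a curl/Netscape cookie file into Cookie objects."""
    cookies = []
    for line in text.splitlines():
        # Lines with this prefix are cookie entries, not comments.
        http_only = line.startswith("#HttpOnly_")
        if http_only:
            line = line[len("#HttpOnly_"):]
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            raise ValueError(f"expected 7 tab-separated fields: {line!r}")
        domain, subdomains, path, https, expires, name, value = fields
        cookies.append(Cookie(domain, subdomains == "TRUE", path, https == "TRUE",
                              int(expires), name, value, http_only))
    return cookies

def missing_flags(cookie):
    """List the protective flags (Secure, HttpOnly) a cookie lacks."""
    return [flag for flag, is_set in (("Secure", cookie.https_only),
                                      ("HttpOnly", cookie.http_only)) if not is_set]

if __name__ == "__main__":
    for c in parse_cookie_jar(SAMPLE_JAR):
        print(c.name, "expires:", c.expires_at or "session", "missing:", missing_flags(c))
```

A session cookie that shows up with either flag missing can be read by page scripts or sent over plain HTTP, which is worth checking before relying on the jar's contents.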
Sessions in Python
In order to send HTTP requests in Python, we can import the requests module.
Then, we simply create a session object which we then use to send requests.
This object also maintains the session cookies.
They are accessible via session.cookies.
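import requests

# Placeholder target; replace it with the URL you are testing.
URL = "http://sample.domain.com/"
s = requests.Session()
# Set the value of the `something` cookie to `nothing`.
s.cookies.set('something', 'nothing')
# Send a `GET` request with the above cookie.
s.get(URL)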