HTTP is a stateless protocol: the server keeps no state between requests, and each request is handled independently. Cookies let the browser and the server store and exchange a small piece of state with every request, so that session-based HTTP/HTTPS communication can be established, which is both beneficial and convenient for the user experience.
Cookies can be temporary, valid only for a single browser session, or persistent, kept across sessions to allow a session-spanning experience. The difference is that persistent cookies carry an expiry (an Expires or Max-Age attribute) and are stored on disk, while temporary cookies are kept in memory and discarded when the browser session ends.
- Temporary and persistent cookies can be used, for example, to:
  - (persistent) store user preferences or the content of a shopping cart.
  - (persistent) restore user preferences and language settings.
  - (persistent) keep the login status of a user (see also IAM Remember-me functionality).
  - (temporary) hold the session identifier (session cookies).
The web applications and the gateway create dedicated cookies for various purposes:
- Web application cookies from a back-end:
  - Temporary cookies, e.g. session cookies.
  - Persistent cookies, e.g. cookies with user preferences, the content of a shopping cart, or the login status of a user (see also IAM Remember-me functionality).
- Gateway cookies:
  - Between client and gateway:
    - Gateway session cookies
    - Load balancing cookies
  - Between gateway and web application:
    - Control cookies, created by the web application
    - Environment cookies, created by the gateway
In the simplest configuration, without a gateway between the client's browser and the web application, cookies created by the web application are sent with every request between the browser and the web application. Because the browser attaches them automatically, an attacker can steal and misuse personal cookie information (for example, a cross-site scripting (XSS) flaw lets injected script read any cookie that lacks the HttpOnly flag, and a cookie without the Secure flag is also sent over plain HTTP), or abuse the automatic attachment in a cross-site request forgery (CSRF) attack against a cookie that is not restricted with SameSite.
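The following Python example ties together the session-versus-persistent distinction described above and the exposure of cookies that are sent with every request. It is an added illustration, not code from this documentation or from the gateway product: it parses Set-Cookie header values, classifies each cookie as a session or persistent cookie from the presence of Max-Age or Expires (RFC 6265 semantics), computes the remaining lifetime, and reports the missing HttpOnly, Secure and SameSite attributes that make a cookie stealable or usable for CSRF. The sample headers and the fixed reference time are constructed for the example.

```python
"""Classify Set-Cookie headers (session vs persistent) and audit their protective attributes.

Added example with constructed sample data; not part of the original page or product.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict[str, str] = field(default_factory=dict)  # attribute names are lower-cased

    @property
    def persistent(self) -> bool:
        # RFC 6265: a Max-Age or Expires attribute makes the cookie persistent (stored on
        # disk until that time); with neither it is a session cookie the browser keeps in
        # memory and discards when the session ends.
        return "max-age" in self.attrs or "expires" in self.attrs

    def lifetime_seconds(self, now: datetime) -> int | None:
        """Remaining lifetime in seconds, or None for a session cookie. Max-Age wins over Expires."""
        if "max-age" in self.attrs:
            return int(self.attrs["max-age"])
        if "expires" in self.attrs:
            expires = parsedate_to_datetime(self.attrs["expires"])  # aware datetime for "GMT"
            return int((expires - now).total_seconds())
        return None


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value: the cookie-pair followed by ';'-separated attributes."""
    pair, *attr_parts = (p.strip() for p in header.split(";"))
    name, _, value = pair.partition("=")
    attrs: dict[str, str] = {}
    for part in attr_parts:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flag attributes (Secure, HttpOnly) get ""
    return Cookie(name.strip(), value.strip(), attrs)


def audit(cookie: Cookie) -> list[str]:
    """Return the attribute gaps that expose the cookie to theft or to CSRF misuse."""
    findings = []
    if "httponly" not in cookie.attrs:
        findings.append("missing HttpOnly: script can read it, so an XSS flaw can exfiltrate it")
    if "secure" not in cookie.attrs:
        findings.append("missing Secure: the browser also sends it over plain HTTP")
    if cookie.attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: attached to cross-site requests (CSRF)")
    return findings


# Constructed sample Set-Cookie headers; not captured from any real gateway or application.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "cart=item42,item7; Path=/; Max-Age=2592000; Secure; SameSite=Lax",
    "remember_me=tok-xyz; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
    "lang=de; Path=/",
]
# Fixed reference time so that the Expires-based lifetime is reproducible (constructed).
SAMPLE_NOW = datetime(2026, 10, 20, 7, 28, 0, tzinfo=timezone.utc)


def audit_headers(headers: list[str], now: datetime) -> dict[str, dict]:
    """Map cookie name -> kind, remaining lifetime and list of findings."""
    report = {}
    for header in headers:
        c = parse_set_cookie(header)
        report[c.name] = {
            "kind": "persistent" if c.persistent else "session",
            "lifetime": c.lifetime_seconds(now),
            "findings": audit(c),
        }
    return report


if __name__ == "__main__":
    for name, info in audit_headers(SAMPLE_HEADERS, SAMPLE_NOW).items():
        print(f"{name}: {info['kind']} cookie, lifetime={info['lifetime']}")
        for finding in info["findings"]:
            print(f"  - {finding}")
```

Run against the samples, only the session cookie JSESSIONID passes cleanly; the persistent remember-me cookie and the session-scoped language cookie both lack all three protections, which is exactly the situation in which a cookie sent with every request can be read by injected script, sniffed on plain HTTP, or ridden along on a forged cross-site request.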