In my previous understanding, for a web site, only login user of a web site (no matter what login/authentication approach is used) could have cookie as persistent identifier, so that if the user close the browser, open browser again to go to the same web site, the web site could remember the user.
But I learned recently that it seems for non-login user, there could still be a cookie associated with the user (after the user close browser, and then open the browser again to go to the same web site, the web site could remember the user), and it is called browser cookie? Is that true?
If it is true, who is responsible to set the browser cookie? i.e. need some coding/config at web server side, client browser configuration (without coding from server side), or both? How could web server access such cookie? Appreciate if any code samples.
thanks in advance,
George
Whether you actually “log in” or not is irrelevant to what cookies are stored.
If the browser requests a page, and the server includes a Set-Cookie response header, then the browser will store the value of that cookie in a local cache and every time it requests a page from the same server, it sends the value of the cookie back as well (in the
Cookierequest header).It just so happens that when you “log in” to a website, the website will usually use the
Set-Cookieheader to tell the browser to store a value that indicates that you’re already logged in (and your user-id and some other security-related stuff). But there’s nothing stopping the web server from usingSet-Cookieat any other time.