If we delete the cookies of a site, we can still stay logged in without logging in again


Facebook is coded in PHP, and PHP was launched in 1994. PHP has a disadvantage: if we disable cookies (say, on Facebook), the Facebook server forgets the person who logged in previously and takes us to the page shown when the application was launched for the first time. In Java (JEE edition, launched in 1999) there is a technique called “URL Encoding” with which we can still stay logged in even after disabling cookies. We will demonstrate this with code.

There are two videos to describe it.

In the first video, we delete the cookies of Facebook and try to log in again. We are redirected to the page shown when the application was first launched and, as you can see in the video, the username and password fields are visible. Because we deleted the cookies, the server forgot who we are and redirected us to the page shown when the application was first launched.

Now we will show this using Java. Here is a simple hit-counter program, which we will use to relate to what is happening behind Facebook. We will also see a modification of this code.




<%@ page contentType="text/html" pageEncoding="UTF-8" %>
<!DOCTYPE html>
<head>
    <meta http-equiv="Content-Type"
          content="text/html; charset=UTF-8">
    <title>Session Counter</title>
</head>

<%
int count = 0;
// Fetch the session for this request; the container creates one if none matches.
HttpSession sess = request.getSession();
System.out.println("session object id is: " + sess.getId());
System.out.println("session object is new: " + sess.isNew());

// "btn" holds the value of whichever submit button was pressed.
String name = request.getParameter("btn");
if (name != null) {
    if (sess.getAttribute("countval") != null) {
        if (name.equals("Next")) {
            count = Integer.parseInt((String) sess.getAttribute("countval")) + 1;
        }
        else {
            count = Integer.parseInt((String) sess.getAttribute("countval")) - 1;
        }
    }
}

// Store the counter in the session so that the next request can read it.
sess.setAttribute("countval", String.valueOf(count));

// String url="hitcount.jsp;jsessionid=" + sess.getId();
%>
<h3> Count is : <%= count %></h3>

<%-- The name of the program is "hitcount" --%>
<form action="<%= "hitcount.jsp" %>">
    <input type="submit" value="Next" name="btn">
    <input type="submit" value="Previous" name="btn">
</form>


Note: As this is a servlet program, we need an application server to run it. Here we use “Apache Tomcat”, connected to NetBeans.

Count is: 0  // The output in the chrome browser.

// In apache tomcat log window.
session object id is: 68EE34B33FCE6ACB8C1183A2FA8CCBBF

session object is new: true

The output when we launched the application the first time.

Now suppose we increment or decrement the value of the counter. The session object id remains the same, but is this a new user? No, so “session object is new” gives false. Let’s see the output when incrementing the value of the counter.

Count is: 1

// Same alphanumeric string as above, because the
// server has identified me with the help of cookies
session object id is: 68EE34B33FCE6ACB8C1183A2FA8CCBBF  
                                                         
session object is new: false

Note: The same thing happens with Facebook. It checks whether you are a new user. If “session object is new” gives true, it redirects you to the login page. Otherwise, your Facebook page opens and you do not need to log in again.

Now, what if we delete the cookies of the hit counter (localhost is the name of my server)?

Note: The videos contain a step-by-step explanation of how to delete cookies.
When we delete the cookies of localhost and run the hit-counter program again, the server forgets who the user is and redirects to the page shown when the application was first launched.
Now see the output when we delete the cookies of localhost. After deleting the cookies, whichever button we press (i.e. increment or decrement), it takes us to “Count is: 0”, because that was the starting page when the application was first launched.

  
Count is: 0
 
session object id is: 7552ECB909E08330A345AF18915EE743

// Since we have deleted the cookies, the server forgets
// the previous user and treats this as a new user.
// Therefore the session object id is different from above
// and "session object is new" gives true.
session object is new: true 

Note: When we delete the cookies of Facebook, we are redirected to the page shown when it was launched for the first time, and we can see the username and password fields.

In the second video, we modify the code according to our actual aim: even if we delete the cookies, we can still stay logged in without logging in again.




<%@ page contentType="text/html" pageEncoding="UTF-8" %>
<!DOCTYPE html>
<head>
    <meta http-equiv="Content-Type"
          content="text/html; charset=UTF-8">
    <title>Session Counter</title>
</head>

<%
int count = 0;
// Fetch the session for this request; the container creates one if none matches.
HttpSession sess = request.getSession();
System.out.println("session object id is: " + sess.getId());
System.out.println("session object is new: " + sess.isNew());

// "btn" holds the value of whichever submit button was pressed.
String name = request.getParameter("btn");

if (name != null) {
    if (sess.getAttribute("countval") != null) {
        if (name.equals("Next")) {
            count = Integer.parseInt((String) sess.getAttribute("countval")) + 1;
        }
        else {
            count = Integer.parseInt((String) sess.getAttribute("countval")) - 1;
        }
    }
}

// Store the counter in the session so that the next request can read it.
sess.setAttribute("countval", String.valueOf(count));

// By using the "URL Encoding" method: the session id travels in the
// form's action URL, so the server can find the session without a cookie.
String url = "hitcount.jsp;jsessionid=" + sess.getId();
%>
<h3> Count is : <%= count %></h3>

<form action="<%= url %>">
    <input type="submit" value="Next" name="btn">
    <input type="submit" value="Previous" name="btn">
</form>


Output:

Count is: 0

session object id is: 74E551B3F2E36B74C09885DE6F2EFC67
session object is new: true

Again, if we increment the value, see the output:

Count is: 1

session object id is: 74E551B3F2E36B74C09885DE6F2EFC67
session object is new: false

The real magic comes now. We will delete the cookies of localhost and increment the value of count. See the output:

Count is: 2

session object id is: 74E551B3F2E36B74C09885DE6F2EFC67
session object is new: false

Now, even if we delete the cookie, the server still identifies me: “session object is new” gives false. This is because the session id is now passed through the URL, which is why the technique is named “URL Encoding”. Now just relate it to Facebook: even if you delete the cookies, you will not need to log in again and your Facebook page will open.
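
The runs above can be reproduced without an application server. The following is an added sketch, not code from this article or from Tomcat: a toy model of how a server picks the session for a request from either the JSESSIONID cookie or the `;jsessionid=` part of the URL. The class name, the method names, the sequential session ids and the cookie-first lookup order are assumptions made for the illustration.

```java
import java.util.*;
import java.util.regex.*;

// Toy model (hypothetical names, not Tomcat's code) of session lookup.
public class SessionLookupDemo {
    private static final Pattern COOKIE_ID =
            Pattern.compile("(?:^|;\\s*)JSESSIONID=([0-9A-Fa-f]+)");
    private static final Pattern URL_ID =
            Pattern.compile(";jsessionid=([0-9A-Fa-f]+)");
    private final Map<String, Integer> sessions = new HashMap<>(); // id -> countval
    private int nextId = 1;

    // The id a request presents: the cookie if there is one, else the URL.
    // (Checking the cookie first is an assumption of this sketch.)
    static String requestedId(String uri, String cookieHeader) {
        if (cookieHeader != null) {
            Matcher c = COOKIE_ID.matcher(cookieHeader);
            if (c.find()) return c.group(1);
        }
        Matcher u = URL_ID.matcher(uri);
        return u.find() ? u.group(1) : null;
    }

    // Mirrors hitcount.jsp: find or create the session, then apply the button.
    String handle(String uri, String cookieHeader, String btn) {
        String id = requestedId(uri, cookieHeader);
        boolean isNew = id == null || !sessions.containsKey(id);
        if (isNew) {
            // Constructed sequential id for readable output; real ids are random.
            id = String.format("%032X", nextId++);
        }
        int count = 0;
        if (btn != null && !isNew) {
            count = sessions.get(id) + (btn.equals("Next") ? 1 : -1);
        }
        sessions.put(id, count);
        return "Count is: " + count + " | id=" + id + " | new=" + isNew;
    }

    public static void main(String[] args) {
        SessionLookupDemo server = new SessionLookupDemo();
        String id = String.format("%032X", 1); // the id the first call will issue
        // Constructed requests: first visit, cookie sent, cookie deleted with a
        // rewritten URL, cookie deleted with a plain URL.
        System.out.println(server.handle("/hitcount.jsp", null, null));
        System.out.println(server.handle("/hitcount.jsp?btn=Next", "JSESSIONID=" + id, "Next"));
        System.out.println(server.handle("/hitcount.jsp;jsessionid=" + id + "?btn=Next", null, "Next"));
        System.out.println(server.handle("/hitcount.jsp?btn=Next", null, "Next"));
    }
}
```

The third request is found with no Cookie header at all: the id in the URL is the only credential, so the same link opens the same session for anyone who obtains it from browser history, logs or a Referer header. The servlet API's `response.encodeURL()` adds the id to a URL only when the client has not returned the session cookie.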



Last Updated : 18 Apr, 2023