by smagin
476 days ago
> How does server know the cookie is valid if it doesn't store it

Depending on why you're asking the question,
* because it decrypts correctly
* because it contains some user identifier

People don't usually store sessions in cookies because cookies can't be very big, and sessions do become big. So what people do instead is they store cookies in databases, and put session identifiers into cookies.

CSRF token can be entirely separate from sessions.
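
The two approaches from the comment above, side by side, as an added example that is not code from the thread. It uses an HMAC signature where the comment speaks of decryption (the Python standard library has no authenticated cipher); the key, function names and payload fields are assumptions.

```python
import base64, hashlib, hmac, json, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # constructed key; known only to the server
SESSIONS = {}                         # server-side store, stands in for a database

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def issue_stateless_cookie(user_id: str, ttl: int = 3600, now=None) -> str:
    """Cookie carries the user identifier and expiry; the server stores nothing."""
    now = time.time() if now is None else now
    payload = json.dumps({"uid": user_id, "exp": int(now) + ttl}).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return b64(payload) + "." + b64(tag)

def verify_stateless_cookie(cookie: str, now=None):
    """Return the user id if the tag and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        p64, t64 = cookie.split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
    except ValueError:  # wrong shape or bad base64
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims["exp"] < now:
        return None
    return claims["uid"]

def issue_session_cookie(user_id: str) -> str:
    """Cookie is only an unguessable identifier; the data lives on the server."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"uid": user_id, "cart": []}  # can grow; the cookie stays small
    return sid

def lookup_session(sid: str):
    """Return the stored session, or None for an unknown identifier."""
    return SESSIONS.get(sid)
```

The stateless cookie cannot be revoked before its expiry without adding server-side state, while a stored session is ended by deleting its entry.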