Score:1

Is there any difference between using a cookie and using a normal header in the case of HTTP communication?


I have a system consisting of custom software and an HTTP server. The software will send some requests with some headers and the HTTP server will send a response back.

Now I have some custom authentication-related headers that the server will send to the software; the software will keep those headers and send them back in each additional request to bypass the authentication process.

Based on my understanding, this should be done using cookies. However, in the custom software development, adding normal headers is easy while adding cookies is harder to implement, and using normal headers works functionally as well, based on testing.

What I want to know is, is there any security reason and/or other reasons that a cookie should be used instead of a normal HTTP custom header?

Cookies are also often set by sending a header from the server - in node for example: `res.setHeader('Set-Cookie', 'sessionCookie=value; HttpOnly');`
Score:2
Bob

That is more a software development question and likely to attract better answers on the StackOverflow, Software Engineering or possibly the security SE sites.

But the most simple answer is that a header is set by the client and generally static, like for example including a particular API token with every request.

Sessions and cookies get set by the server. The latter gives the server more control and arguably better security. The server can expire them while not invalidating the actual credentials with which you authenticate, making you re-authenticate (for example always after X hours or some idle time) or change their value to prevent session hijacking or replay attacks.

To add - cookies can also be encrypted by the server so that the client can't easily modify them!

A cookie will be sent in each request, while a header will not always be.
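
The server-side control described in the answer above (expiry after a fixed time or an idle period, and changing the token value), as an added example that is not part of the original thread; the cookie name `session`, the header name `x-session-token` and the timeout values are assumptions. The same server-side checks run whether the token arrives in a `Cookie` header or in a custom header.

```javascript
const crypto = require('crypto');

const ABSOLUTE_TTL_MS = 8 * 60 * 60 * 1000; // re-authenticate after 8 hours (constructed value)
const IDLE_TTL_MS = 15 * 60 * 1000;         // or after 15 idle minutes (constructed value)
const sessions = new Map();                 // token -> { user, createdAt, lastSeen }

// Called after a successful login: the server, not the client, picks the value.
function issueSession(user, now = Date.now()) {
  const token = crypto.randomBytes(32).toString('hex');
  sessions.set(token, { user, createdAt: now, lastSeen: now });
  return token;
}

// Accept the token from a Cookie header or from a custom header.
// "session" and "x-session-token" are hypothetical names for this example.
function extractToken(headers) {
  const match = /(?:^|;\s*)session=([0-9a-f]+)/.exec(headers.cookie || '');
  return match ? match[1] : headers['x-session-token'] || null;
}

// Returns the session record, or null when the client must authenticate again.
function validate(headers, now = Date.now()) {
  const token = extractToken(headers);
  const s = token ? sessions.get(token) : undefined;
  if (!s) return null;
  if (now - s.createdAt > ABSOLUTE_TTL_MS || now - s.lastSeen > IDLE_TTL_MS) {
    sessions.delete(token); // expired server-side; the login credentials stay valid
    return null;
  }
  s.lastSeen = now;
  return s;
}

// Swap the token value after a successful validate(); a captured copy of the
// old value stops working from this point on.
function rotate(oldToken, now = Date.now()) {
  const s = sessions.get(oldToken);
  if (!s) return null;
  sessions.delete(oldToken);
  const token = crypto.randomBytes(32).toString('hex');
  sessions.set(token, { ...s, lastSeen: now });
  return token;
}
```
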