Also called CSRF / XSRF (Cross-Site Request Forgery).
A CSRF attack happens when a malicious site causes a visitor's browser to send a request to your server that changes state on the server (a transfer, a password change, a settings update).
Because the request arrives with the user's cookies, the server assumes the user meant to submit that form.
On every request to site A, the browser automatically attaches the cookies that site A previously set.
Those cookies carry the session ID.
Other sites cannot read a cookie's contents (the browser scopes cookies to the site that set them), but the attacker does not need to read it: the browser attaches the cookie to the forged request on its own.
So the next time you request any page on site A, your browser automatically sends your session ID along with it.
Cookies travel in HTTP headers: Set-Cookie from the server, Cookie from the browser.
Cookies are the transport medium for session IDs: the browser automatically sends every cookie associated with the website on each request.
Cookies come from the client and could have been modified, so the server cannot trust their contents unless it validates them.
In other words: because the cookie is client-supplied, only the session ID is stored in it and nothing else. Storing the session ID works because the server validates it on every request against its own copy (a table of session IDs in a database or cache), and any per-user data lives on the server side of that lookup.
Note the limit of that check: it proves the cookie belongs to a real session, not that the user intended the request. Stopping CSRF needs something the attacker's page cannot supply, such as a per-session anti-CSRF token in the form body or the SameSite cookie attribute.