HTTP is a stateless protocol

Where is state needed?
- shopping cart
- log-in
- preferences
- tracking

How to get state?
- IP address, browser version -> browser fingerprinting
- (Hidden) form fields - gone when closing browser
- URL parameters - ugly, visible
- (HTTP authentication, RFC 2617)
- (Macromedia Flash local stored object, obsolete)
- (ETag - normally used for cache control)
- HTML Web storage
-> Cookies

View Cookies and other storage: https://developer.mozilla.org/en/Tools/Storage_Inspector

Cookies
RFC 2965, HTTP State Management Mechanism
Information sent from a server to a browser, which the browser stores and sends back unchanged each time it accesses that server.
Cookies are set by the server (i.e. a CGI script) or by the client (via JavaScript) and communicated in HTTP request (Cookie: name=value) and response (Set-Cookie: name=value) headers.
Cookies can have attributes such as Expires, Domain, Secure, HttpOnly, etc.
permanent vs. session cookies
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
Python3 Cookie module: https://docs.python.org/3/library/http.cookies.html

Security mindset
- don't trust user input
- don't expect users will use stuff as intended
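Added example (not from the slides): the Python http.cookies module used the way the "security mindset" slide suggests. The shopping cart itself never travels in the cookie; the browser only gets an opaque session id with Secure and HttpOnly set, and the server looks the id up in its own store, so a tampered or forged Cookie header yields no state. The in-memory store and the function names are assumptions for the example.

```python
import secrets
from http.cookies import SimpleCookie
from typing import List, Optional, Tuple

# Constructed in-memory session store; a real server would use a database.
SESSIONS: dict = {}


def set_session_cookie(cart: List[str]) -> Tuple[str, str]:
    """Create a server-side session and return (session_id, Set-Cookie header value)."""
    sid = secrets.token_urlsafe(32)          # opaque, unguessable identifier
    SESSIONS[sid] = {"cart": list(cart)}     # the state itself stays on the server
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["httponly"] = True              # not readable from JavaScript
    c["sid"]["secure"] = True                # only sent over HTTPS
    c["sid"]["path"] = "/"
    c["sid"]["max-age"] = 3600               # lifetime -> permanent (1 h), not a session cookie;
                                             # "expires" would give an absolute date instead
    c["sid"]["samesite"] = "Lax"
    return sid, c["sid"].OutputString()


def cart_from_request(cookie_header: str) -> Optional[List[str]]:
    """Parse the browser's Cookie: header; trust only what the server store says about the id."""
    c = SimpleCookie()
    try:
        c.load(cookie_header)                # defensive: the header is untrusted client input
    except Exception:
        return None
    if "sid" not in c:
        return None
    session = SESSIONS.get(c["sid"].value)   # unknown or forged id -> no session at all
    return None if session is None else session["cart"]


if __name__ == "__main__":
    sid, header = set_session_cookie(["book"])
    print("Set-Cookie:", header)
    print(cart_from_request("sid=" + sid))                  # ['book']
    print(cart_from_request("sid=forged; cart=free_stuff"))  # None: client-supplied state ignored
```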