After signing in to my mail.com account, I was at a webpage that included the following long string of seemingly random characters:
(No, I didn’t reproduce it exactly, for fear that it would allow access beyond my password – the x, y, and z characters do not appear in the original.)
The variable ‘a’ seems to be a very long hexadecimal number.
My question is: why is such a huge number necessary? I have a (very) rudimentary grasp of cryptography, but this just seems like a bit much.
Most likely a session ID of some sort. Depending on the server side code, it could be anything from a completely random string, to a hash of your password or user ID, to transmissions from Pluto.
In any case, it’s used so the server can maintain its state between multiple requests from the same client (you.) Every time you make a request, that long string is sent in the URL, so the server can look up the appropriate Stuff in the database. When the page is returned to you, the server makes sure to stick the same session ID in all the links so it can look up the right data again upon your next request.
A bit more background regarding the question marks you find affixed to URLs. HTTP (the protocol used to send and receive web pages) has two common methods, GET and POST. GET is what you use for most of your daily surfing, to pull down text and images. POST is used when you submit a web form.
As friedo said, dynamic web sites (i.e. those that pull content from a database or text files and assemble it on the fly) often need to keep track of visitors somehow, so they know who you are and what information you want. Those little bits of information are called variables. However, variables on web sites are usually only valid on one page (this is an issue known to programmers as scope), so in order to keep the site from resetting itself every time you click a link, variables need to be passed from one page to the next.
Here’s where GET and POST come in. When you are navigating around a site, you normally use hyperlinks (the blue underlined dealies), and links use the GET method. In the GET method, any variables to be passed to the next page are appended to the end of the URL. This list of variables is known as the query string and usually looks something like this:
http://mysite.com**?var1=abc&var2=def**
The part in bold is the query string. It begins with a question mark and individual variables in the string are separated with an ampersand (&).
A programmer could make an entire site like this, with a set of variables being endlessly passed and caught from page to page, but don’t forget that developers (myself included) are a lazy lot. *Sessions * are a simple way to store the variables once and have continuous access to them throughout a site. Instead of reading the variables in from the query string and passing them back out, a temporary storage area is created on the server and the variables are stored in it. The huge string of numbers you see is called a session ID. It’s generated by random and is meant to be unique, so no two users have the same ID and nobody’s variables get crossed. This is especially important if something like your usernamd and password are stored in the session.