The difference between Cookie, Session and Token

One, Introduction

1. Cookie Mechanism

The cookie mechanism keeps state on the client. Cookies are sent to the server automatically by the browser in the background according to fixed rules: the browser checks all of its stored cookies, and if a cookie's declared scope is greater than or equal to the location of the resource being requested, the cookie is attached to the HTTP request header for that resource and sent to the server.

The content of a cookie mainly includes: name, value, expiration time, path and domain. The path and domain together define the scope of the cookie.

If no expiration time is set, the lifetime of the cookie is the browser session: when the browser window is closed, the cookie disappears. A cookie whose lifetime is the browser session is called a session cookie. Session cookies are generally stored in memory rather than on the hard disk.

If an expiration time is set, the browser saves the cookie on the hard disk; after the browser is closed and opened again, these cookies remain valid until the set expiration time has passed. Cookies stored on the hard disk can be shared between different browser processes, such as two IE windows. For cookies stored in memory, different browsers handle this differently.

2. Session Mechanism

The session mechanism is a server-side mechanism.

When the client sends a request to the server, the server checks whether the request contains a session identifier (called the session id).

– If not, the server generates a new session together with a random session id that identifies it, and returns the session id to the client.
– If so, the server looks up the corresponding session in its storage using the session id.

When the browser disables cookies, there are two ways to keep sending the session id to the server:

The first way: URL rewriting (commonly used), which appends the session id directly to the URL path.
The second way: hidden form fields, which write the sid into a hidden field of the form.

3. Token Mechanism

A token is a way of verifying the user. The simplest token is composed of: uid (the user's unique identity), time (the timestamp of the current time), and sign (the signature: the preceding fields of the token plus a salt are compressed by a hash algorithm into a fixed-length hexadecimal string, which prevents a malicious third party from forging a token by splicing fields together and sending it to the server).

With token-based authentication there is no need to store user login records on the server side. The approximate process is as follows:

1. The client uses the username and password to request login
2. The server receives the request and verifies the username and password
3. After verification succeeds, the server issues a Token and sends it to the client
4. After receiving the Token, the client can store it, for example in a Cookie or in Local Storage
5. The client must carry the Token issued by the server every time it requests a resource from the server
6. The server receives the request and verifies the Token it contains. If verification succeeds, it returns the requested data to the client
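The uid.time.sign token described above, as an added example in Python (not the post's own code): the uid and timestamp are signed with an HMAC keyed by a server-side secret, which plays the role of the salt, and verification checks both the signature and the age of the timestamp, because the signature alone does not stop a token captured in transit from being replayed while it is still valid. The secret key, the one-hour lifetime and the sample uid are constructed values for this example.

```python
import hashlib
import hmac
import time
from typing import Optional

# Server-side secret acting as the "salt" (constructed value for this example;
# a real deployment loads it from secure configuration, never from source code).
SECRET_KEY = b"example-secret-key-do-not-use-in-production"

# Tokens older than this are rejected, which bounds how long a captured token stays usable.
MAX_AGE_SECONDS = 3600


def _sign(uid: str, issued_at: int) -> str:
    """Hash the leading token fields together with the secret into a fixed-length hex string."""
    message = f"{uid}.{issued_at}".encode()
    return hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()


def issue_token(uid: str, now: Optional[int] = None) -> str:
    """Build a token of the form uid.time.sign for a user who has just logged in."""
    issued_at = int(time.time()) if now is None else now
    return f"{uid}.{issued_at}.{_sign(uid, issued_at)}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the uid if the token is authentic and still within its lifetime, otherwise None."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    uid, issued_at, sign = parts[0], int(parts[1]), parts[2]
    # Constant-time comparison so timing differences do not leak the expected signature.
    if not hmac.compare_digest(_sign(uid, issued_at), sign):
        return None
    # A valid signature proves the server issued this token, not that it is fresh:
    # the timestamp window is what limits replay of a captured token.
    if issued_at > now or now - issued_at > MAX_AGE_SECONDS:
        return None
    return uid


if __name__ == "__main__":
    token = issue_token("42", now=1700000000)
    print(token)
    print(verify_token(token, now=1700000010))                        # 42
    print(verify_token("43." + token.split(".", 1)[1], now=1700000010))  # None (uid tampered)
    print(verify_token(token, now=1700000000 + 7200))                 # None (expired)
```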

Two, the difference between cookie and session

  • 1. Cookie data is stored on the client, while session data is stored on the server.

  • 2. Cookies are not very secure: someone else can inspect the cookies stored locally and use them to spoof the user. For security, the session should be used.

  • 3. Sessions are kept on the server for a certain period of time, and as traffic increases they consume your server's resources. To reduce the load on the server, cookies should be used.

Three, the difference between session and token

As an identity authentication token, a token is more secure than a session, because each request carries a signature, which can defend against eavesdropping and replay attacks.

A session is a storage mechanism layered on HTTP whose purpose is to give the stateless HTTP protocol a way to persist state. Session authentication simply stores the user information in the session; because the SID is unpredictable, this is considered safe for the time being. It is a means of authentication, but whoever holds a user's SID effectively holds all of that user's rights, so the SID must not be shared with other websites or third parties.

A Token, if it refers to an OAuth Token or a similar mechanism, provides both authentication and authorization: authentication is for the user, and authorization is for the App. Its purpose is to grant a particular App the right to access a particular user's information. The Token here is unique: it cannot be transferred to another App, nor to another user.

Origin blog.csdn.net/Lin_Hv/article/details/106635125