Session management
Web vulnerability XSS session management
I. Overview
- Why do you need session management?
HTTP is stateless, a request ends, and the connection is disconnected; when the
server receives the request again, it cannot identify which user is connected this time; in
order to identify the user who is visiting, a way to record the user is needed. - The way of session management①.session
; ②cookie; ③token
Two, session management method
- Authentication process
①The server session is the object that the server will create when the user accesses the application for the first time;
②The server assigns a unique session ID to each session;
③After the server creates the session, it will return the session ID through the cookie The browser of the user;
④When the user sends a request to the server for the second time, the session ID will be sent back to the server through the cookie;
⑤When the user requests again, the server can find the session information corresponding to the user according to the session ID . - Problem
①This method will store the session information in the web server. When the user has a large number of limits at the same time, the session information will take up more memory;
②When the application is deployed in a cluster, it will encounter multiple web servers. How to do session sharing. When multiple applications want to share sessions, they will also encounter cross-domain problems. - Experimental code logic
Three, cookie management method
- The basic
cookie is set by the http server; the
cookie information is stored in the browser - The difference between cookie and session (share a detailed link: link )
①Different access methods; ②Different privacy policies; ③Different cross-domain support; ④Different server pressures; ⑤Different supported browsers; ⑥Validity of saving different.
The biggest difference is that cookies store data on the client side, while sessions store data on the server side. - The authentication process
①The user initiates a login request, and the server sends identity information such as the user password;
②The server verifies whether the user meets the login conditions. If it is satisfied, it creates a login credential based on the user information;
③The server digitally signs the created login credential, and then encrypts it with a symmetric encryption algorithm;
④Writes the signed and encrypted string into the cookie, the name of the cookie Must be fixed;
⑤The user initiates subsequent requests after logging in, and the server section obtains the corresponding cookie value according to the cookie name of the saved login credentials. - Problem
①The server is stateless;
②Cookies are limited by storage size, so there is no way to store too much data ; ③Each
time a cookie is transmitted, the number of requests increases, which affects access performance;
④There is also a cross-domain problem (different domain names cannot read each other Fetch cookie)
Four, token management method
The process and implementation are basically the same as cookie-based;
cookie-based is written into the ticket in the cookie. This scenario is called token; the
token must be actively brought with the token in the form of URL parameters or http headen in the request.