A simple and quick understanding of cookies and sessions

This article aims at a quick understanding of the concepts of cookie and session, not at digging into the technical details, and it is not a pile of code examples either.
Many of the technical points involved are treated as a black box: know how to use them and know their basic principles, without digging into the implementation details.

Conversation

A session is the process of an end user communicating with an interactive system. For example, everything from entering an account and password, to working in the operating system, to logging out of the operating system is one session.

Put simply, when we open a CSDN web page, a session with the CSDN server is opened.
While we browse CSDN's pages, the session is in progress.
When we close the CSDN page but leave the browser open, the session is still not over.
When we reopen the CSDN page, the session continues.
When we close the browser, the session with CSDN is officially over.

Seen this way, the meaning of "conversation" is exactly what the name says.
Imagine going to a service desk to talk to the clerk.
Assume the clerk is strictly businesslike: one question, one answer, no small talk.
Then from the moment you start talking until you leave the service desk, you are in a conversation with the clerk.

In this conversation, you ask the clerk questions, which is really the front end sending a request to the back end; the clerk responds to your request and answers your questions.

Within a conversation, the commonly used session tracking technologies are Cookie and Session. A Cookie identifies the user by recording information on the client side; a Session identifies the user by recording information on the server side.


cookie

HTTP is stateless. Stateless means that every request is independent: the data produced by the exchange between client and server can be understood as state, and this state is not kept.
Every request a client makes to the server looks brand new to the server.
So the server does not know who the requester is, or who just logged in and paid. That is a mess, because the multiple requests of one session need to be linked together.
This is where the cookie comes in.

Cookies have two main functions:

  • First, it can store data
  • Second, it can serve as a unique identifier for a user

For example:
A cookie is like the relationship between a bank and us. The bank does not recognize you, because people have plastic surgery and wear disguises, so it cannot tell who you are from your appearance.
So the bank issues you a USB shield (the cookie), which is both your identity and a store for your account information. After you perform a balance operation, the USB shield stores your balance information.
Whenever you deal with the bank, you must hand over the USB shield every time; the bank does the business, updates the data on your USB shield, and then returns the USB shield to you.
When one day your relationship with the bank falls apart, you no longer need this USB shield, and the conversation ends.
Or, if one day you lose the USB shield, sorry: the bank recognizes only the USB shield, not the person, and you are done.

The above is a general understanding of cookies.
The principle of the cookie is this: the browser accesses the server carrying an empty cookie; the server generates the cookie content; the browser receives the response and saves the cookie locally. When the browser visits again, it automatically brings the cookie along, so the server can determine "who" this is from the content of the cookie.
With cookies, your different requests become associated: one request can use the data from the previous request.

Related characteristics of cookies:

  • Stores information in the browser as key-value pairs
  • No more than 4KB
  • Cannot cross domains; the current domain and its parent domain can read the value
  • A cookie can have a validity period
  • A cookie can have a path, i.e. a route; / means it is accessible everywhere under the current domain
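The list above describes when a browser attaches a stored cookie to a request. The following is an added example, not code from the original article: a small constructed model of a cookie jar that applies the domain rule, the path rule, the expiry and the 4KB size limit to a request URL (the class, function names and sample cookies are all assumptions for illustration).

```python
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

MAX_COOKIE_BYTES = 4096   # the roughly 4KB per-cookie limit mentioned above


@dataclass
class Cookie:
    """Constructed model of a stored cookie with the attributes listed above."""
    name: str
    value: str
    domain: str                       # domain the cookie was set for, e.g. "csdn.net"
    path: str = "/"                   # "/" = every route under the domain
    expires: Optional[float] = None   # unix time; None = dies when the browser closes


def domain_matches(host: str, cookie_domain: str) -> bool:
    # The domain itself and its subdomains receive the cookie; an unrelated host does not.
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    # Path match as in RFC 6265: equal, or a prefix that ends on a "/" boundary,
    # so Path=/admin covers /admin/users but not /administrator.
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def fits_size_limit(c: Cookie) -> bool:
    return len(f"{c.name}={c.value}".encode()) <= MAX_COOKIE_BYTES


def cookies_for_request(jar: list, url: str, now: Optional[float] = None) -> dict:
    """Name -> value pairs a browser would attach to a request for `url`."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    sent = {}
    for c in jar:
        if c.expires is not None and c.expires <= now:
            continue   # expired: the browser discards it
        if domain_matches(parts.hostname or "", c.domain) and path_matches(parts.path or "/", c.path):
            sent[c.name] = c.value
    return sent
```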



session

Session also has the meaning of "conversation", but the session discussed here and the concept of conversation above are by no means the same thing, so don't confuse them.
Session and cookie are at the same level.

Session came about because cookies have certain problems, and session is the response to those problems.

Problems with cookies:

  • The cookie is in the hands of the user (the browser), which is extremely insecure
  • The amount of data a cookie can store is too small; as mentioned above, only 4KB. How could that be enough?

In response to these two problems, the session appeared.
The session is stored on the server side and holds the useful data produced during the conversation.

A vivid example:
A session is like a supermarket preparing lockers for its customers.
The locker can hold the goods you buy and can be reused.
Every time you go shopping, you put what you bought into the locker.
The problem remains, though, that the supermarket locker cannot recognize who you are. How does it make sure your locker is used only by you?
When you enter the supermarket for the first time, you have nothing; then you interact with the locker, and the locker gives you a slip of paper with a code.
As long as you hold this slip of paper, you have the right to use this locker.
This slip of paper is the cookie.
So we can summarize: the session is the locker the server prepares for the user, and the cookie is the code slip the server uses to tie the user to the locker. Of course, what the cookie records is the number of the user's locker, in encoded form.
(It can also be seen here that cookies are used by sessions too.)
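The locker-and-slip mechanism above, and the earlier cookie round trip, as an added example that is not part of the original article: a constructed in-memory session store hands out a random session id in a Set-Cookie header, keeps the data on the server, and is contrasted with a cookie-only counter in which the value itself sits in the browser. The cookie name SESSIONID, the store and the simulated browser are assumptions for illustration.

```python
import secrets
from typing import Optional
from http.cookies import SimpleCookie

# Constructed in-memory "lockers": session id -> server-side data (not a framework's store).
SESSIONS: dict = {}
SESSION_COOKIE = "SESSIONID"   # assumed cookie name carrying the locker number


def parse_cookie_header(header: str) -> dict:
    """Turn the browser's Cookie header (possibly empty) into name -> value."""
    jar = SimpleCookie()
    if header:
        jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def handle_request(cookie_header: str) -> tuple:
    """One request. Returns (session data the server sees, Set-Cookie header or '')."""
    sid = parse_cookie_header(cookie_header).get(SESSION_COOKIE)
    set_cookie = ""
    if sid is None or sid not in SESSIONS:
        # No valid code slip: open a fresh locker under a new random, unguessable id.
        sid = secrets.token_urlsafe(32)
        SESSIONS[sid] = {"visits": 0}
        set_cookie = f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly; Secure"
    data = SESSIONS[sid]
    data["visits"] += 1          # the data stays on the server; the browser holds only the id
    return dict(data), set_cookie


def browser_session(n_requests: int, replace_id_with: Optional[str] = None) -> list:
    """Simulate a browser: remember Set-Cookie and send it back each time; optionally
    replace the id after the second request (a lost or made-up code slip)."""
    cookie_header, seen = "", []
    for i in range(n_requests):
        data, set_cookie = handle_request(cookie_header)
        seen.append(data["visits"])
        if set_cookie:
            cookie_header = set_cookie.split(";", 1)[0]   # keep only NAME=value
        if replace_id_with is not None and i == 1:
            cookie_header = f"{SESSION_COOKIE}={replace_id_with}"
    return seen


def client_side_counter(cookie_header: str) -> tuple:
    """Cookie-only design from the cookie section: the count itself lives in the browser,
    so the server has to trust whatever value the browser sends."""
    visits = int(parse_cookie_header(cookie_header).get("visits", "0")) + 1
    return visits, f"visits={visits}; Path=/"
```

A browser that loses or alters its SESSIONID simply gets a new, empty locker, while the cookie-only counter accepts any number the browser chooses to send.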


The difference and connection between session and cookie

As for the connection, as said above, both can be used to store private data, and both have an expiration time. The difference is that the session lives on the server and whether it expires depends on the server's settings, whereas the cookie lives on the client and whether it expires can be set when the cookie is generated.
Both are session tracking technologies.

The differences:

  • Cookie data is stored in the client's browser; session data is stored on the server
  • Cookies are not very secure: others can inspect the cookies stored locally and perform cookie spoofing. If security is the main consideration, use session.
  • A session is kept on the server for a certain period of time. As traffic grows, it eats into your server's performance. If reducing server load is the main consideration, use cookie.
  • A single cookie is limited to 4KB, while a session can hold much more, so the amount of data they can store differs greatly

Reference blogs

Java Web (3): Session mechanism, Cookie and Session explained in detail https://www.cnblogs.com/whgk/p/6422391.html
Cookie and session https://www.cnblogs.com/changxin7/p/11608985.html (image source)


Origin blog.csdn.net/qq_34687559/article/details/112055416