How a session works

A session works as follows: after the client has logged in, the server creates a corresponding session.
When the program needs a session for a client's request, the server first checks whether the request contains a session identifier (called the session id). If it does, a session has already been created for this client, and the server retrieves that session by its session id (if it cannot be retrieved, a new one is created). If the request does not contain a session id, the server creates a session for the client and generates a session id associated with it. The value of the session id should be a string that never repeats and is hard to discover or forge. The session id is returned to the client in the response, and the client saves it.

A cookie can be used to save the session id, so that the browser automatically presents this identifier to the server, according to the cookie rules, during each interaction. Generally, the name of this cookie is similar to SESSIONID. But cookies can be disabled by the user, so there must be other mechanisms that allow the session id to be passed back to the server when cookies are disabled.

A technique that is often used is called URL rewriting, which appends the session id directly to the URL path. Another technique is hidden form fields: the server automatically modifies the form and adds a hidden field, so that the session id is passed back to the server when the form is submitted.
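
As an added example (not code from the original post), the lookup-or-create flow and the session id cookie described above can be written in Python as follows. The in-memory store, the function names and the cookie attributes are assumptions chosen for illustration.

```python
import secrets
from http.cookies import CookieError, SimpleCookie

COOKIE_NAME = "SESSIONID"   # cookie name as used in the text
_sessions = {}              # assumed in-memory store: session id -> session data


def new_session_id():
    # 32 bytes from the OS CSPRNG: will not repeat in practice and cannot be guessed.
    return secrets.token_urlsafe(32)


def get_session(cookie_header):
    """Return (session_id, session, created) for a request's Cookie header."""
    sid = None
    if cookie_header:
        jar = SimpleCookie()
        try:
            jar.load(cookie_header)
        except CookieError:
            jar = SimpleCookie()   # malformed header: treat as "no session id"
        if COOKIE_NAME in jar:
            sid = jar[COOKIE_NAME].value
    # The request carries an id we issued earlier: reuse that session.
    if sid is not None and sid in _sessions:
        return sid, _sessions[sid], False
    # No id, or an id the server does not know: create a new session under a
    # freshly generated id. A value chosen by the client is never adopted.
    sid = new_session_id()
    _sessions[sid] = {}
    return sid, _sessions[sid], True


def set_cookie_header(sid):
    """Build the response header that hands the session id to the browser."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = sid
    cookie[COOKIE_NAME]["path"] = "/"
    cookie[COOKIE_NAME]["httponly"] = True    # not readable from page scripts
    cookie[COOKIE_NAME]["secure"] = True      # sent over HTTPS only
    cookie[COOKIE_NAME]["samesite"] = "Lax"
    return cookie.output(header="Set-Cookie:")
```

Keeping the id in a cookie with these attributes also keeps it out of URLs, which end up in browser history, server logs and Referer headers when URL rewriting is used.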

Origin blog.csdn.net/qq_41489540/article/details/114632205