Difference between Cookie, Session and Token

Cookie and Session

Session tracking is a common technique in web applications for following a user across an entire visit. The two commonly used session-tracking mechanisms are the cookie and the session: a cookie identifies the user by recording information on the client side, a session by recording information on the server side.

Cookie

A cookie is data the server sends to the client so that a particular session can be recognised later; it serves as the unique identifier of the user's session.

Principle:
HTTP is a stateless protocol: once a request and its response are complete the exchange is over, and the next request is handled on its own, so the server cannot tell from the connection alone which user is making it. How to solve this? When a new user makes their first request, give them a unique ID card; on every later visit they must present that ID card, so the server knows who is accessing it and can treat different users differently. This is the principle of cookies.

A cookie is a small text file that the browser stores on the user's machine. Cookies are plain text and contain no executable code. They hold some information the server needs, and the matching cookies are sent with every request to that site. These cookies can be used to identify the user, among other purposes.

Cookie classification:
Session cookie: a temporary cookie that is deleted when the user exits the browser.

Persistent cookie: stored on the hard disk for a longer period; it still exists after the browser is closed and the computer restarted. A persistent cookie usually holds the configuration or login information of a user who visits the server periodically.
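As an added example (not code from the original post), the following Python script uses only the standard library to build the two kinds of cookie just described and to parse the Cookie header the browser sends back. The cookie names and values are constructed for the example; the attributes set on the cookie (HttpOnly, Secure, SameSite) are the ones a server should normally put on a cookie that identifies a user.

```python
# Added example (not from the original post): building and parsing cookie
# headers with Python's standard library, to show the difference between a
# session cookie (no expiry) and a persistent cookie (Max-Age) and the
# attributes a server should set on a cookie that identifies a user.
from http.cookies import SimpleCookie
from typing import Dict, Optional


def build_set_cookie(name: str, value: str, max_age: Optional[int] = None) -> str:
    """Return the value of a Set-Cookie response header.

    With max_age=None the cookie carries no expiry, so the browser drops it
    when it closes (a session cookie). With max_age set, the browser keeps
    it on disk for that many seconds (a persistent cookie).
    """
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["path"] = "/"
    morsel["httponly"] = True   # scripts on the page cannot read it
    morsel["secure"] = True     # only sent over HTTPS
    morsel["samesite"] = "Lax"  # not attached to most cross-site requests
    if max_age is not None:
        morsel["max-age"] = max_age
    return morsel.OutputString()


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Parse the Cookie request header the browser sends back on each request."""
    cookie = SimpleCookie()
    cookie.load(header)
    return {key: morsel.value for key, morsel in cookie.items()}


def is_persistent(set_cookie: str) -> bool:
    """A Set-Cookie line describes a persistent cookie if it has Max-Age or Expires."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in set_cookie.split(";")[1:]}
    return "max-age" in attrs or "expires" in attrs


if __name__ == "__main__":
    # constructed sample values, not from any real site
    print(build_set_cookie("SESSIONID", "abc123"))
    print(build_set_cookie("remember_me", "tok456", max_age=30 * 24 * 3600))
    print(parse_cookie_header("SESSIONID=abc123; theme=dark"))
```

The only difference between the two Set-Cookie lines is the Max-Age attribute; everything else about how the browser returns the cookie is identical, which is why a persistent login cookie needs the same protective attributes as a session cookie.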

Session

It is another mechanism for recording the client's state. The difference is that a cookie is stored in the client browser while a session is stored on the server. When the client browser accesses the server, the server records the client's information on the server in some form; this is the session. When the client browser visits again, the server only needs to look up the client's state in the session.
If the cookie mechanism confirms the customer's identity by checking the "passport" the customer carries, the session mechanism confirms it by checking the "customer list" kept on the server. A session is equivalent to a client file that the program creates on the server; when a client visits, the server only needs to query the table of client files.

Principle:
When the browser requests a web site and the program needs a session for the client's request, the server first checks whether the request already carries a session identifier (called SESSIONID). If it does, a session was created for this client earlier, and the server retrieves that session by its sessionid. If the request carries no session id, the server creates a session for the client and generates the sessionid associated with it; the sessionid value should be a string that is never repeated and is not easy to guess or imitate. This sessionid is returned to the client in the response to be saved, and one way to save it is a cookie. From then on, the browser automatically sends this identifier back to the server according to the cookie rules, and the server finds the corresponding session by the sessionid.

Although the session is stored on the server and is transparent to the client, it still needs the client browser's cooperation, because the session uses a cookie as its identifying mark. HTTP is stateless, so the session cannot tell from the HTTP connection whether it is the same client. The server therefore sends the client browser a cookie named JSESSIONID whose value is the session's id (the return value of HttpSession.getId()), and the session recognises the same user by that cookie.
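The lookup-or-create procedure above, as an added example in Python that is not part of the original post. The in-memory store, the `handle_request` function, the cookie name SESSIONID and the 30-minute idle timeout are assumptions made for this example, not any framework's API; the point it adds to the text is what the server does when the id it receives is unknown or has expired.

```python
# Added example (not from the original post): a minimal in-memory session
# store implementing the lookup-or-create procedure described above. The
# class and function names, the cookie name and the timeout are assumptions
# made for this example, not any framework's API.
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

SESSION_COOKIE = "SESSIONID"
SESSION_TTL = 30 * 60  # idle timeout in seconds (assumed value)


class SessionStore:
    """Server-side 'customer list': session id -> session record."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self, now: float) -> Tuple[str, dict]:
        # 128 bits of randomness: whoever presents this id is treated as the
        # client, so it must be impossible to guess or enumerate
        sid = secrets.token_urlsafe(16)
        session = {"created": now, "last_seen": now, "data": {}}
        self._sessions[sid] = session
        return sid, session

    def get(self, sid: str, now: float) -> Optional[dict]:
        session = self._sessions.get(sid)
        if session is None:
            return None  # unknown (or forged) id: treat as no session
        if now - session["last_seen"] > SESSION_TTL:
            del self._sessions[sid]  # idle too long: drop it, do not revive
            return None
        session["last_seen"] = now
        return session

    def destroy(self, sid: str) -> None:
        """Logout: remove the record so the id can no longer be used."""
        self._sessions.pop(sid, None)


def handle_request(store: SessionStore, cookie_header: str, now: float) -> Tuple[str, dict, Dict[str, str]]:
    """Handle one request; returns (session id, session, response headers).

    If the Cookie header names a live session it is reused; otherwise a new
    session is created and its id is sent back in Set-Cookie.
    """
    cookies = SimpleCookie()
    cookies.load(cookie_header)
    headers: Dict[str, str] = {}
    session = None
    sid = cookies[SESSION_COOKIE].value if SESSION_COOKIE in cookies else ""
    if sid:
        session = store.get(sid, now)
    if session is None:
        sid, session = store.create(now)
        # HttpOnly keeps page scripts from reading the id; Secure keeps it off plain HTTP
        headers["Set-Cookie"] = f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
    # per-client state lives here on the server, never inside the cookie
    session["data"]["hits"] = session["data"].get("hits", 0) + 1
    return sid, session, headers


if __name__ == "__main__":
    store = SessionStore()
    sid, _, hdrs = handle_request(store, "", now=1000.0)  # first visit: new session
    print(hdrs["Set-Cookie"])
    _, s, hdrs = handle_request(store, f"{SESSION_COOKIE}={sid}", now=1001.0)
    print(s["data"]["hits"], hdrs)  # second visit: same session, no new cookie
```

Note that an id the server does not recognise is handled exactly like a missing one: the client simply gets a fresh session. The server never trusts anything in the cookie beyond the id itself, which is what makes the session, and not the cookie, the record of who the client is.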

Token

A token is a credential issued by the server.
Authentication with a token of the form uid+time+sign[+fixed parameter] resembles a temporary signed certificate; it is a stateless authentication method on the server side and is very well suited to REST API scenarios. Stateless means the server saves no data related to identity authentication.
A token is generally stored on the client in localStorage, a cookie, or sessionStorage.

The token authentication process is very similar to that of the cookie. When the user logs in, the server returns a token to the client on success. The client receives the data and saves it. When the client accesses the server again, it puts the token in the request headers. The server uses a filter to verify it: if verification succeeds, the requested data is returned; if it fails, an error code is returned.
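The uid+time+sign layout and the filter step described above, as an added Python example that is not code from the original post. The token format `uid.issued_at.signature`, the HMAC-SHA256 signing key, the one-hour lifetime and the `authorize` filter are assumptions made for this example. It shows the property the text calls stateless: verification needs only the key, so the server keeps no per-user record, and it also shows the two checks a filter has to make, that the signature is genuine and that the time field is still within the lifetime.

```python
# Added example (not from the original post): a stateless token of the
# uid+time+sign form described above, signed with HMAC-SHA256. The key,
# token layout, lifetime and helper names are assumptions for this example.
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

TOKEN_TTL = 3600  # seconds a token stays valid (assumed value)


def _sign(payload: bytes, key: bytes) -> str:
    """HMAC-SHA256 over the payload, base64url-encoded without padding."""
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def issue_token(uid: str, key: bytes, now: Optional[int] = None) -> str:
    """Build 'uid.issued_at.signature'. The server stores nothing about it."""
    issued = int(now if now is not None else time.time())
    payload = f"{uid}.{issued}".encode()
    return f"{uid}.{issued}.{_sign(payload, key)}"


def verify_token(token: str, key: bytes, now: Optional[int] = None) -> Optional[str]:
    """Return the uid if the token is authentic and unexpired, else None."""
    current = int(now if now is not None else time.time())
    try:
        uid, issued_s, sig = token.rsplit(".", 2)
        issued = int(issued_s)
    except ValueError:
        return None  # malformed token
    expected = _sign(f"{uid}.{issued}".encode(), key)
    # constant-time comparison so response timing does not reveal how many
    # bytes of a guessed signature were right
    if not hmac.compare_digest(sig, expected):
        return None  # signature does not match: tampered or not ours
    if current - issued > TOKEN_TTL or issued > current + 60:
        return None  # expired, or issued in the future beyond clock-skew tolerance
    return uid


def authorize(headers: dict, key: bytes, now: Optional[int] = None) -> Tuple[int, Optional[str]]:
    """The filter step: read the Authorization header, return (status, uid)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, None
    uid = verify_token(auth[len("Bearer "):], key, now)
    return (200, uid) if uid else (401, None)


if __name__ == "__main__":
    key = b"constructed-secret-key-for-the-example"  # constructed, not a real secret
    tok = issue_token("alice", key, now=1_700_000_000)
    print(tok)
    print(authorize({"Authorization": "Bearer " + tok}, key, now=1_700_000_100))
    print(authorize({"Authorization": "Bearer " + tok}, key, now=1_700_000_000 + TOKEN_TTL + 1))
```

Because the uid is readable in the token, this layout authenticates the user but does not hide who they are; the signature is what stops a client from simply editing the uid to someone else's. The flip side of statelessness is also visible here: with no server-side record there is nothing to delete at logout, so a token stays valid until its time field expires unless the server adds a revocation list, which reintroduces state.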

Summary:

The session is stored on the server and can be understood as a list of states, each with a unique identifier, the sessionId, which is usually stored in a cookie. The server parses the sessionId out of the cookie it receives and then searches the session list for the corresponding session. It relies on the cookie.
A cookie is similar to a credential: it carries the sessionId, is stored on the client, and the browser usually adds it to requests automatically.
A token is also a credential. It is stateless: the user information is encrypted into the token, and after receiving the token the server decrypts it to know which user it is. It has to be added to requests manually by the developer.

Source: blog.csdn.net/guo15890025019/article/details/113316987