Understanding the difference between cookies and sessions, and how each is used

Foreword

  • HTTP is a stateless protocol: on its own, the server cannot tell which client initiated a request, so the application has to solve this problem itself. Otherwise you would have to log in again every time you opened a page on the same website. Sessions and cookies are the two mechanisms proposed to solve it.

Application scenarios

  • Logging in to a website: you enter your username and password today, and in many cases the site opens directly, still logged in, the next day. The mechanism used here is the cookie.
  • A typical session scenario is a shopping cart. After a product is added, the client knows which products are in the cart, but how does the server know? It has to store some information per user, and that is what the session is for.

1. Cookie

  • In layman's terms, a cookie is website-related information stored locally after you visit a site, so that some steps can be skipped on the next visit. More precisely: cookies are small pieces of text that the server asks the browser to store on the local machine and that the browser sends back to the same server with every request; they are a scheme for maintaining state on the client side.
  • The main contents of a cookie are its name, value, expiration time, path and domain. You can see them by capturing the traffic with Fiddler. For example, when we open a Baidu page, the request headers include cookies such as the following:


    BIDUPSID: 9D2194F1CB8D1E56272947F6B0E5D47E
    PSTM: 1472480791
    BAIDUID: 3C64D3C3F1753134D13C33AFD2B38367:FG
    ispeedlsm: 2
    MCITY: 131
    pgvpvi: 3797581824
    pgvsi: s9468756992
    BDUSS: JhNXVoQmhPYTVENEdIUnQ5S05xcHZMMVY5QzFRNVh5SzZoV0xMVDR6RzV-bEJZSVFBQUFBJCQAAAAAAAAAAAEAAACteXsbYnRfY2hpbGQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALlxKVi5cSlYZj
    BDHOME: 1
    HPSPSSID: 1423210801700121454214082153021377215252119321340
    BDUPN: 123253
    sug: 3
    sugstore: 0
    ORIGIN: 0
    bdime: 0


  • Cookies are name/value pairs. An expiration time can be set. If it is not set, the cookie is kept in memory and disappears when the browser is closed; otherwise it is written to disk for the configured time, survives a browser restart, and is automatically removed when it expires. The former is called a session cookie or transient cookie, the latter a persistent cookie. Path and domain restrict where the cookie is sent: a cookie set by site a cannot be used by site b.
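The attribute rules above can be made concrete. The following added example (written for this page, not code from the original article) parses a Set-Cookie header and decides whether a browser would send the resulting cookie back for a given host, path and scheme: session versus persistent, host-only versus Domain-scoped, Secure, and expiry. The hostnames, cookie names and values are constructed placeholders, not a real capture.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 domain-match: identical, or host is a subdomain of domain."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 path-match: equal, or cookie path is a directory prefix of the request path."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


@dataclass
class Cookie:
    name: str
    value: str
    domain: str                         # the origin host for host-only cookies
    host_only: bool = True              # no Domain attribute => only the exact host
    path: str = "/"
    expires: Optional[datetime] = None  # None => session (transient) cookie
    secure: bool = False
    http_only: bool = False

    def is_persistent(self) -> bool:
        return self.expires is not None

    def would_be_sent_to(self, host: str, path: str, https: bool, now: datetime) -> bool:
        """Would a conforming browser attach this cookie to a request for host/path?"""
        if self.expires is not None and now >= self.expires:
            return False                  # already purged from the cookie jar
        if self.secure and not https:
            return False                  # Secure cookies never travel over plain HTTP
        if self.host_only:
            if host.lower() != self.domain:
                return False
        elif not domain_matches(host, self.domain):
            return False
        return path_matches(path, self.path)


def parse_set_cookie(header: str, origin_host: str, now: datetime) -> Cookie:
    """Parse one Set-Cookie header as a browser receiving it from origin_host would."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip(), domain=origin_host.lower())
    max_age_seen = False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            cookie.domain = val.lstrip(".").lower()
            cookie.host_only = False
        elif key == "path" and val.startswith("/"):
            cookie.path = val
        elif key == "max-age" and val.lstrip("-").isdigit():
            cookie.expires = now + timedelta(seconds=int(val))  # Max-Age wins over Expires
            max_age_seen = True
        elif key == "expires" and not max_age_seen:
            try:
                cookie.expires = parsedate_to_datetime(val)
            except (TypeError, ValueError):
                pass                      # malformed date: ignore the attribute
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
    return cookie


# Constructed reference time and headers (placeholders, not a real Baidu capture).
NOW = datetime(2016, 8, 29, 12, 0, tzinfo=timezone.utc)
TRANSIENT_HDR = "BDHOME=1; Path=/; HttpOnly"
PERSISTENT_HDR = "BAIDUID=placeholder; Domain=.baidu.com; Path=/; Max-Age=31536000; Secure"


def cookie_scope_demo() -> dict:
    transient = parse_set_cookie(TRANSIENT_HDR, "www.baidu.com", NOW)
    persistent = parse_set_cookie(PERSISTENT_HDR, "www.baidu.com", NOW)
    return {
        "transient_is_persistent": transient.is_persistent(),    # False: gone when the browser closes
        "persistent_is_persistent": persistent.is_persistent(),  # True: kept on disk for a year
        "host_only_to_subdomain": transient.would_be_sent_to("tieba.baidu.com", "/", True, NOW),
        "domain_cookie_to_subdomain": persistent.would_be_sent_to("tieba.baidu.com", "/", True, NOW),
        "to_other_site": persistent.would_be_sent_to("baidu.com.example.net", "/", True, NOW),
        "secure_over_http": persistent.would_be_sent_to("www.baidu.com", "/", False, NOW),
        "after_expiry": persistent.would_be_sent_to("www.baidu.com", "/", True, NOW + timedelta(days=366)),
    }
```

The host-only cookie stays with www.baidu.com, while the Domain=.baidu.com cookie reaches every subdomain but never a host that merely contains "baidu.com" in its name; that suffix check is what stops site b from receiving site a's cookies.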

2. Session

  • A session is a HashTable-like structure that the server uses to store per-user data.
  • When the browser sends its first request, the server creates a HashTable together with a session ID that uniquely identifies it, and returns the ID to the browser in the response. On the next request the browser includes the session ID it received; the server extracts it from the request, looks it up among the saved session IDs, and so finds that user's HashTable.
    • This value generally has a time limit; once it times out, the session is destroyed. The default idle timeout is 20 minutes in ASP.NET, for example.
  • When the user moves between the web pages of the application, the variables stored in the Session object are not lost; they persist for the whole of the user's session.
  • The implementation of the session depends on cookies. A session ID is generated when the session is first created, and as the user opens further pages the ID is carried in a cookie, so the server can identify the session on each visit.
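A minimal server-side session store illustrating the flow just described, as an added example rather than code from the original article: a random session ID is issued in a Set-Cookie header, later requests are matched to their HashTable-like record through that ID, unknown IDs are rejected, and idle sessions are destroyed after the timeout. The request and response objects are simplified dicts standing in for a real framework; the cookie name SESSIONID and the shopping-cart data are constructed.

```python
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

COOKIE_NAME = "SESSIONID"        # constructed name; containers use JSESSIONID, ASP.NET_SessionId, etc.
DEFAULT_IDLE_TIMEOUT = 20 * 60   # seconds: the "20 minutes" the text mentions


class SessionStore:
    """In-memory map from session ID to (data, last_seen); one record per user."""

    def __init__(self, idle_timeout: int = DEFAULT_IDLE_TIMEOUT,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._sessions: Dict[str, Tuple[dict, float]] = {}
        self._timeout = idle_timeout
        self._clock = clock

    def create(self) -> str:
        # 128 bits from the OS CSPRNG: guessing or enumerating IDs must be infeasible
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = ({}, self._clock())
        return sid

    def get(self, sid: Optional[str]) -> Optional[dict]:
        """Return the session's data, or None if the ID is unknown or has timed out."""
        if sid is None or sid not in self._sessions:
            return None
        data, last_seen = self._sessions[sid]
        now = self._clock()
        if now - last_seen > self._timeout:
            del self._sessions[sid]           # destroyed on timeout, as the text describes
            return None
        self._sessions[sid] = (data, now)     # sliding expiry: activity extends the session
        return data

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def parse_cookie_header(header: Optional[str]) -> Dict[str, str]:
    cookies: Dict[str, str] = {}
    for pair in (header or "").split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def handle_request(store: SessionStore, headers: Dict[str, str]) -> Tuple[dict, Dict[str, str]]:
    """Find the caller's session or start a new one; returns (session data, response headers)."""
    sid = parse_cookie_header(headers.get("Cookie")).get(COOKIE_NAME)
    data = store.get(sid)
    response: Dict[str, str] = {}
    if data is None:
        sid = store.create()
        data = store.get(sid)
        # HttpOnly keeps scripts away from the ID; Secure keeps it off plaintext HTTP
        response["Set-Cookie"] = f"{COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
    return data, response


def shopping_cart_demo() -> dict:
    """Two requests from one browser share a cart; a forged ID gets a fresh, empty session."""
    clock = [0.0]                                  # controllable clock for the timeout case
    store = SessionStore(clock=lambda: clock[0])

    # First request: no cookie yet -> new session, Set-Cookie in the response
    cart, resp1 = handle_request(store, {})
    cart["items"] = ["book"]
    cookie_hdr = resp1["Set-Cookie"].split(";", 1)[0]   # what the browser sends back

    # Second request carries the cookie: the same record is found, no new cookie issued
    cart2, resp2 = handle_request(store, {"Cookie": cookie_hdr})
    cart2["items"].append("pen")

    # A made-up ID is not in the store, so it is replaced rather than trusted
    forged, resp3 = handle_request(store, {"Cookie": f"{COOKIE_NAME}=AAAAAAAAAAAAAAAAAAAAAA"})

    # 21 minutes of inactivity: the original session has been destroyed
    clock[0] += 21 * 60
    expired, _ = handle_request(store, {"Cookie": cookie_hdr})

    return {
        "second_request_items": cart2["items"],             # ["book", "pen"]
        "second_request_set_cookie": "Set-Cookie" in resp2, # False
        "forged_items": forged.get("items"),                # None
        "forged_got_new_cookie": "Set-Cookie" in resp3,     # True
        "expired_items": expired.get("items"),              # None
    }
```

The browser only ever holds the opaque ID; the cart contents stay on the server, which is exactly the separation the shopping-cart scenario above relies on.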

The differences

  • Stored data: a session can hold any server-side object (any Java object, in a servlet container); a cookie can only hold strings, and browsers cap each cookie at roughly 4 KB.
  • Location: the cookie lives on the client, the session on the server. Because a cookie can be read, edited and forged on the client, nothing stored in it can be trusted unless the server signs it (and encrypts it, if it is confidential).
  • Cost: too many sessions consume server resources, so large websites run dedicated session servers; cookies live on the client and cost the server nothing.
  • Scope: a cookie set with Domain=a.com is sent to every subdomain of a.com, whereas a session created under www.a.com is not automatically visible to api.a.com; the two hosts must share a session store and the session cookie must be set for the parent domain. Cross-origin requests (JSONP, or CORS with credentials) are a separate problem and do not by themselves share a session.

Session sharing between multiple servers

  1. Session replication or sharing implemented by the application server, such as WebSphere or JBoss, configured when the cluster is built. Fatal disadvantage: hard to scale and hard to port.
  2. Use a mature external technology for session replication, such as GemFire (used by 12306) or an in-memory store such as Redis or Memcached. This is the common choice, but it adds a third-party dependency.
  3. Keep the session on the client in a cookie. The drawbacks are that the client cannot be trusted with the data and can store only a small amount, so any session kept on the client must be signed so that tampering is detected, and encrypted if it contains anything confidential.
  4. Combine the second and third schemes: GemFire or Redis holds the shared session, and a copy is also kept in the client's cookie, again on the condition that the data is signed and encrypted.

These schemes can be switched quickly without affecting the running application. In practice GemFire or Redis is preferred as the carrier for shared sessions; if the store becomes unstable, the cookie-based session can be switched to as an emergency fallback without interrupting the service.
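For scheme 3 (and the cookie leg of scheme 4), here is an added example, not from the original article, of keeping the session in the client's cookie with an HMAC-SHA256 tag so that any edit made on the client is detected, plus an expiry. The secret key, user data and clock value are constructed. Signing gives integrity only; the last result shows the payload is still readable by anyone holding the cookie, which is why the text also requires encryption (for example AES-GCM layered on top of this) when the contents are confidential.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET_KEY = b"constructed-demo-key-replace-me"   # placeholder; load from a secret store in production


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def seal(data: dict, key: bytes, ttl: int, now: Optional[float] = None) -> str:
    """Serialise data plus an expiry and append an HMAC-SHA256 tag: '<payload>.<tag>'."""
    now = time.time() if now is None else now
    body = json.dumps({"d": data, "exp": int(now + ttl)}, separators=(",", ":"))
    payload = _b64(body.encode())
    tag = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{tag}"


def unseal(cookie: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the data if the tag verifies and the cookie has not expired, else None."""
    now = time.time() if now is None else now
    payload, sep, tag = cookie.partition(".")
    if not sep:
        return None
    expected = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None                       # constant-time compare: no timing leak on the tag
    try:
        body = json.loads(_unb64(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    if body.get("exp", 0) <= now:
        return None                       # expired cookies are rejected even with a valid tag
    return body.get("d")


def tamper_demo() -> dict:
    now = 1_700_000_000.0                 # fixed clock so the demo is deterministic
    cookie = seal({"user": "alice", "role": "user"}, SECRET_KEY, ttl=3600, now=now)

    # The client rewrites the payload to claim the admin role but keeps the old tag
    payload, _, tag = cookie.partition(".")
    forged_body = json.dumps({"d": {"user": "alice", "role": "admin"}, "exp": int(now + 3600)},
                             separators=(",", ":"))
    forged = f"{_b64(forged_body.encode())}.{tag}"

    return {
        "valid": unseal(cookie, SECRET_KEY, now=now),             # {'user': 'alice', 'role': 'user'}
        "forged": unseal(forged, SECRET_KEY, now=now),            # None: tag no longer matches
        "wrong_key": unseal(cookie, b"other-key", now=now),       # None: another server's key
        "expired": unseal(cookie, SECRET_KEY, now=now + 3601),    # None: past exp
        "readable_without_key": json.loads(_unb64(payload))["d"]["user"],  # 'alice'
    }
```

Every server in the cluster that holds SECRET_KEY can validate the cookie without any shared store, which is what makes this usable as the emergency fallback described above; rotating the key logs every client out at once.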

What if cookies are disabled and you need single sign-on? (Log in once, and the other sub-sites do not ask you to log in again.)

  • The principle of single sign-on is that the back end generates a session ID and sets it in a cookie. Every later request from the browser carries that cookie, and the server reads the session ID from it and looks up the user's information.
  • So what keeps you logged in is not the cookie itself but the session ID that the cookie stores and transmits: essentially, a piece of data that lets the server retrieve the user's information.
  • Besides cookies, an HTTP request header is often used to transmit it. Unlike a cookie, however, the browser does not attach this header automatically; the client code has to add it to each request itself.
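An added example (not from the original article) of the header transport described above: the server accepts the session ID from either the Cookie header or an Authorization: Bearer header, and a stand-in client with cookies disabled shows the manual step that the browser no longer performs. The token and the cookie name SESSIONID are constructed.

```python
from typing import Dict, Optional

COOKIE_NAME = "SESSIONID"   # constructed name for the session cookie


def session_id_from_request(headers: Dict[str, str]) -> Optional[str]:
    """Cookie first (browser-managed), then the explicit header (client-managed)."""
    for pair in headers.get("Cookie", "").split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and name == COOKIE_NAME and value:
            return value
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "bearer" and token.strip():
        return token.strip()
    return None


class HeaderSessionClient:
    """Stand-in for a client with cookies disabled: it has to remember the ID
    handed out at login and attach it to every request itself."""

    def __init__(self) -> None:
        self.session_id: Optional[str] = None

    def login(self, login_response_body: Dict[str, str]) -> None:
        # The server returns the ID in the body, since a Set-Cookie would be ignored
        self.session_id = login_response_body["session_id"]

    def request_headers(self) -> Dict[str, str]:
        if self.session_id is None:
            return {}
        return {"Authorization": f"Bearer {self.session_id}"}


def transport_demo() -> dict:
    sid = "k7Qx3pZ9constructedToken"   # constructed, not a real token
    browser_with_cookies = {"Cookie": f"other=1; {COOKIE_NAME}={sid}"}

    client = HeaderSessionClient()
    before_login = session_id_from_request(client.request_headers())
    client.login({"session_id": sid})
    after_login = session_id_from_request(client.request_headers())

    return {
        "from_cookie": session_id_from_request(browser_with_cookies),  # sid
        "before_login": before_login,                                   # None: nothing to send yet
        "after_login": after_login,                                     # sid, via Authorization
        "no_transport": session_id_from_request({}),                    # None
    }
```

Because the browser never adds the Authorization header on its own, a token carried this way is also not attached to cross-site requests the way a cookie is; the price is that every sub-site in the single sign-on must receive the ID out of band (here, in the login response body) and its client code must send it on every request.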
