The difference between session, cookie, and token

session

A session is a conversation between a user and a web server. When a user opens a web application, a session is established with the web server, and the server uses it to hold the user's information temporarily on the server side; the session is destroyed when the user leaves the website. Storing user information this way is more secure than using cookies, but sessions have a drawback: if the web server sits behind a load balancer, the session is lost when the next request is routed to a different server (unless session state is shared between the servers).


cookie

A cookie is data saved on the local terminal. The cookie is generated by the server and sent to the browser, which saves it as key-value pairs in a text file in a certain directory. The next time the same website is requested, the cookie is sent back to the server. Since cookies are stored on the client, browsers add some restrictions to ensure that cookies cannot be used maliciously and do not take up too much disk space, so the number of cookies per domain is limited.

A cookie consists of: name (key), value, domain (the host the cookie is valid for), path (the path within that domain, usually set to the whole site: "/"), expiration time, and the secure flag (when set, the cookie is only sent to the server over an SSL/TLS connection, i.e. https). Here is a simple JavaScript example of using cookies:

A cookie is generated when the user logs in (result is the JSON response of the login request):

// result.data holds the logged-in user's fields returned by the server
document.cookie = "id=" + result.data['id'] + "; path=/";
document.cookie = "name=" + result.data['name'] + "; path=/";
document.cookie = "avatar=" + result.data['avatar'] + "; path=/";

When the page needs the cookies, parse the cookie string as follows:

var cookie = document.cookie;
var cookieArr = cookie.split(";");
var user_info = {};
for (var i = 0; i < cookieArr.length; i++) {
    // entries after the first carry a leading space ("; name=..."), so trim the key;
    // split on the first "=" only, since the value itself may contain "="
    var entry = cookieArr[i].trim();
    var eq = entry.indexOf("=");
    if (eq === -1) continue;
    user_info[entry.slice(0, eq)] = entry.slice(eq + 1);
}

$('#user_name').text(user_info['name']);
$('#user_avatar').attr("src", user_info['avatar']);
$('#user_id').val(user_info['id']);


token

A token is a credential used to verify the user's identity. The simplest token consists of: uid (the user's unique identifier), time (the timestamp of the current time), and sign (a signature: the preceding fields of the token plus a salt, compressed by a hash algorithm into a hexadecimal string of fixed length, which prevents a malicious third party from forging a token by concatenating fields and sending it to the server). You can also put parameters that never change into the token to avoid repeated database lookups.

 Difference between cookie and session

1. Cookie data is stored in the client's browser; session data is stored on the server.

2. Cookies are not very safe: someone can inspect the cookies stored locally and forge them (cookie spoofing). Where security matters, use the session.

3. A session is kept on the server for a certain period of time. As the number of visitors grows, this consumes server resources. To reduce the load on the server, use cookies.

4. A single cookie cannot hold more than 4K of data, and many browsers limit a site to at most 20 cookies.

5. So, personal suggestion: store important information such as login information in the SESSION; other information, if it needs to be kept, can be put in a COOKIE.

The difference between token and session

Session and OAuth token are not in conflict. As an authentication credential, a token is more secure than a session, because each request carries a signature, which protects against eavesdropping and replay attacks, whereas a session must rely on the transport layer to keep the communication secure. As mentioned above, if you need stateful sessions, you can still add a session to keep some state on the server side.

An app usually talks to the server through a RESTful API. REST is stateless, that is, the app does not need a cookie to hold a session the way a browser does, so a session token is enough for the app to identify itself, and the session/state is handled by the API server's logic. If your backend is not a stateless REST API, you may need to keep the session in the app; you can embed WebKit in the app and use a hidden browser to manage the cookie-based session.


Session is an HTTP storage mechanism designed to give stateless HTTP a way to persist state. So-called Session authentication simply stores the User's information in the Session; because the SID is unpredictable, this is considered safe for the time being. It is a means of authentication.

Token, if it refers to an OAuth Token or a similar mechanism, provides both authentication and authorization: authentication is for the user, authorization is for the App. Its purpose is to grant an App the right to access one user's information. The Token here is unique: it cannot be transferred to another app, nor to another user.

Returning to Session: a Session provides only simple authentication, that is, whoever holds the SID has all the rights of that User. It must be kept strictly confidential; this data should only be stored on your own site and never shared with other websites or third-party apps. So in short: if your user data may need to be shared with a third party, or a third party is allowed to call your API, use a Token. If it is only ever your own website and your own app, it does not matter which you use.

A token is a credential: for example, when you authorize (log in to) a program, it is the basis for deciding whether you have authorized that software. A cookie is a text file written on the client side that holds your login information and the like, so that the next time you visit the website the cookie is read automatically and the user is logged in. A session is similar to a cookie, except that the session is a file written on the server side; the client still needs a cookie, but that cookie only holds your browser's identifier (the session id). In other words, the state of a Session is stored on the server and the client holds only the session id, while the state of a Token is stored on the client.


Origin http://43.154.161.224:23101/article/api/json?id=325141393&siteId=291194637