Difference between cookie and session

Session tracking is a technique used in web applications to follow a user across an entire visit (session). The two common session-tracking technologies are cookies and sessions: a cookie identifies the user by recording information on the client side, while a session identifies the user by recording information on the server side. In practice the server-side session is itself located through a session ID that the client presents, normally in a cookie, so protecting that ID (HttpOnly, Secure, a sane expiry) matters as much as protecting the data stored behind it.

Key points

  • Cookie data is stored on the client; session data is stored on the server.
  • A session can hold objects (in the Java Servlet API, any object passed to setAttribute); a cookie holds only a string value.
  • Cookies are not shared across domains: a cookie is only sent back to the host (or Domain attribute) that set it.
  • Sessions do not distinguish paths: within one web application, the same session is visible from every page the user visits. A cookie, by contrast, can carry a Path attribute, and cookies set under different paths of the same site are then not sent to each other. Treat Path as a scoping convenience rather than a security boundary; same-origin script can still reach cookies scoped to another path.
  • To share one session across two domain names, the same session ID has to be written as a cookie under each of the two domains.

Preventing repeated form submission

  1. Block resubmission in JavaScript (for example, ignore a second submit event once the first is in flight).
  2. Disable the submit button after the first click.
  3. Use the session to reject repeats: when the form page is requested, generate a unique token, store it in the server-side session and embed it in the form. On submit, compare the posted token with the one held in the session; if they match, accept the submission and clear the token, otherwise reject it. Only this third method is enforceable, since the first two run on the client and are trivially bypassed. The token scheme has its own failure mode: a malicious user can request the form page repeatedly so that the number of tokens kept in the session grows without bound and eventually exhausts server memory. This is mitigated by also recording the time of each submission in the session and limiting how many submissions a user may make within a given interval; bounding the number of outstanding tokens per session achieves the same end.
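The following is an added example, written for this page rather than taken from the original article, of the token scheme in item 3 together with the two mitigations. An in-memory object stands in for the server-side session; the cap of five outstanding tokens and the two-second minimum interval are assumptions chosen for illustration.

```python
import secrets
from collections import OrderedDict

MAX_OUTSTANDING_TOKENS = 5    # assumption: cap on unused tokens per session (defeats token flooding)
MIN_SUBMIT_INTERVAL_S = 2.0   # assumption: minimum gap between two accepted submissions


class ServerSession:
    """Server-side session record. Only an opaque session id ever reaches the client;
    the tokens and timestamps below never leave the server."""

    def __init__(self):
        self.tokens = OrderedDict()   # token -> time issued, oldest first
        self.last_submit = float("-inf")


def issue_form_token(session, now):
    """Called when the form page is rendered: mint a random token, remember it in
    the session and return it so the form can embed it in a hidden field."""
    token = secrets.token_urlsafe(32)
    session.tokens[token] = now
    # Evict the oldest unused token once the cap is exceeded. A client that reloads
    # the form thousands of times therefore cannot grow the session without bound.
    while len(session.tokens) > MAX_OUTSTANDING_TOKENS:
        session.tokens.popitem(last=False)
    return token


def consume_form_token(session, posted_token, now):
    """Called on POST. Returns (accepted, reason). A token is accepted at most once,
    and no two submissions are accepted within MIN_SUBMIT_INTERVAL_S seconds."""
    if posted_token is None or posted_token not in session.tokens:
        return False, "unknown or already used token"
    if now - session.last_submit < MIN_SUBMIT_INTERVAL_S:
        # Keep the token: the client may retry once the interval has passed.
        return False, "too many submissions in a short interval"
    del session.tokens[posted_token]   # clear it: a replayed POST with the same token fails
    session.last_submit = now
    return True, "accepted"


def replay_demo():
    """Double-click / back-button replay: the second POST with the same token is rejected."""
    s = ServerSession()
    token = issue_form_token(s, now=1000.0)
    first = consume_form_token(s, token, now=1005.0)
    second = consume_form_token(s, token, now=1010.0)
    return first, second


def flooding_demo():
    """1000 reloads of the form leave at most MAX_OUTSTANDING_TOKENS tokens in the session."""
    s = ServerSession()
    for i in range(1000):
        issue_form_token(s, now=2000.0 + i)
    return len(s.tokens)


def rate_limit_demo():
    """Two valid tokens posted one second apart: the second is deferred, not consumed."""
    s = ServerSession()
    a = issue_form_token(s, now=0.0)
    b = issue_form_token(s, now=0.0)
    return (consume_form_token(s, a, now=10.0),
            consume_form_token(s, b, now=11.0),
            consume_form_token(s, b, now=13.0))
```

The token is generated with the CSPRNG in the secrets module so it cannot be predicted by a client that never loaded the form. Eviction of the oldest token is what actually bounds memory; the time interval alone only slows an attacker down.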

Distributed session management implementation schemes

  • Session replication

On a web server that supports session replication, the server is configured to synchronise each session to the other servers in the cluster, so that every server holds a consistent copy of every session.

Advantages: no code changes or application support are needed.

Disadvantages: it depends on a web server that supports replication, and stops working if that server is replaced with one that does not. With a large volume of session data, the replication traffic both consumes network bandwidth and introduces latency.

Applicable scenario: only a small number of web servers and a small amount of session data.

Available solutions: the open-source tomcat-redis-session-manager (which at the time of writing did not support Tomcat 8). Note that this project stores sessions in an external Redis instance, so strictly it is a form of centralised storage rather than replication; true replication is the web server's own clustering feature.

  • Session sticky

Every request from a given user is forced, by some rule in the load balancer (for example an IP hash or a routing cookie), onto one specific web server. As long as that server holds the corresponding session data, session tracking works.

Advantages: simple to use, no extra overhead.

Disadvantages: if a web server restarts or crashes, the sessions it held are lost, and the scheme depends on the load-balancing mechanism.

Applicable scenarios: business scenarios that do not need very high availability.

  • Session centralized management

Session data is stored in a cache on a single server or server cluster, for example Redis, so that all sessions are managed centrally; every web server reads and writes its sessions through this shared store, which is how the sessions become shared.

Advantages: high reliability, and the web servers themselves carry less state and use fewer resources.

Disadvantages: the implementation is somewhat more involved and there is more to configure.

Applicable scenarios: many web servers and a requirement for high availability.

Available solutions: the open-source Spring Session, or a home-grown implementation, which mainly consists of subclassing HttpServletRequestWrapper and overriding getSession() so that it resolves the session from the shared store.
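As an added example (not the article's code and not Spring Session's), the following sketches what centralised management looks like from the web node's point of view: a shared store keyed by session ID, an idle timeout enforced by the store, and two stateless nodes that resolve the session from the request cookie the way an overridden getSession() would. The dict-backed store, the 30-minute TTL and the two AppServer objects are assumptions standing in for a Redis instance and two Tomcat nodes behind a load balancer.

```python
import secrets

SESSION_TTL_S = 1800   # assumption: 30-minute idle timeout, enforced by the store, not the node


class CentralSessionStore:
    """Stands in for Redis: session id -> (data, expires_at). Every node talks to this."""

    def __init__(self):
        self._rows = {}

    def load(self, sid, now):
        row = self._rows.get(sid)
        if row is None or row[1] <= now:
            self._rows.pop(sid, None)          # expired or unknown: the node sees 'no session'
            return None
        data, _ = row
        self._rows[sid] = (data, now + SESSION_TTL_S)   # sliding expiry on each access
        return data

    def save(self, sid, data, now):
        self._rows[sid] = (data, now + SESSION_TTL_S)

    def delete(self, sid):
        self._rows.pop(sid, None)


class AppServer:
    """One stateless web node. Like a request wrapper overriding getSession(), it maps
    the SESSIONID cookie to a record in the shared store instead of local memory."""

    def __init__(self, name, store):
        self.name, self.store = name, store

    def get_session(self, cookies, now):
        sid = cookies.get("SESSIONID")
        data = self.store.load(sid, now) if sid else None
        if data is None:
            sid = secrets.token_urlsafe(32)    # fresh, unguessable id for a new session
            data = {}
            self.store.save(sid, data, now)
        return sid, data

    def login(self, cookies, user, now):
        """Rotate the id when privilege changes, so an id planted before login
        (session fixation) no longer refers to the authenticated session."""
        old_sid, data = self.get_session(cookies, now)
        self.store.delete(old_sid)
        new_sid = secrets.token_urlsafe(32)
        data["user"] = user
        self.store.save(new_sid, data, now)
        return new_sid


def demo():
    store = CentralSessionStore()
    node_a, node_b = AppServer("tomcat-1", store), AppServer("tomcat-2", store)
    t = 0.0
    anon_sid, _ = node_a.get_session({}, t)
    sid = node_a.login({"SESSIONID": anon_sid}, "alice", t)
    # The load balancer sends the next request to the other node: same session, no stickiness.
    _, seen_by_b = node_b.get_session({"SESSIONID": sid}, t + 10)
    # The pre-login id is dead after rotation.
    rotated_away = store.load(anon_sid, t + 10) is None
    # Once the idle timeout passes, the store answers 'no session' and a new id is minted.
    new_sid, data_after = node_b.get_session({"SESSIONID": sid}, t + 10 + SESSION_TTL_S + 1)
    return seen_by_b.get("user"), rotated_away, new_sid != sid, data_after
```

Because the TTL lives in the store, every node applies the same timeout, and a node restart loses nothing: that is the availability property the page attributes to this scheme. Requirement A below (store latency) is exactly the cost of the extra load/save round trip on every request.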

  • Cookie-based management

In this approach the session data itself is placed in a cookie and sent to the server with every request.

Advantages: no dependence on additional external storage, and no extra configuration.

Disadvantages: insecure, since the data lives on the client and can be read, stolen or tampered with unless it is integrity-protected (and, where it must stay confidential, encrypted); the number and size of cookies are limited (browsers cap a single cookie at roughly 4 KB); and every request carries the full state, which costs extra bandwidth.

Applicable scenarios: data that is unimportant, not sensitive and small in volume.
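An added example, not from the original article, of why "easy to tamper with" applies to this scheme and what the minimum fix looks like: a naive cookie that just serialises the state, beside a cookie that carries an HMAC over the payload so the server can detect edits. SECRET_KEY, the payload.mac layout and the 4096-byte limit are assumptions standing in for a real server's configuration and for the per-cookie size ceiling browsers enforce.

```python
import base64
import hashlib
import hmac
import json

SECRET_KEY = b"assumed-server-side-secret-rotate-me"   # assumption: never shipped to clients
COOKIE_LIMIT = 4096                                     # assumption: typical per-cookie ceiling


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _serialise(data: dict) -> str:
    return _b64(json.dumps(data, separators=(",", ":"), sort_keys=True).encode())


def encode_plain(data: dict) -> str:
    """The naive scheme: session data serialised straight into the cookie value."""
    return _serialise(data)


def decode_plain(cookie: str) -> dict:
    """Anyone holding the cookie can decode it, edit it and send it back."""
    return json.loads(_unb64(cookie))


def encode_signed(data: dict, key: bytes = SECRET_KEY) -> str:
    """payload.mac: an HMAC-SHA256 over the payload lets the server detect modification.
    The payload is still readable by the client; this gives integrity, not confidentiality."""
    payload = _serialise(data)
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    cookie = f"{payload}.{mac}"
    if len(cookie) > COOKIE_LIMIT:
        raise ValueError("session state too large for a single cookie")
    return cookie


def decode_signed(cookie: str, key: bytes = SECRET_KEY):
    """Return the data if the MAC verifies, otherwise None. Constant-time comparison."""
    try:
        payload, mac = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(_unb64(payload))


def fits_in_cookie(data: dict) -> bool:
    """True if the signed form of `data` stays within the assumed cookie size limit."""
    try:
        encode_signed(data)
        return True
    except ValueError:
        return False


def tamper_demo():
    """Promote 'alice' to admin in a plain cookie, then try the same edit on a signed one."""
    original = {"user": "alice", "role": "user"}
    # Plain cookie: decode, edit, re-encode. The server has no way to tell.
    forged_plain = encode_plain({**decode_plain(encode_plain(original)), "role": "admin"})
    plain_result = decode_plain(forged_plain)["role"]
    # Signed cookie: swap in an edited payload but keep the original MAC.
    signed = encode_signed(original)
    _, mac = signed.rsplit(".", 1)
    forged_signed = f"{_serialise({**original, 'role': 'admin'})}.{mac}"
    return plain_result, decode_signed(forged_signed), decode_signed(signed)
```

The MAC closes the tampering gap only. It does nothing against theft and replay (a copied cookie is still valid until it expires), it offers no server-side revocation, and the payload remains legible to the client, so secrets must not be placed in it even when signed. Those limits are why the page restricts this scheme to unimportant, non-sensitive data.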

[Of these four methods, centralised session management is comparatively the most reliable and the most widely used.]

Characteristics a centralised session management solution should have

A. The intermediate storage medium must be fast to read and write. The earlier schemes kept the session object in the web server's own memory, which is very fast. With centralised management, every session read and write goes over the network, so the storage medium itself has to be fast enough to keep that cost acceptable.

B. The intermediate storage medium must be highly available. Once sessions are centralised, every session of the whole application lives in that medium; if it is unstable, the whole application is unstable.

C. The scheme should be transparent to the code that uses sessions: after switching to centralised management, callers should not notice any difference.

D. The scheme should not be coupled to any one web server, and should work with all conventional web servers.

Measured against these criteria, the technology choice for a centralised session solution comes down to two aspects: the session storage medium and how the management scheme is implemented.

Implementing the management scheme

Two centralised session management solutions are commonly used: Memcache-Tomcat-Session and Spring Session.

Memcache-Tomcat-Session is an open-source solution that implements centralised session management on top of Memcache and Tomcat. It works by extending Tomcat's session manager and replacing the default manager in Tomcat's configuration. Although relatively simple to set up, it is coupled to Tomcat and cannot be used with other web servers.

Spring Session is the session management solution provided by Spring. A servlet filter intercepts every request and wraps it in a request wrapper class that takes over session handling. Spring Session is not coupled to any web server and works with all regular servlet containers. It also provides features such as multiple sessions in a single browser.

Despite its advantages, Spring Session involves a fairly large amount of code to implement session management, and it has to be used together with Spring Data Redis (or another supported backing store). The learning curve is correspondingly steeper, and problems can be harder to debug and maintain.