Briefly on Cookie and Session Mechanism and Practical Application

The Cookie mechanism keeps state on the client side, and the Session mechanism keeps state on the server side.

Advantages and disadvantages:

Cookies. Advantages: highly scalable and usable. With careful programming, the size of the session data stored in the cookie can be kept under control. Encryption and secure transport (SSL) reduce the chance of a cookie being cracked. Store only non-sensitive data in cookies, so that even if one is stolen there is no major loss. Limit the cookie's lifetime so that it does not last forever; a thief will then most likely obtain only an expired cookie.

Disadvantages: limits on the number and length of cookies. Each domain can have at most 20 cookies, and each cookie cannot exceed 4KB, otherwise it is truncated. Security issues: if a cookie is intercepted, the interceptor obtains all of the session information. Even encryption does not help, because the interceptor does not need to understand the cookie; he can simply forward it as it is. Some state cannot be kept on the client side. For example, to prevent repeated form submissions we need a counter on the server side; kept on the client side, that counter achieves nothing.

Session. Advantages: if a variable has to be passed between many web pages, a Session variable simplifies the problem compared with passing it through the QueryString. To make a web site customizable, consider using Session variables. A Session variable can be used directly whenever it is needed without declaring it in advance, much like variables in VB, and there is no need to release it after use, since it is released automatically.

Disadvantages: Session variables and cookies are of the same type: if a user configures the browser to refuse all cookies, that user cannot use Session variables at all. When a user visits a page, the runtime environment of each Session variable is generated automatically, and these Session variables remain for 20 minutes after the user leaves the page. (In fact they persist until the "timeout", whose length is set by the web server administrator; on some sites variables persist for only 3 minutes, on some for 10 minutes, and on some for the default of 20 minutes.) So putting large objects (ADO recordsets, connections and the like) into the Session is asking for trouble: as traffic to the site grows, the server will no longer function properly. Because Session variables can be created arbitrarily and called at any time, without any precise handling by developers, excessive use of Session variables makes code unreadable and hard to maintain.


Cookies do not cross domains. According to the cookie specification, a browser visiting Google carries only Google's cookies and not Baidu's, and Google can operate only on Google's cookies, not on Baidu's. The Session object is created when the client first requests the server. The Session mechanism ensures that the current client obtains only its own Session and never anyone else's; each client's sessions are independent of one another and invisible to one another. Sessions are more convenient to use than cookies, but storing too many sessions in server memory puts pressure on the server.
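The "keep the counter on the server side" point above, worked out as a one-time form token held in the HttpSession. This is an added example written for this page, not code from the original article; the servlet path, the attribute name orderFormToken and the order form itself are constructed for illustration. The token is stored only on the server, so a client that resubmits the same form (or replays the POST) cannot make the check pass a second time.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet: GET renders a form carrying a one-time token that is
// recorded in the server-side session; POST accepts the form only when the
// submitted token matches the stored one, and then discards it.
@WebServlet("/order")
public class OrderFormServlet extends HttpServlet {
    private static final String TOKEN_ATTR = "orderFormToken"; // assumed attribute name
    private static final SecureRandom RNG = new SecureRandom();

    // 128 random bits, base64url-encoded: safe to embed in HTML without escaping.
    private static String newToken() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String token = newToken();
        req.getSession(true).setAttribute(TOKEN_ATTR, token); // the state lives on the server
        resp.setContentType("text/html;charset=UTF-8");
        resp.getWriter().print("<form method=\"post\">"
                + "<input type=\"hidden\" name=\"token\" value=\"" + token + "\">"
                + "<input name=\"item\"><button>Order</button></form>");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false); // never create a session on POST
        String submitted = req.getParameter("token");
        boolean accepted = false;
        if (session != null && submitted != null) {
            // Check-and-remove under the session lock so that two simultaneous
            // submissions of the same form cannot both pass the check.
            synchronized (session) {
                Object expected = session.getAttribute(TOKEN_ATTR);
                if (expected instanceof String && constantTimeEquals((String) expected, submitted)) {
                    session.removeAttribute(TOKEN_ATTR); // consume it: a replayed POST now fails
                    accepted = true;
                }
            }
        }
        if (!accepted) {
            resp.sendError(HttpServletResponse.SC_CONFLICT, "form already submitted or token missing");
            return;
        }
        // ... place the order here ...
        resp.setContentType("text/plain");
        resp.getWriter().println("order accepted");
    }

    // Compare without leaking, through timing, how many leading bytes matched.
    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}
```

Because the token is random and lives in the session rather than in a cookie, the client cannot forge or reuse it; the cost is exactly the server-side memory the article warns about, so the attribute is removed as soon as it has been consumed.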


Table 1.1 Common Cookie Attributes

Property name | Description
--- | ---
String name | The name of this cookie. Once the cookie is created, the name cannot be changed.
Object value | The value of this cookie. If the value contains Unicode characters, they must be character-encoded. If the value is binary data, it must be Base64-encoded.
int maxAge | The time until this cookie expires, in seconds. If positive, the cookie expires maxAge seconds later. If negative, the cookie is a temporary cookie that expires when the browser is closed, and the browser does not persist it in any form. If 0, the cookie is deleted. The default is -1.
boolean secure | Whether this cookie is transmitted only over a secure protocol. Secure protocols such as HTTPS and SSL encrypt the data before it is sent over the network. The default is false.
String path | The path for which this cookie is used. If set to "/sessionWeb/", only the application whose contextPath is "/sessionWeb" can access the cookie. If set to "/", every contextPath under this domain can access the cookie. Note that the last character must be "/".
String domain | The domain that can access this cookie. If set to ".google.com", all domain names ending in "google.com" can access the cookie. Note that the first character must be ".".
String comment | A description of what the cookie is for. The browser shows this description when it displays cookie information.
int version | The version of the cookie specification this cookie follows. 0 means Netscape's cookie specification, 1 means the W3C RFC 2109 specification.
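The attributes from Table 1.1 put to use in a servlet that stores a non-sensitive UI preference, which is the kind of data the article recommends for cookies. This is an added example, not code from the original page; the servlet path, the cookie name uiTheme and the one-week lifetime are assumptions. It sets maxAge, path and secure from the table, plus HttpOnly, which is not in the table but is available on javax.servlet.http.Cookie since Servlet 3.0, and it shows deletion with maxAge 0, which only works when the name and path match the original cookie.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet storing a non-sensitive UI preference in a cookie.
@WebServlet("/prefs")
public class PreferenceCookieServlet extends HttpServlet {
    private static final String COOKIE_NAME = "uiTheme";          // assumed cookie name
    private static final int ONE_WEEK_SECONDS = 7 * 24 * 60 * 60; // maxAge is in seconds

    // Path the cookie is scoped to: this application's contextPath plus the trailing "/".
    private static String cookiePath(HttpServletRequest req) {
        return req.getContextPath() + "/";
    }

    // POST /prefs?theme=dark  -> set the cookie
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Whitelist the value: only two known strings ever reach the cookie.
        String theme = "dark".equals(req.getParameter("theme")) ? "dark" : "light";
        Cookie cookie = new Cookie(COOKIE_NAME, theme);
        cookie.setMaxAge(ONE_WEEK_SECONDS); // positive: persisted, expires after one week
        cookie.setPath(cookiePath(req));
        cookie.setSecure(req.isSecure());   // sent only over HTTPS when it was set over HTTPS
        cookie.setHttpOnly(true);           // Servlet 3.0+: not readable by page scripts
        resp.addCookie(cookie);
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    // GET /prefs -> read the cookie back, falling back to the default when absent
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String theme = "light";
        Cookie[] cookies = req.getCookies(); // null when the request carries no cookies
        if (cookies != null) {
            for (Cookie c : cookies) {
                // The value comes from the client, so it is re-validated rather than trusted.
                if (COOKIE_NAME.equals(c.getName()) && "dark".equals(c.getValue())) {
                    theme = "dark";
                }
            }
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("theme=" + theme);
    }

    // DELETE /prefs -> remove the cookie: maxAge 0 with the same name and path
    @Override
    protected void doDelete(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Cookie cookie = new Cookie(COOKIE_NAME, "");
        cookie.setMaxAge(0);
        cookie.setPath(cookiePath(req)); // must match the path used when the cookie was set
        resp.addCookie(cookie);
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

For a cookie that carries a session identifier rather than a preference, the secure flag should be set unconditionally instead of mirroring req.isSecure(), so that the identifier is never sent over plain HTTP.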



Table 1.2 Common HttpSession Methods

Method name | Description
--- | ---
void setAttribute(String attribute, Object value) | Sets a session attribute. The value parameter can be any Java Object, usually a JavaBean. The value should not be too large.
String getAttribute(String attribute) | Returns a session attribute.
Enumeration getAttributeNames() | Returns the names of the attributes present in the session.
void removeAttribute(String attribute) | Removes a session attribute.
String getId() | Returns the session's ID. The ID is created automatically by the server and is never duplicated.
long getCreationTime() | Returns the session's creation time. The return type is long, which is commonly converted to a Date, for example: Date createTime = new Date(session.getCreationTime())
long getLastAccessedTime() | Returns the time the session was last active. The return type is long.
int getMaxInactiveInterval() | Returns the session's timeout, in seconds. If the session is not accessed within this time, the server considers it expired.
void setMaxInactiveInterval(int second) | Sets the session's timeout, in seconds.
void putValue(String attribute, Object value) | Deprecated method. Replaced by setAttribute(String attribute, Object Value).
Object getValue(String attribute) | Deprecated method. Replaced by getAttribute(String attr).
boolean isNew() | Returns whether this session was newly created.
void invalidate() | Invalidates this session.

The default session timeout in Tomcat is 20 minutes. It can be changed with setMaxInactiveInterval(int seconds). The default session timeout can also be changed in web.xml; for example, to change it to 60 minutes:

<session-config>
   <session-timeout>60</session-timeout>      <!-- unit: minutes -->
</session-config>

Note: the <session-timeout> parameter is in minutes, whereas setMaxInactiveInterval(int s) is in seconds.



Cookies can implement persistent login; Sessions can implement user login.
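The "Session implements user login" idea, using the HttpSession methods from Table 1.2 and the seconds-versus-minutes timeout distinction. This is an added example, not code from the original article; the servlet path, the attribute name authenticatedUser, the 30-minute idle timeout and the constructed demo credentials are all assumptions. Login invalidates any session that existed before authentication and then creates a fresh one, so the session ID the browser ends up with was never in use before the user proved who they are; logout invalidates the session so the cookie alone becomes worthless.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Date;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical login servlet: POST logs in, GET reports the current user, DELETE logs out.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    private static final String USER_ATTR = "authenticatedUser"; // assumed attribute name
    private static final int IDLE_TIMEOUT_SECONDS = 30 * 60;     // per-session override, in seconds

    // Constructed credentials for the example only; a real application checks a
    // salted password hash against its user store instead of a literal.
    private static boolean credentialsValid(String user, String password) {
        return "demo".equals(user) && MessageDigest.isEqual(
                password.getBytes(StandardCharsets.UTF_8),
                "demo-password".getBytes(StandardCharsets.UTF_8));
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user");
        String password = req.getParameter("password");
        if (user == null || password == null || !credentialsValid(user, password)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Drop whatever session existed before authentication, so the ID handed
        // to the browser now was not known to anyone before the login succeeded.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = req.getSession(true);
        session.setAttribute(USER_ATTR, user);                // a small value, not a heavy object
        session.setMaxInactiveInterval(IDLE_TIMEOUT_SECONDS); // seconds, unlike web.xml's minutes
        resp.setContentType("text/plain");
        resp.getWriter().println("logged in; session is " + (session.isNew() ? "new" : "reused"));
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false); // do not create one just to look
        Object user = session == null ? null : session.getAttribute(USER_ATTR);
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "not logged in");
            return;
        }
        // The session ID itself is deliberately never written to the response or to logs.
        resp.setContentType("text/plain");
        resp.getWriter().println("user=" + user
                + " created=" + new Date(session.getCreationTime())
                + " timeout-seconds=" + session.getMaxInactiveInterval());
    }

    @Override
    protected void doDelete(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate(); // the server forgets the state; the cookie is now useless
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

The 30-minute value passed to setMaxInactiveInterval applies only to this session; the web.xml <session-timeout> of 60 stays the default for sessions that do not override it, and that one is in minutes.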

