Explain the relationship and difference between COOKIE and SESSION in detail

 

Author | GeTui web front-end architect Jiang Jiting

 

In technical interviews, candidates are often asked to "talk about the difference between cookies and sessions". As everyone knows, sessions are stored on the server side and cookies on the client side. But if you were asked to explain in more detail, what else could you say? Today I will talk with you about "Cookie and Session".

 

 

What are cookies?

 

 

From the meaning of its word itself:

Cookie:

     n. biscuits; small desserts

    N-COUNT A cookie is a piece of computer software which enables a website you have visited to recognize you if you visit it again.

 

A cookie is a mechanism by which the client saves user information; it is used to record some of the user's data. How does a site recognize a specific visitor? Cookies make this possible. With every HTTP request, the client sends the matching cookie information to the server. A cookie's expiration time can be set arbitrarily; if you do not actively clear it, it can be retained for a long time, even if the computer is shut down in the meantime.

 

Since it is stored on the client side, it follows that I could tamper with the locally stored information by some means in order to fool certain policies on the server side. What should be done about that? Let us set that question aside for now and look at another friend: Session.

 

What is Session?

 

Again, let's look at the definition first:

Session:

    Common Interpretation: n. Meeting;

    Computer Definition: Conversation

 

A Session is a mechanism by which the server records user state under the stateless HTTP protocol in order to identify a specific user. It is a data structure stored on the server to track the user's state, and it can be kept in a file, a database or a cluster. The session disappears after the browser is closed and is no longer available the next time it is opened. In fact, the Session itself has not disappeared; rather, the Session ID has changed. The server may still hold your previous Session ID and its Session data, but they are in an ownerless state and may be deleted after a period of time.

 

In fact, both Cookie and Session are ways of maintaining a session. A typical usage scenario is the "shopping cart": when you click the order button, the server does not by itself know which user performed which operation. In order to identify and track the user and know how many items are in the shopping cart, the server creates a Cookie/Session for the user and obtains this information through it.

 

If your site is deployed on multiple nodes and uses Nginx for load balancing, sessions may be lost (for example, you are suddenly logged out). In that case you can use IP-based load balancing (Nginx's ip_hash: each request is assigned according to the hash of the visitor's IP, so that each visitor always reaches the same backend server, which solves the session problem), or store the session information in a cluster. Large websites generally have a dedicated Session server cluster to store user sessions; in that case a cache service such as Memcached or Redis can be used to store the Session.

 

At present most applications use cookies to implement session tracking. When a Session is created for the first time, the server returns the Session ID to the client in the HTTP response and the client records it in a Cookie, so that on every later request the server can tell who you are. Someone may ask: what if cookies are disabled in the client's browser? In that case URL rewriting can be used for session tracking, that is, a parameter such as sid=xxxxx is appended to the URL on every HTTP interaction so that the server can identify the user from it.

 

Another way of looking at it~

 

The communication between the client and the server can be simply understood as follows:

For example, at a technical sharing salon you find that a lecturer speaks very well, so after the talk you ask him a few questions and he answers them. That is a conversation. But the lecturer is very popular, so the staff collect the questions and give each questioner a numbered plate; the lecturer then answers in turn according to the number plates and passes each answer to the corresponding person. That is a Session. Some time later, when you meet the lecturer again, he sees that you still have the answer from last time and realizes that you are that studious programmer. You are overjoyed: wow, the lecturer recognized me! That is a Cookie, your little dessert. The client is the technology enthusiast attending the talk, and the server is the lecturer.

 

 

Cookies are also used in some user-friendly scenarios. For example, you have logged in to a website once and do not want to type your account name again the next time you log in. What can be done? This information can be written into a cookie; when you visit the website again, the page's script can read it and fill in the user name automatically, which is convenient for the user and gives them a little sweetness.

 

Conclusion:

 

1. A Cookie lives on the client side (the browser); a Session lives on the server side.

2. Cookie security is only moderate: others can forge cookies by analysing the ones stored locally. With safety first, Session is the better choice: important interactive information such as permissions should be placed in the session, while general records can be placed in cookies.

3. A single cookie cannot hold more than 4K of data, and many browsers limit a site to at most 20 cookies.

4. A Session can be kept in a file, a database or memory, for example saved in Redis when using Node. Since it is stored on the server for a certain period, heavy traffic consumes a lot of server resources; cookies should be used where appropriate to reduce the load on the server.

5. Session handling depends on the Session ID, and the Session ID lives in a Cookie, so if the browser disables Cookies the Session also becomes unusable (though it can be achieved in other ways, such as passing the Session ID in the URL).

6. Sessions are generally used for user authentication. Therefore, the core of maintaining a session is the unique identification of the client, that is, the Session ID.

 

A side note: so, can a Session Cookie be tampered with?

In theory, yes; it is enough to change the Session ID used for the connection~
