Java Basics Review Part 8 - Session and Cookies | Single Sign On

1. Session and Cookie

Session: a scheme for maintaining state on the server side.

The session data is stored on the server; the browser only holds the session id.

If the browser disables cookies, how is the session id passed back to the server? It is put on the request URL (URL rewriting) or hidden in a form field.

When there are very many requests, the server has to store very many session ids, which affects performance.

Sessions are generally used to store important information such as login information.


Cookie: a scheme for maintaining state on the client side.

Cookies are stored in the client's browser.

If no timeout is set, the cookie disappears when the browser is closed (this kind of cookie is called a session cookie and is kept in memory).

If a timeout is set, the cookie is saved on the hard disk until it expires.

Because it is stored on the client side, it is easy to counterfeit, so it is not safe.

The size of a cookie is limited and cannot exceed 3K.

Cookies are generally used to store non-important information that nevertheless needs to be kept.
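To make the session/cookie distinction concrete, here is an added example that is not code from the original post: a minimal server-side session store, the Set-Cookie header it sends (with and without a timeout), and the fallback of reading the session id from the URL or a hidden form field when cookies are disabled. It is written in Python with the standard library so that it runs stand-alone; the cookie name JSESSIONID and the `;jsessionid=` URL form follow the Java servlet convention but any opaque name works, and the login data is constructed sample data.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Cookie name and URL-rewriting marker follow the servlet convention (assumed; any name works).
SESSION_COOKIE = "JSESSIONID"
URL_MARKER = ";jsessionid="


class SessionStore:
    """Server-side state: login data lives here, the browser only holds an opaque random id."""

    def __init__(self, ttl_seconds=1800):
        self._sessions = {}          # session id -> {"data": ..., "expires": ...}
        self.ttl = ttl_seconds

    def create(self, data):
        sid = secrets.token_urlsafe(32)   # unguessable, so a client cannot pick a valid id
        self._sessions[sid] = {"data": dict(data), "expires": time.time() + self.ttl}
        return sid

    def get(self, sid):
        entry = self._sessions.get(sid)
        if entry is None:
            return None               # unknown or forged id: treated as not logged in
        if entry["expires"] < time.time():
            del self._sessions[sid]   # expired server-side, regardless of what the client sends
            return None
        return entry["data"]

    def invalidate(self, sid):
        self._sessions.pop(sid, None)


def session_cookie_header(sid, max_age=None):
    """Value of the Set-Cookie header carrying the session id.

    Without Max-Age the browser keeps the cookie in memory and drops it on close
    (a session cookie); with Max-Age it is written to disk until it expires.
    """
    c = SimpleCookie()
    c[SESSION_COOKIE] = sid
    m = c[SESSION_COOKIE]
    m["path"] = "/"
    m["httponly"] = True      # page scripts cannot read the id
    m["secure"] = True        # only sent over HTTPS
    m["samesite"] = "Lax"
    if max_age is not None:
        m["max-age"] = max_age
    return m.OutputString()


def extract_session_id(cookie_header=None, url="", form=None):
    """Locate the session id the way a server does when cookies may be disabled:
    cookie first, then the rewritten URL (/path;jsessionid=...), then a hidden form field."""
    if cookie_header:
        c = SimpleCookie()
        c.load(cookie_header)
        if SESSION_COOKIE in c:
            return c[SESSION_COOKIE].value
    if URL_MARKER in url:
        tail = url.split(URL_MARKER, 1)[1]
        return tail.split("?", 1)[0].split("/", 1)[0]
    if form and SESSION_COOKIE in form:
        return form[SESSION_COOKIE]
    return None


def demo():
    """Constructed walk-through: a login creates a session and the id travels back three ways."""
    store = SessionStore(ttl_seconds=60)
    sid = store.create({"user": "alice", "role": "admin"})   # constructed sample login data
    via_cookie = extract_session_id(cookie_header=f"{SESSION_COOKIE}={sid}")
    via_url = extract_session_id(url=f"/app/home{URL_MARKER}{sid}?tab=1")
    via_form = extract_session_id(form={SESSION_COOKIE: sid})
    all_match = via_cookie == via_url == via_form == sid
    forged = store.get("made-up-id")   # nothing is stored under a made-up id -> None
    return all_match, forged, session_cookie_header(sid), store.get(sid)


if __name__ == "__main__":
    print(demo())
```

The point to notice is that the only thing the client ever holds is the random id: the login information itself never leaves the server, so editing the cookie, URL or form value cannot change who the server thinks the user is, it can only produce an unknown id that is treated as not logged in.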


2. Understanding Single Sign-On (SSO)

Every enterprise accumulates a variety of old and new application systems, each with its own architecture, business logic and data storage. The old systems cannot simply be thrown away, so they keep being used. What problem does this mix of systems create for the enterprise? The first impression is that it is messy and inconvenient to maintain. This is where EAI (Enterprise Application Integration) comes in: it covers business integration, data consolidation and so on, and it also includes a very important piece, unified identity authentication (SSO), which is what we need to understand here.


SSO, single sign-on, unifies the identity authentication of all related application systems: users log in only once and can then access all mutually trusting application systems.

So what are the benefits of SSO?

Logging in only once gives a better user experience, and it also reduces security risks and management costs.


How is SSO implemented technically?

We can make an analogy. When we visit a scenic area with many attractions, we normally have to buy a ticket for each one. With many attractions, buying a ticket every time is troublesome. Could we buy one ticket and use it to visit every attraction? The answer is yes.

The technical mechanism of SSO: there are several application systems. When we access one of them, an independent authentication system verifies the user's information and generates a unique ticket, which is returned to the user. When we then access another application system, the request carries this unique ticket, and the independent authentication system checks the ticket to decide whether the user may access that system.

The mechanism is shown in the following diagram:

[Diagram: SSO technical implementation mechanism (image not preserved)]


If we want to implement SSO, we need to do the following:

1. A unified identity authentication system shared by all application systems;

2. All application systems must be able to recognise and extract the unique identifying ticket.


The simplest SSO can be implemented with cookies: the authentication system generates a unique ticket, which is passed between the different application systems in a cookie. However, cookie-based SSO has great limitations in security, functionality and performance: for example the protection of the cookie itself, the authentication methods supported, the performance of filtering resource access, and so on.
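The ticket mechanism described above, as an added example that is not part of the original post: an independent authentication system checks the password once and issues a signed, expiring ticket; each application system reads that ticket from a shared SSO cookie and hands it back to the authentication system for checking instead of trusting the cookie contents itself, which is the first of the cookie-security limitations mentioned. It is Python with the standard library only; the cookie name SSO_TICKET, the HMAC-SHA256 ticket format, the nonce-based single sign-out and the demo account are my assumptions, not something the post specifies.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SSO_COOKIE = "SSO_TICKET"   # assumed cookie name shared by all application systems


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthServer:
    """The independent authentication system: verifies credentials once and issues tickets.
    The signing key never leaves this component."""

    def __init__(self, ticket_key, ttl_seconds=300):
        self._key = ticket_key
        self.ttl = ttl_seconds
        self._users = {}       # username -> (salt, pbkdf2 hash); constructed demo store
        self._revoked = set()  # nonces of tickets invalidated by logout

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _sign(self, payload):
        return b64url_encode(hmac.new(self._key, payload.encode(), hashlib.sha256).digest())

    def login(self, username, password):
        """Returns a ticket on success, None otherwise."""
        rec = self._users.get(username)
        if rec is None:
            return None
        salt, stored = rec
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        body = {"sub": username, "exp": int(time.time()) + self.ttl, "nonce": secrets.token_hex(8)}
        payload = b64url_encode(json.dumps(body, separators=(",", ":")).encode())
        return f"{payload}.{self._sign(payload)}"

    def validate(self, ticket, now=None):
        """Called by application systems: returns the username or None."""
        if not ticket or ticket.count(".") != 1:
            return None
        payload, sig = ticket.split(".")
        if not hmac.compare_digest(self._sign(payload), sig):
            return None                   # forged or tampered ticket
        body = json.loads(b64url_decode(payload))   # only decoded after the signature passed
        if body["nonce"] in self._revoked:
            return None                   # signed out everywhere
        if body["exp"] < (time.time() if now is None else now):
            return None                   # expired
        return body["sub"]

    def logout(self, ticket):
        """Single sign-out: refuse this ticket from now on in every application system."""
        if self.validate(ticket) is None:
            return False
        self._revoked.add(json.loads(b64url_decode(ticket.split(".")[0]))["nonce"])
        return True


class AppSystem:
    """One of the mutually trusting applications: it never sees the key or a password,
    it only forwards the ticket from the SSO cookie to the authentication system."""

    def __init__(self, name, auth):
        self.name, self.auth = name, auth

    def handle_request(self, cookies):
        user = self.auth.validate(cookies.get(SSO_COOKIE))
        if user is None:
            return 302, f"{self.name}: redirect to the login page"
        return 200, f"{self.name}: hello {user}"


def demo():
    auth = AuthServer(ticket_key=secrets.token_bytes(32))
    auth.register("alice", "correct horse")          # constructed demo account
    crm, wiki = AppSystem("crm", auth), AppSystem("wiki", auth)
    browser = {SSO_COOKIE: auth.login("alice", "correct horse")}   # one login, one cookie
    return crm.handle_request(browser), wiki.handle_request(browser)


if __name__ == "__main__":
    print(demo())
```

Two design choices carry the security weight: the application systems hold neither the signing key nor any password, so compromising one of them does not let it mint tickets for the others, and a ticket whose signature does not verify is rejected before its payload is even decoded, so an edited cookie simply sends the user back to the login page.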


Summary: single sign-on is easy to understand, but a complete implementation still has many aspects to consider: security, support for different authentication methods (digital certificates, SecurID and other schemes) and so on. There is clearly still much work to do to truly understand and master single sign-on.
