The relationship and difference between cookie, session, token and webStorage

| | cookie | session | token | sessionStorage | localStorage |
|---|---|---|---|---|---|
| Concept | Data that can be stored persistently in the browser; it is only a storage facility implemented by the browser. | Keeps the data produced during a session on the server side; a server-side technology. | Also called a token (令牌); consists of uid + time + sign [+ fixed parameters]. | Web Storage, the client-side local storage added by HTML5, lets JavaScript save data in the browser as key-value pairs; it is divided into sessionStorage and localStorage. | Same as sessionStorage: the other half of Web Storage. |
| Life cycle | Generated by the server, which can set an expiration time. A cookie created on the browser side expires when the browser is closed by default. | The server uses the session to hold the user's information temporarily; the session is destroyed after the user leaves the site. | Time-sensitive: the user must re-authenticate after a period. Tokens can also be revoked; token revocation invalidates one specific token or a group of tokens issued for the same authentication. | Valid only for the current browser session; cleared when the page or browser is closed. | Kept in the browser permanently unless the user clears it manually. |
| Relationship with the server | The cookie, carrying the sessionId, is stored on the client; the browser adds it automatically to the HTTP request headers. | Stored on the server under a unique identifier, the sessionId, which is kept in the client's cookie. When the server receives the cookie it extracts the sessionId and looks it up in its session list to find the matching session. | uid + time + sign [+ fixed parameters]; the user information is encrypted into the token, and after receiving and decrypting it the server knows which user it belongs to. It must be attached to requests manually by the developer. | Saved only on the client (browser); takes no part in communication with the server. | Same as sessionStorage: stays in the browser only. |
| Data size | 4KB | Unlimited | / | 5MB | 5MB |
| Safety | Risk of XSS injection | cookie + session provides user authentication but cannot resist CSRF (cross-site request forgery) | Can resist CSRF | Risk of XSS injection | Risk of XSS injection |

To sum up the difference: a cookie is basic information stored on the client that the service does not keep; the client sends it with every request, and it may hold account information, browsing history and so on. A session is kept by the service locally, and its identifier is sent to the client; the client carries it on every visit and the service compares it directly with the stored session. A token is computed by the service and sent to the client, and the service does not store it; on every client request the service verifies, by decryption and similar calculations, that it issued the token itself.
Origin blog.csdn.net/weixin_67665876/article/details/127454872