The HTTP protocol itself is stateless. What does statelessness mean? The server cannot tell from a request alone which user sent it, and so cannot relate a request to the one before it. Session tracking technology is needed to bridge this gap.
Cookies are the usual means of working around HTTP's statelessness: the server can set, and later read back, the information carried in a cookie. So what is a cookie?
1. Introduction to Cookies
1.1. Definition of cookies
A cookie is a small piece of text that the web server stores in the user's browser, in the format key=value, containing information about that user.
1.2. Principle of cookie authentication
1.3. Classification of cookies
1.3.1. Session cookie: stored in memory and automatically cleared when the browser is closed.
2. Introduction to Session
2.1. The definition of session
A session relies on cookies to work. The session itself is a server-side object: a piece of storage space that the server allocates for the duration of the interaction between the browser and the server.
By default the server places a session id in a cookie that it sets on the browser. The browser sends that cookie, including the session id, with each request to the server; the server looks up the data stored in the session under that id and thereby determines the identity behind the session.
2.2. Session mechanism
- Client A accesses the server, and the server stores A's data;
- The server returns a key (the session id) to client A, and A brings this key on its next access to the server;
- The server can then hand back client A's data;
- If load balancing is in use and client A's request lands on another server, that server does not have client A's data.
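The mechanism above, as an added toy example that is not part of the original post: two independent server instances each keep sessions in their own memory (an assumed in-process dictionary, not any real framework), a cookie carries the session id, and a request that a load balancer forwards to the other instance finds no session.

```python
import secrets


class SessionServer:
    """One server instance whose session store lives only in its own memory (assumed toy model)."""

    def __init__(self, name: str):
        self.name = name
        self.sessions: dict[str, dict] = {}  # session id -> user data, local to this instance

    def login(self, username: str) -> str:
        """Steps 1-2: store the user's data and hand the client the key (session id) in a cookie."""
        sid = secrets.token_urlsafe(16)      # unpredictable id, so it cannot be guessed
        self.sessions[sid] = {"user": username}
        return f"sessionid={sid}"             # value the client will echo in its Cookie header

    def handle(self, cookie_header: str) -> tuple[int, str]:
        """Step 3: look up the data under the session id carried in the Cookie header."""
        pairs = (p.strip().split("=", 1) for p in cookie_header.split(";") if "=" in p)
        sid = dict(pairs).get("sessionid")
        data = self.sessions.get(sid)
        if data is None:
            return 401, f"no session on server {self.name}"
        return 200, data["user"]


def demo() -> tuple[tuple[int, str], tuple[int, str]]:
    """Log in against server A, then replay the same cookie against A and against B."""
    server_a = SessionServer("A")
    server_b = SessionServer("B")
    cookie = server_a.login("alice")         # constructed sample user
    on_a = server_a.handle(cookie)           # same server: session found
    on_b = server_b.handle(cookie)           # load balancer forwarded to B: session unknown
    return on_a, on_b


if __name__ == "__main__":
    print(demo())
```

Sharing the session store (a database or cache reachable by every instance) or sticky routing is what production deployments use to avoid the second result.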
2.3. Disadvantages of Session
The Session mechanism has drawbacks. For example, server A stores the session; if load balancing is in use and the number of visits to A surges during some period, requests are forwarded to server B. But B does not store A's session, so the session becomes invalid.
3. The difference between cookie and session
3.1. Storage location
Cookie data: stored on the client, in the browser or locally on disk
Session data: can only be stored on the server
3.2. Security
Cookie: poor security; others can analyze the cookies stored locally and use cookie spoofing to attack the website
Session: relatively higher security
3.3. Occupying server resources
Cookie: small consumption of server resources
Session: kept on the server for a period of time; as the number of visits grows, it consumes more server resources. To reduce the load on the server, cookies should be used
3.4. Storage space
Single cookie: the saved data cannot exceed 4K, and many browsers limit a site to at most 20 cookies
Session: no size limit other than the memory available on the server
3.5. Storage type
Cookie: can only store values of type String
Session: can store any Java object
3.6. Summary recommendations
Store important information, such as login state, in the Session; other information that needs to be kept can be placed in a Cookie.
4. Token Introduction
4.1. Introduction of token
Tokens arose in the following context: when a client frequently requests data from the server, the server has to go to the database each time to look up the user name and password, compare them, judge whether they are correct, and return the corresponding response.
4.2. Definition of token
A Token is a string generated by the server that serves as a credential for the client's requests;
After the first login, the server generates a Token and returns it to the client;
From then on, the client only needs to carry this Token when requesting data, without sending the user name and password again.
4.3. Purpose of using Token
The purpose of the Token is to reduce the pressure on the server, avoid frequent database queries, and make the server more robust.
4.4. token authentication principle
Token authentication: client A accesses the server, the server issues A a token, client A presents the token on later accesses, the server verifies the token and returns the data belonging to the token's user.
In short, the Token is generated on the server side. The front end requests authentication from the server with a username/password; if authentication succeeds, the server returns a Token to the front end. The front end then carries the Token on every request to prove its identity.
5. The difference between session and token
- The token is stored on the client side; the session is stored on the server side;
- Token provides both authentication and authorization. As a means of identity authentication, a token is more secure than a session, because each request carries a signature that can prevent eavesdropping and replay attacks, whereas a session must rely on the link layer to secure the communication. If stateful sessions are needed, a session can still be added to keep some state on the server side;
- The token does not necessarily have to be stored; the session is stored on the server, which increases the pressure on the server;
- Tokens can cross domains; sessions cannot, as they are bound to a domain name, and their scalability is weak;
- Tokens suit projects with front-end/back-end separation (front-end and back-end code running on different servers); session storage only applies when client code and server code run on the same server;
- Token trades time for space; session trades space for time;
- Token is defined by the developers; session is specified by the HTTP protocol;
- Both token and session are used for authentication (token translates as "token", session as "session");
- Both token and session need their expiry time managed.
Apps usually talk to the server through a RESTful API. REST is stateless, so the app does not need to keep a session in cookies the way a browser does; carrying a session or a token is enough to identify itself.