PHP basics: Session & Cookie

 

The main differences between cookies and sessions

(1) Different storage location

Cookie data is stored in the client's browser; the server does not keep a copy. Session data is stored on the server, although the client also keeps a small piece locally (the session ID, normally in a cookie).

 

(2) Different security

Cookies are less secure than sessions. Ordinary cookies are written to the local disk, and an attacker who manages to run script on the page (an XSS attack launched through a forged URL, for example) can read the cookies the browser holds and steal sensitive user information. (A cookie marked HttpOnly is out of reach of JavaScript, but it is still sent with every request.)

Sessions are different: the user's data never leaves the server, so an XSS attack can at most obtain the session identifier, and only while the user is logged in to the site. When the browser is closed the session cookie is discarded and the session is effectively gone, so sessions are safer than cookies.

 

(3) Different cross-domain support

Cookies support cross-domain access (across subdomains): for example, setting the domain attribute to ".biaodianfu.com" makes the cookie readable by every host under biaodianfu.com. Cross-domain cookies are widely used on the web today, at sites such as Google, Baidu and Sina. Sessions do not support cross-domain access; a session is valid only within the domain in which it was created.

 

(4) Different server load

Sessions are kept on the server side, and every user gets one. With a very large number of concurrent users there will be a very large number of sessions, consuming a lot of memory. For that reason, sites with very high concurrency such as Google, Baidu or Sina are unlikely to rely on server-side sessions to track clients; to reduce the load on the server, cookies are preferred.

 

(5) Different kinds of data that can be stored

A cookie can only hold an ASCII string; Unicode characters or binary data must be encoded before being stored. A cookie also cannot hold objects (Java objects, in the page's terms) directly, so storing anything slightly complex in a cookie is awkward.

A session can hold data of any type: strings, integers, lists, maps and so on, without limitation. It can also hold objects (Java Beans or any other class instance) directly, which makes it very convenient to use; the session can be thought of as a container class.

 

(6) Cookie size is limited: a single cookie cannot hold more than 4 KB of data, and many browsers limit a site to at most 20 cookies.

(7) A session depends on its session ID, and the session ID is carried in a cookie, so if cookies are disabled in the browser the session fails (though a session can still be maintained by other means, such as passing the session ID in the URL).

(8) Session data can be stored in a file, a database, or memory; the default is a file, and you can

(9) Sessions are commonly used for user authentication.

 

 

  $_COOKIE: browser-side cookie operations

          Set a cookie: setcookie(name, value, expire, path, domain);

          Read a cookie: $_COOKIE["user"];

          Delete a cookie: setcookie("user", "", time() - 3600); // set an expiry time in the past

  $_SESSION: server-side session operations

          Before using the session you must call session_start() to start it.

          Store into the session: $_SESSION["name"] = "King"; // array operations

          Destroy one session variable: unset($_SESSION["name"]); // destroys one entry

          Destroy the whole session: session_destroy(); // destroys all session data. To empty the array first use $_SESSION = array(); do not call unset($_SESSION), which disables registering session variables for the rest of the request.

 

 

 

Cookie concept

      When you browse certain websites, they store some data on the client, used to track the user across the site and to implement user-customised features.

Cookie forgery

If a malicious user intercepts a cookie from your third-party client, sends it to the server and passes validation, they can log in impersonating that user. This is cookie forgery.

Defending against cookie forgery:

The more common practice today is to use a session to identify the user: generate a unique ID for each client, and store the state that corresponds to that ID on the server.

That way the cookie holds only this ID and nothing else. The ID also has a useful property: it is randomly generated and a new one is produced on every login, which further reduces the risk of information leakage.
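Putting the $_COOKIE/$_SESSION calls listed above together with the "only a random ID in the cookie, regenerated on every login" design, here is an added example of a login and logout flow in plain PHP. It is not code from the original post. It assumes PHP 7.3 or later (array form of session_set_cookie_params() and setcookie()), an HTTPS site (for the secure flag), and a hypothetical checkCredentials() function with a constructed user table standing in for a real password lookup.

```php
<?php
// Added example: session-based login that keeps only a random session ID
// in the cookie and regenerates it on login. Not from the original page.

// Cookie attributes for the session cookie. Must run before session_start().
// 'secure' => true assumes the site is served over HTTPS.
session_set_cookie_params([
    'lifetime' => 0,          // session cookie: discarded when the browser closes
    'path'     => '/',
    'domain'   => '',         // current host only; no cross-subdomain sharing
    'secure'   => true,       // never sent over plain HTTP
    'httponly' => true,       // not readable by document.cookie (limits XSS theft)
    'samesite' => 'Lax',      // not sent on cross-site POSTs (limits CSRF)
]);
ini_set('session.use_only_cookies', '1'); // ignore session IDs passed in the URL
ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
session_start();

// Hypothetical credential check with a constructed user table;
// a real application would look the hash up in its user store.
function checkCredentials(string $user, string $pass): bool
{
    $users = ['king' => password_hash('correct horse', PASSWORD_DEFAULT)]; // constructed sample
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

function login(string $user, string $pass): bool
{
    if (!checkCredentials($user, $pass)) {
        return false;
    }
    // Issue a fresh ID so an ID planted before login (session fixation) never
    // becomes the authenticated one. true deletes the old server-side data.
    session_regenerate_id(true);
    $_SESSION['user']     = $user;
    $_SESSION['login_at'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];                       // clear the array (do not unset($_SESSION))
    $p = session_get_cookie_params();
    // Expire the cookie in the browser as well as dropping the server-side data.
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

function currentUser(): ?string
{
    return $_SESSION['user'] ?? null;
}

// Request handling (input comes from a constructed login form).
$action = $_POST['action'] ?? '';
if ($action === 'login') {
    echo login($_POST['user'] ?? '', $_POST['pass'] ?? '')
        ? 'logged in as ' . currentUser() . "\n"
        : "bad credentials\n";
} elseif ($action === 'logout') {
    logout();
    echo "logged out\n";
} else {
    echo 'current user: ' . (currentUser() ?? 'none') . "\n";
}
```

The two lines that matter most for the forgery discussion are session_regenerate_id(true) in login(), which makes every login produce a new random ID, and the httponly/secure/samesite attributes, which narrow the ways an attacker can obtain that ID in the first place.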

 

Session concept

   A session is a structure similar to a HashTable, kept on the server side, that holds user data.

   Purpose: to pass data between pages; it is a collection of objects stored on the server.

   How it works: when a user requests an ASP.NET page, the system automatically creates a Session; the Session is discarded when the user exits the application or the server is shut down. When it creates the Session, the system assigns it a long string identifier so that the Session can be managed and tracked.

 

Can the session still be used after the client disables cookies?

Both cookies and sessions exist to implement a conversation (session) mechanism: HTTP is stateless, so tracking one user's state across different pages of the same site requires such a mechanism.

Cookie: keeps the conversation state on the browser side. Session: keeps the conversation state on the server side.

By default the session is cookie-based: whenever a session ID is generated it is sent to the browser, which saves it in a cookie.

In general the session ID determines which server-side session belongs to the current conversation, and the session ID is passed in a cookie, so disabling cookies amounts to losing the session ID, and with it the session.

But the session ID can be carried by other means than a cookie (the session data itself may live in Redis or in a file on the server).

With the session data in a file, generate a session ID, pass it as a GET parameter to the pages that need to share the session, read the ID there and set it before starting the session, and the data can then be fetched from the session store. Bear in mind that an ID in the URL ends up in browser history, proxy logs and Referer headers, so it is much easier to leak than a cookie.
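The GET-parameter approach just described, as an added example that is not code from the original post. It assumes the ID travels in a query parameter named sid (a name chosen here), that this endpoint is allowed to accept IDs from outside a cookie, and that a PHP-generated session ID consists only of letters, digits, comma and hyphen (the format check below is an assumption derived from PHP's default session.sid_bits_per_character settings).

```php
<?php
// Added example: carry the session ID in the URL when cookies are unavailable.
// Not from the original page.

// Allow an ID we set explicitly rather than only one read from a cookie.
ini_set('session.use_only_cookies', '0');
// An ID the server never issued gets replaced by a fresh one instead of being
// adopted, which is what stops an attacker from choosing the victim's ID.
ini_set('session.use_strict_mode', '1');

// Accept only IDs that look like PHP-generated ones (assumed charset/length);
// anything else is junk or an attacker-chosen value (session fixation).
function validSessionId(string $id): bool
{
    return (bool) preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id);
}

// Return the ID to use: the validated sid from the URL, or null to let PHP create one.
function sessionIdFromQuery(array $query, string $param = 'sid'): ?string
{
    $id = $query[$param] ?? null;
    return is_string($id) && validSessionId($id) ? $id : null;
}

$sid = sessionIdFromQuery($_GET);
if ($sid !== null) {
    session_id($sid);       // must be set before session_start()
}
session_start();

// Build a link to another page that carries the current session ID along.
function linkWithSession(string $path): string
{
    return $path . '?sid=' . urlencode(session_id());
}

$_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;
echo 'visits in this session: ' . $_SESSION['visits'] . "\n";
echo 'next page: ' . linkWithSession('/page2.php') . "\n";
```

PHP can rewrite links automatically with session.use_trans_sid, but the manual version above makes the two checks explicit: the format check keeps arbitrary strings out of session_id(), and strict mode means a valid-looking but unknown ID still does not become a usable session.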

 

 

Default session lifetime

Setting the session expiry time in PHP

1. Change session.gc_maxlifetime in the PHP configuration file (php.ini). This is the server-side lifetime: session data not touched for longer than this becomes eligible for garbage collection.

2. Extend the lifetime of the session cookie by re-sending it with an explicit expiry:

<?php
    session_start();
    // keep for one day
    $lifeTime = 24 * 3600;
    setcookie(session_name(), session_id(), time() + $lifeTime, "/");
?>

3. The session extension also provides session_set_cookie_params() to set the session cookie's lifetime; it must be called before session_start():

<?php
    // keep for one day
    $lifeTime = 24 * 3600;
    session_set_cookie_params($lifeTime);
    session_start();
    $_SESSION["admin"] = true;
?>

Note that methods 2 and 3 only change how long the browser keeps the cookie; the server-side data is still subject to session.gc_maxlifetime, so a one-day cookie is of no use unless gc_maxlifetime is raised to match.
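Added example (not from the original post) that ties the settings above together and adds an application-level idle timeout. The timeout is the check a practitioner wants because PHP's garbage collector only runs with a probability of session.gc_probability / session.gc_divisor per request, so an expired session file can survive well past gc_maxlifetime until the collector happens to run. The lifetime and idle values are assumptions.

```php
<?php
// Added example: consistent session lifetimes plus an idle timeout enforced
// in application code. Not from the original page.

const SESSION_LIFETIME = 24 * 3600;  // assumed: one day for both cookie and server data
const IDLE_TIMEOUT     = 30 * 60;    // assumed: 30 minutes without a request ends the session

// Server-side lifetime must be at least as long as the cookie, or the data can be
// garbage-collected while the browser still presents a valid-looking ID.
ini_set('session.gc_maxlifetime', (string) SESSION_LIFETIME);
session_set_cookie_params([
    'lifetime' => SESSION_LIFETIME,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Returns true if the session is within both limits; false if it was expired here.
// Timestamps live in the session itself, so this works with any save handler.
function enforceTimeouts(int $now, int $idleTimeout, int $lifetime): bool
{
    $started = $_SESSION['_started'] ?? $now;
    $last    = $_SESSION['_last']    ?? $now;

    if ($now - $last > $idleTimeout || $now - $started > $lifetime) {
        // Expired: drop everything and continue with a new, empty session.
        $_SESSION = [];
        session_regenerate_id(true);
        $_SESSION['_started'] = $now;
        $_SESSION['_last']    = $now;
        return false;
    }
    $_SESSION['_started'] = $started;
    $_SESSION['_last']    = $now;
    return true;
}

if (!enforceTimeouts(time(), IDLE_TIMEOUT, SESSION_LIFETIME)) {
    echo "session expired, please log in again\n";
} else {
    echo 'session active since ' . date('c', $_SESSION['_started']) . "\n";
}
```

The absolute limit (one day from creation) and the idle limit (30 minutes since the last request) are independent: a user who keeps clicking stays logged in until the absolute limit, while an abandoned browser tab loses its session after the idle limit regardless of what the cookie says.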

 

Relationship between session_id and the session file on the server

The session_id and the session are created at the same time, and the session file is named after the session_id (with the default file handler, sess_<session_id> inside session.save_path).

In what form does PHP store sessions?

PHP provides three ways of storing sessions: files, memory, and a custom store; the default is file storage. On a high-traffic site this is not a good fit, because it generates a large amount of redundant disk I/O. The storage type can be changed in the php.ini configuration file (session.save_handler and session.save_path) or from a PHP script through the corresponding functions (ini_set(), or session_set_save_handler() for a custom store).

 


 

 


Origin www.cnblogs.com/whel0923/p/10991755.html