Cookie, Session, and SessionID

One, Cookie definition

A cookie is data that certain websites store on the user's local terminal (usually encrypted) in order to identify the user and track the session. This means that anyone who knows a user's cookie can, while that cookie is still within its validity period, use it to log in to the site as that user.

What is the difference between a session cookie and a persistent cookie?

If no expiration time is set, the cookie's life cycle is the browsing session: as soon as the browser window is closed, the cookie disappears. A cookie whose lifetime is the browsing session is called a session cookie. Session cookies are generally not saved on the hard disk but kept in memory.
If an expiration time is set, the browser saves the cookie to the hard drive. When the browser is closed and opened again, the cookie remains valid until the set expiration time has passed.
Cookies stored on the hard disk can be shared between different browser processes, such as two IE windows. For cookies stored in memory, different browsers take different approaches.
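The distinction above is visible in the Set-Cookie response header: a cookie with no Expires or Max-Age attribute is a session cookie, one with either attribute is persistent. The following is an added example, not code from the original post; the sample headers are constructed, and the choice of JSESSIONID as the cookie that carries the session id is an assumption.

```python
import re

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attrs); attribute names lowercased."""
    first, *rest = [p.strip() for p in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def lifetime(attrs):
    """'session' (memory only), 'persistent' (saved to disk) or 'deleted'."""
    raw = attrs.get("max-age", "")
    if re.fullmatch(r"-?\d+", raw):          # a valid Max-Age wins over Expires
        return "persistent" if int(raw) > 0 else "deleted"
    # The Expires date itself is not evaluated here; its presence is enough.
    return "persistent" if "expires" in attrs else "session"

def audit(header, id_names=("JSESSIONID",)):
    """Lifetime of a cookie and, for session-id cookies, missing protective flags."""
    name, attrs = parse_set_cookie(header)
    report = {"name": name, "lifetime": lifetime(attrs), "missing": []}
    if name in id_names:  # assumption: these names carry the session id
        report["missing"] = [f for f in ("HttpOnly", "Secure")
                             if f.lower() not in attrs]
    return report

# Constructed sample headers, not captured from a real site.
SAMPLES = [
    "JSESSIONID=constructed-id-1; Path=/; HttpOnly; Secure",
    "JSESSIONID=constructed-id-2; Path=/; Max-Age=2592000",
    "theme=dark; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/",
    "JSESSIONID=; Max-Age=0; Path=/; HttpOnly; Secure",
]

def audit_all():
    return [audit(h) for h in SAMPLES]
```

A session-id cookie reported as persistent is written to disk and outlives the browser window, which matters because the cookie alone is enough to act as the logged-in user.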

Two, Session

1, session has different meanings in different contexts

The word session originally refers to a series of operations or messages with a beginning and an end; for example, everything from picking up the phone and dialing to hanging up can be called one session. When the term is associated with network protocols, however, it often carries one or both of two meanings: "connection-oriented" and "state-keeping."

In the context of web development, session has taken on an extended meaning: it refers to a class of solutions used to maintain state between client and server. Sometimes Session is also used to refer to the storage structure of such a solution.

2, session mechanism (elaborated below)

The session mechanism is a server-side mechanism: the server uses a structure similar to a hash table (and may well use an actual hash table) to store information. When the program needs to create a session for a client's request, the server first checks whether the request already contains a session identifier, called the session id.

If the request already contains a session id, a session has previously been created for this client, and the server retrieves that session by its session id and uses it (if it cannot be retrieved, a new one may be created; this can happen when the server has already deleted the user's session object but the user has manually appended a JSESSION parameter to the end of the requested URL).

If the client request does not contain a session id, the server creates a session for this client, generates a session id associated with that session, and returns the session id to the client in this response, where it is saved.

3, the difference between the cookie mechanism and the session mechanism

The cookie mechanism keeps state on the client side, whereas the session mechanism keeps state on the server side.

Three, the relationship between Cookie, Session and SessionID

The sessionID is the key of a session. When the browser first accesses the server, a session is created on the server side together with a corresponding sessionID, which is returned to the browser and saved there in a session cookie. The sessionID generated by Tomcat is named JSESSIONID.

In Tomcat, the sessionID is created when HttpServletRequest.getSession(true) is called. Tomcat's ManagerBase class provides the method that creates the sessionID: random number + time + jvmid. Tomcat's StandardManager class stores sessions in memory; they may also be persisted to a file, database, memcache, redis and the like.

The client only saves the sessionID in a cookie; it does not save the session. Closing the browser does not delete the session: it is destroyed only when the program calls HttpSession.invalidate() or when it times out.

Where does the session id come from, and how is it used?

When a client's request first needs a session object, the server creates a session for that client and computes, through a special algorithm, a session ID that identifies the session object.

Where is the session stored?

In server memory. Session persistence (memcache, redis) can also be set up through special means.

A session is deleted in the following cases:

  1. The program calls HttpSession.invalidate()
  2. The time since the client last sent the session id exceeds the session's maximum effective time
  3. The server process is stopped

Note:

  • The client only saves the sessionID in a cookie; it does not save the session.
  • Closing the browser only invalidates the session cookie held in the client browser's memory. It does not invalidate the session object on the server, nor does it remove persistent cookies that have already been saved to the hard drive.

Are the life cycles of the session cookie and the session object the same?

When the user closes the browser, the session cookie is gone, but the session object is still stored on the server side.

When is a Session created?

A common mistake is to think that a session is created as soon as a client accesses the server. In fact, it is not created until a server-side program (such as a Servlet) calls a statement like HttpServletRequest.getSession(true).

When it creates a Session, the server also generates a unique Session id for it, and this Session id is used in subsequent requests to find the Session that was created. After the Session is created, the program can call the relevant Session methods to add content to it; that content is saved on the server, and only the Session id is sent to the client. When the client sends another request, it brings this Session id along; the server finds the corresponding Session by that id and uses it again.

If two browser windows are opened to access the application, do they use the same session or different sessions?

Usually a session cookie cannot be used across windows: when you open a new browser window and enter the same page, the system gives you a new session id, so the goal of sharing information between the windows cannot be reached.

In that case we can first store the session id in a persistent cookie (by setting the session's maximum effective time) and then read it out in the new window to obtain the previous window's session id. In this way, combining a session cookie with a persistent cookie achieves session tracking across windows.

Four, the client saves the sessionID in a cookie

When the client saves the sessionID in a cookie, every request we make to the server sends this sessionID along, and the server searches its memory for the corresponding sessionID. If it is found, we are logged in and have the corresponding permissions. If it is not found, then either we closed the browser (why is explained later) or the session timed out (no request to the server for more than 20 minutes) and the server cleared the session. The server then assigns you a new sessionID; you have to log in again, and the new sessionID is stored in the cookie.

As long as the browser is not closed (and the sessionID has been saved in a cookie), the sessionID stays in the browser and is submitted to the server with every request, so the server considers us logged in. Of course, if no request reaches the server for too long, the server assumes we have closed the browser and removes the sessionID from memory. If we then make a request, the sessionID we send no longer exists on the server, so the server cannot find it in memory and generates a new sessionID; at this point we generally have to log in again.

Five, the client does not save the sessionID in a cookie

In this case, whenever we send a request to the server, no sessionID is submitted, so the server treats it as a new request and assigns a new sessionID (which is why we are not logged in each time we open a new browser). Each time we get a new sessionID (or are asked to log in again).

When we close the browser and then reopen it and request the page, we are asked to log in. Why? We had clearly logged in and the session had not timed out, so the sessionID is certainly still on the server; why do we have to log in again? Because after the browser was closed, the information we submit to the server on the next request no longer includes the earlier sessionID, so the server does not know we are the same person and assigns us a new sessionID. An analogy: the browser is like a person going to a bank to open an account, and the server is like the bank. The person arriving at the bank evidently has no account (sessionID), so when the bank staff ask whether he has one, he says no, and the bank opens an account (sessionID) for him. In other words, every time you open a new browser and request a page, the server treats it as a new request and assigns you a new sessionID.
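The behaviour described in sections Two to Five (a server-side table keyed by sessionID, creation only on request, a cookie lost when the browser closes, and the 20-minute timeout) can be modelled in a few lines. This is an added example, not code from the original post and not Tomcat's implementation; SessionStore, its method names and the CSPRNG-based id are assumptions made for illustration.

```python
import secrets
import time

class SessionStore:
    """Server-side table: session id -> session data (the 'hash table' above)."""
    def __init__(self, max_inactive=20 * 60, clock=time.monotonic):
        self.max_inactive = max_inactive  # seconds; 20 minutes as in the text
        self.clock = clock
        self._sessions = {}               # sid -> {"data": {...}, "last": float}

    def get_session(self, cookie_sid, create=True):
        """Model of getSession(create); returns (sid, data) or (None, None)."""
        now = self.clock()
        entry = self._sessions.get(cookie_sid)
        if entry and now - entry["last"] > self.max_inactive:
            del self._sessions[cookie_sid]      # idle too long: destroy it
            entry = None
        if entry:
            entry["last"] = now
            return cookie_sid, entry["data"]
        if not create:
            return None, None
        # Missing or unknown id: mint a fresh one, never adopt the client's value.
        # Assumption: a CSPRNG token stands in for the container's id algorithm.
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"data": {}, "last": now}
        return sid, self._sessions[sid]["data"]

    def invalidate(self, sid):
        self._sessions.pop(sid, None)

    def exists(self, sid):
        return sid in self._sessions

def demo():
    now = [0.0]                                  # constructed fake clock
    store = SessionStore(clock=lambda: now[0])
    sid, data = store.get_session(None)          # first request: no cookie yet
    data["user"] = "alice"                       # login state lives on the server
    _, again = store.get_session(sid)            # cookie sent back: same session
    new_sid, fresh = store.get_session(None)     # browser reopened: cookie lost
    orphan_alive = store.exists(sid)             # old server object still exists
    unknown_sid, _ = store.get_session("client-chosen-id")
    now[0] += 20 * 60 + 1                        # exceed the idle timeout
    late_sid, late = store.get_session(sid)      # old id now gets a new session
    return {"same": again.get("user"), "fresh_empty": fresh == {},
            "new_id": new_sid != sid, "orphan_alive": orphan_alive,
            "unknown_adopted": unknown_sid == "client-chosen-id",
            "expired_reused": late_sid == sid, "late_empty": late == {}}
```

The orphan_alive result is the point of section Five: after the browser closes, the old session object stays valid on the server until it times out or is invalidated, so logout handlers should call invalidate rather than rely on the cookie disappearing.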

Content referenced from

  1. https://blog.csdn.net/u010002184/article/details/79420844
  2. https://www.cnblogs.com/jing99/p/7826550.html
  3. https://www.cnblogs.com/yaowen/p/4819018.html

Origin blog.csdn.net/weixin_43625577/article/details/92393581