Cookie / Session Detailed

First of all, I recommend the Wireshark packet capture tool, with which you can see the details of HTTP requests; Cookie and Session are much less abstract when you study them that way.

1.1  Why do we need Cookie / Session

HTTP is a stateless protocol. "Stateless" sounds a bit obscure, so let us explain it from the way HTTP works. HTTP uses a request/response model: once a request and its response are complete, the connection between client and server is closed, and when the client sends another request the server cannot get any information from the previous connection. We can therefore understand stateless as "forgetful, or without memory." Many blog posts say that because HTTP is stateless, context cannot be maintained from one connection to the next. This claim is wrong; there are in fact many ways to do it, but the earlier methods were a lot of trouble. For example, if we need to keep certain information, we can include that information in every request and response. This is cumbersome, and in many cases a lot of effort goes into carrying a series of information from one connection to the next.

 

Every technology emerges to solve a problem, so how do we solve this one? The idea is to store this information together in one place and retrieve it by an ID. The question is then where to store it. There are two options: on the client or on the server, corresponding to the Cookie and Session techniques respectively. An example: suppose that every time I travel home from the high-speed rail station, I first take a bus and then the subway. The most traditional way is to pay cash: the money is stored on the client, which carries a security risk, since the money can be lost. A more advanced way: everyone has a city card account and pays by fingerprint recognition; the money is kept on the server side, so there is no need to worry about losing it.

1.2  Cookie principles

When we send a request to the server, the server generates the Cookie and returns it to the client (usually a browser) in the response. The browser saves the Cookie's key/value pairs to a file in a directory. In Java web development, JSESSIONID is usually used to mark the Cookie, which ensures that each Cookie is unique. On the next request to the same site, the browser sends the Cookie to the server, provided that the browser has Cookies enabled. The Cookie's name and value can be defined by the developer on the server side. In development we may run into the problem of several applications sharing a Cookie, or of the Cookie not being readable across domains when the front end and back end are separated; detailed solutions are available online, so they are not covered here.

1.3  Session principles

A Session is generated by the server and stored on the server. How does the client get at the Session information during a session? This is generally done with a cookie. In Java web development, once the server has created the Session, its first response passes a JSESSIONID value in Set-Cookie; the next request carries the JSESSIONID and retrieves the session from the previous request, provided that the Session has not expired. When the browser has Cookies disabled, URL rewriting can be used instead.
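
How the JSESSIONID exchange described above can look on the server side, as an added example in Python that is not part of the original article. The names `sessions`, `extract_sid` and `handle_request`, the 30-minute timeout and the cookie attributes are assumptions chosen for illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 1800  # assumed idle timeout in seconds (30 minutes)
sessions = {}       # session id -> (expiry timestamp, data dict), kept on the server


def extract_sid(headers, path):
    """Read the session id from the Cookie header, else from URL rewriting."""
    cookie = SimpleCookie(headers.get("Cookie", ""))
    if "JSESSIONID" in cookie:
        return cookie["JSESSIONID"].value
    # URL rewriting fallback when cookies are disabled: /cart;jsessionid=<id>?query
    _, sep, rest = path.partition(";jsessionid=")
    return rest.split("?", 1)[0] if sep else None


def handle_request(headers, path="/", now=None):
    """Return (response_headers, session_data) for one request."""
    now = time.time() if now is None else now
    sid = extract_sid(headers, path)
    entry = sessions.get(sid)
    if entry is None or entry[0] <= now:
        # No id, unknown id or expired session: drop it and issue a fresh
        # random id. An id supplied by the client is never adopted.
        sessions.pop(sid, None)
        sid = secrets.token_urlsafe(32)
        data = {}
        # HttpOnly and Secure are an assumed hardening choice, not from the article.
        response = {"Set-Cookie": f"JSESSIONID={sid}; Path=/; HttpOnly; Secure"}
    else:
        data = entry[1]
        response = {}
    sessions[sid] = (now + SESSION_TTL, data)  # each request renews the timeout
    return response, data
```

Only the id travels to the client; the data dict stays in `sessions`. An id carried in the URL can leak through logs and the Referer header, which is why it is only the fallback here.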

 

1.4  Cookie and Session contrast

In fact, Cookie and Session are both abstractions of a session; they are just implemented differently, and each has its advantages and disadvantages:

Cookie reduces the burden on the server, and the storage time can be set very long; but its security is worse, and when the user disables Cookies the session cannot be maintained.

Session is stored on the server, so security is relatively higher, and when the client has Cookies disabled the session can still be maintained; however, a Session generally cannot be kept for too long, as that puts too much pressure on the server.

Origin blog.csdn.net/tao438031498/article/details/77427661