HTTP (Part Three): HTTP state-keeping mechanisms (Cookie and Session)

  We mentioned earlier two features of the HTTP protocol: it is connectionless and stateless. The connection-time overhead that comes with being connectionless was resolved when HTTP/1.1 introduced persistent connections. Now let's focus on its "stateless" feature.

  Stateless means that the server does not record user information and has no memory of earlier transactions, so it cannot handle the current request based on earlier state. This simplifies server design, but in practice websites often do want to identify users and record some of their behavior. On a shopping site, for example, a user who has picked one item goes on to buy others, and the server wants to remember the user's identity throughout. As another example, take a login page: statelessness means that either the user logs in again on every jump to a new page, or every request carries extra parameters to manage the login state, which is bound to cause problems.

  Cookie and Session are the solutions for maintaining state between client and server; they make up for HTTP's statelessness.


  To understand Cookie and Session, first consider an example (taken from the Internet, noted here for reference):

  A coffee shop offers a free cup of coffee for every five cups purchased. Few customers buy five cups at once, so the shop needs some way to record each customer's consumption. There are really only the following options:

  1. The clerk is very capable and remembers every customer's consumption; as soon as a customer walks in, the clerk knows how to treat them. This corresponds to the protocol itself supporting state.
  2. Give the customer a card that records the amount consumed, generally with an expiry date. At each purchase, if the customer shows the card, this purchase is linked with earlier and later ones. This corresponds to keeping state on the client.
  3. Give the customer a membership card that records nothing but a card number. At each purchase, if the customer shows the card, the clerk looks up the record for that card number in the shop's records and adds the purchase to it. This corresponds to keeping state on the server.

  The example makes the difference between Cookie and Session very vivid. First, HTTP is stateless by design, for simplicity and flexibility, and is not going to be made stateful, so option 1 is ruled out. That leaves options 2 and 3: keeping state on the client and keeping state on the server, which correspond exactly to Cookie and Session. Note that the server-side approach also needs the client to hold an identifier, so the session mechanism may rely on the cookie mechanism to store that identifier, although this is not the only way.

1, Cookie mechanism

  A cookie keeps state on the client. When a client requests the server for the first time, the server generates some state information and adds a header field to the response message: the field name is "Set-Cookie" and the field value is the cookie content. The state information thus travels back to the client in the response. On receiving it, the client adds a line to the cookie file it manages, recording these cookie values. Afterwards, whenever the client browses the site, each HTTP request it sends takes the corresponding line from the cookie file and puts it in a header line sent along to the server, so the server learns the client's earlier state.



  Specifically, a cookie's contents include: name, value, expiration time, path and domain. Path and domain together make up the cookie's scope. If no expiration time is set, the cookie lives for the browser session: when the browser window is closed, the cookie disappears. A cookie whose lifetime is the browser session is called a session cookie. Session cookies are typically kept in memory rather than on the hard disk. Cookies stored on the hard disk can be shared between different browser processes.

  Of course, a cookie records some of the user's behavior on the Web, which is a matter of personal privacy. Users are free to refuse cookies, and the browser can be configured to disable them.

2, Session mechanism

  The session mechanism is easy to understand from the earlier example: it is a server-side mechanism for maintaining state, which uses a structure similar to a hash table to hold the information.

  When the program needs to create a session for a client's request, the server first checks whether the request contains a session identifier (called a session ID). If it does, a session has been created for this client before, and the server retrieves the session by that ID (if it cannot be found, a new one is created). If the request contains no session ID, the server creates a session for the client and generates a session ID associated with it. The session ID should be a string that neither repeats nor is easy to forge. The session ID is returned to the client in the response for it to store.



  How is the session ID returned to the client? It can be sent as a cookie, placed in a response header line for the client to store. If cookies are disabled, URL rewriting can be used instead: the ID is appended to the URLs returned to the client.
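The session lookup and the Set-Cookie exchange described above, as an added example that is not code from the original post. The cookie name `SESSIONID`, the 1800-second timeout and the `HttpOnly`/`Secure` attributes are assumptions chosen for the illustration.

```python
import secrets
import time
from http.cookies import CookieError, SimpleCookie

COOKIE_NAME = "SESSIONID"  # assumed cookie name

class SessionStore:
    """Server-side hash table: session ID -> [last_seen, data]."""

    def __init__(self, ttl=1800):  # assumed idle timeout in seconds
        self.ttl = ttl
        self.sessions = {}

    def handle(self, cookie_header, now=None):
        """Process one request; return (session_id, data, set_cookie_or_None)."""
        now = time.time() if now is None else now
        jar = SimpleCookie()
        try:
            jar.load(cookie_header or "")
        except CookieError:
            pass  # malformed Cookie header: treat it as carrying no session ID
        sid = jar[COOKIE_NAME].value if COOKIE_NAME in jar else None
        entry = self.sessions.get(sid)
        if entry and now - entry[0] > self.ttl:
            del self.sessions[sid]  # expired: free server memory
            entry = None
        set_cookie = None
        if entry is None:
            # No ID, unknown ID or expired ID: issue a fresh one and never
            # adopt an ID the server did not generate itself.
            sid = secrets.token_urlsafe(32)  # 256 random bits from the OS CSPRNG
            entry = self.sessions[sid] = [now, {}]
            out = SimpleCookie()
            out[COOKIE_NAME] = sid
            out[COOKIE_NAME]["path"] = "/"
            # Added hardening, not discussed on the page:
            out[COOKIE_NAME]["httponly"] = True
            out[COOKIE_NAME]["secure"] = True
            set_cookie = out[COOKIE_NAME].OutputString()
        entry[0] = now  # sliding expiry: each request renews the session
        return sid, entry[1], set_cookie

if __name__ == "__main__":
    store = SessionStore()
    sid, data, header = store.handle(None)           # first visit, no cookie
    print("Set-Cookie:", header)
    data["cups"] = 1                                  # state lives on the server
    _, data, header = store.handle(f"{COOKIE_NAME}={sid}")
    print("cups on record:", data["cups"], "| new cookie sent:", header)
```

Only the opaque ID crosses the wire, like the membership card number in the coffee shop example; the cup count never leaves the server.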

3, Cookie and Session Comparison

  To sum up, let's look at where Cookie and Session differ.

  1. Different storage locations. A cookie keeps state information on the client, while a session is stored on the server. This is the biggest difference.
  2. Different data types. Only ASCII strings can be stored in a cookie, while a session, being a hash table, can hold data of any type.
  3. Different privacy and security. A cookie is stored in the client's browser and is visible to the client, so it can be forged and raises other security issues; avoid storing sensitive information in cookies, or encrypt it. A session is stored on the server and is transparent to the client (the client does not see its contents), so the risk of sensitive information leakage does not exist.
  4. Different validity periods. Setting a cookie's expiration time to a large value lets it record information permanently. A session ID may rely on a cookie: if the expiration time is too short, the session soon becomes invalid, while if it is too long, the server accumulates a large number of sessions, leading to memory overflow.
  5. Different server load. Sessions are held on the server, one per user. With many concurrent users, many sessions are created and consume a large amount of memory, so sites with high concurrent traffic are unlikely to use sessions to track clients. Cookies stay on the client and consume no server resources. If many users are reading at the same time, cookies are a good choice; for sites such as Google, Baidu and Sina, cookies may be the only choice.
  6. Size limit. A single cookie on the client is limited to 3K; that is, a cookie a site stores on the client cannot exceed 3K.
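Point 3 notes that client-held state can be forged. The added example below (not from the original post) shows one way a server can detect an altered cookie value, using the coffee card from the earlier analogy. It uses an HMAC integrity tag rather than the encryption the text mentions, so the value stays readable by the client and is still unsuitable for sensitive data. The names `issue_card`, `read_card` and `SERVER_KEY` are hypothetical.

```python
import hashlib
import hmac
import secrets

# Assumed: a per-deployment secret that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)

def _tag(payload, key):
    """HMAC-SHA256 of the payload, hex encoded."""
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def issue_card(cups, key=SERVER_KEY):
    """Build the cookie value 'cups.tag' that the client will hold."""
    payload = str(int(cups))
    return f"{payload}.{_tag(payload, key)}"

def read_card(cookie_value, key=SERVER_KEY):
    """Return the cup count, or None if the value is malformed or altered."""
    payload, sep, tag = cookie_value.rpartition(".")
    if not sep or not (payload.isascii() and payload.isdigit()):
        return None
    # Constant-time comparison on bytes; a client-supplied tag may be non-ASCII.
    if not hmac.compare_digest(tag.encode(), _tag(payload, key).encode()):
        return None
    return int(payload)

if __name__ == "__main__":
    card = issue_card(4)                      # constructed sample value
    print("genuine card ->", read_card(card))
    edited = "5." + card.split(".")[1]        # count changed, old tag kept
    print("edited card  ->", read_card(edited))
```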

Reference links:

https://www.cnblogs.com/lonelydreamer/p/6169469.html

https://baijiahao.baidu.com/s?id=1612804856429135825&wfr=spider&for=pc

Origin www.cnblogs.com/gzshan/p/11125140.html