The difference between session, cookie and token

1. Why do sessions exist?

A: Because HTTP is a stateless protocol: on its own, the server cannot tell whether this request and the previous one came from the same client. Anything that depends on a user being logged in, such as posting on a forum, could not be implemented without some way to carry state across requests.

2. How is a session generated?
A: The first time a browser accesses the server, the server creates a session and generates a unique key for it, the sessionid. The sessionid and the corresponding session are stored as a key/value pair in the cache (they can also be persisted to a database), and the server then sends the sessionid to the client in the form of a cookie. On the next visit the browser carries the sessionid cookie, and the server looks up the matching session by that sessionid.
If the browser has cookies disabled or does not support them, the sessionid can instead be sent to the server by URL rewriting.

Put simply: a visitor claims to be Joe Smith; what if he is lying? You store Joe Smith's information on the server side, give him an id, and he presents that id on his next visit.
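The session flow from question 2, written out as an added example (not code from the original post): the server keeps a random sessionid to session mapping in memory, standing in for the cache or database the text mentions, hands the id to the client in a Set-Cookie header, and resolves it on every later request. The `SessionStore` class, the `sessionid` cookie name and the 30-minute lifetime are assumptions made for the example; the `Secure`/`HttpOnly`/`SameSite` flags are the usual hardening for a session cookie.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 30 * 60  # assumed lifetime in seconds; the text only says "we need to manage the expiration time"


class SessionStore:
    """Server-side store: sessionid -> session data.

    Assumed in-memory stand-in for the cache/database the text describes.
    Anything kept here is lost when the process restarts, which is the
    weakness the original post raises about sessions.
    """

    def __init__(self, ttl=SESSION_TTL):
        self._sessions = {}
        self.ttl = ttl

    def create(self, user):
        # A session id must be unguessable: 32 random bytes, URL-safe encoded.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "expires": time.time() + self.ttl}
        return sid

    def lookup(self, sid):
        """Return the user bound to sid, or None if unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if entry["expires"] < time.time():
            del self._sessions[sid]  # lazy expiry on access
            return None
        return entry["user"]

    def destroy(self, sid):
        """Logout: forgetting the server-side copy invalidates the cookie at once."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid):
    # HttpOnly keeps scripts away from the id, Secure limits it to HTTPS,
    # SameSite=Lax stops most cross-site requests from carrying it.
    return f"Set-Cookie: sessionid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def session_id_from_cookie(cookie_header):
    """Extract the sessionid value from a raw Cookie header string."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("sessionid")
    return morsel.value if morsel else None


def login(store, user):
    """First visit: create the session and return the header that delivers its id."""
    return set_cookie_header(store.create(user))


def handle_request(store, cookie_header):
    """Later visit: resolve the cookie's sessionid against the store."""
    sid = session_id_from_cookie(cookie_header or "")
    if sid is None:
        return (401, "no session cookie")
    user = store.lookup(sid)
    if user is None:
        return (401, "unknown or expired session")
    return (200, f"hello {user}")


if __name__ == "__main__":
    store = SessionStore()
    header = login(store, "joe")          # constructed sample login
    sid = header.split("sessionid=")[1].split(";")[0]
    print(handle_request(store, f"sessionid={sid}"))   # (200, 'hello joe')
    print(handle_request(SessionStore(), f"sessionid={sid}"))  # "restarted" server: 401
```

The last line of the usage shows the point the original makes later on: the same cookie is worthless against a fresh `SessionStore`, because validity lives on the server, not in the id.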

3. Why did tokens appear?
A: First, a session takes up storage space on the server, and second, a session is usually transferred through a cookie or by URL rewriting. With a token the server does not need to store the user's information, and the token can be transferred in ways other than a cookie (although a token can be stored on the server as well).

4. How is a token generated?
A: The first time a browser accesses the server, the server takes the unique identifier passed to it (the userId), runs it through an algorithm such as the commonly used HMAC-SHA256 together with a secret key to produce a token, Base64-encodes the token and sends it to the client. The client saves the token and carries it on the next request; when the server receives the request it recomputes the value with the same algorithm and key to verify the token. If verification passes, the business operation is performed; if not, a "verification failed" response is returned.

5. What is the difference between a token and a session?
Both a token and a session are used for authentication; session is generally translated as "conversation", while token is more often translated as "credential".
The server keeps a copy of the session, which may be stored in a cache, in files or in a database. Both sessions and tokens have an expiration time, which we need to manage.
In fact, the choice between session and token is a time/space trade-off: a session trades space for time (it is stored on the server and looked up), while a token trades time for space (it is not stored, but must be verified on every request). Which to choose depends on the circumstances.

While it is true that both are "recorded on the client and carried on every visit", a token is easily designed to be self-contained: the back end does not need to record anything, every request is stateless, and the server decrypts and validates the token each time, reaching a legal/illegal verdict on the spot. Apart from some logic fixed on both the client and server ends, the whole message is self-contained. This is true statelessness.
A sessionid, by contrast, is usually a random string, and the back end has to look the id up to check its validity. What if the server restarts and the sessions held in memory are gone? What if the redis server goes down?

Option A: I issue you an identity card, but it is only a piece of paper with an ID number on it. Every time you come to work, I go to the back office to check whether your id is valid.
Option B: I issue you an encrypted ID card; as soon as you present it, I know you must be one of us.
That is the difference.
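Option B in code, as an added example that is not part of the original post: the HMAC-SHA256 plus Base64 construction from question 4, with an expiry claim so the "we need to manage the expiration time" point is covered, and a verifier that needs no server-side store, only the key. The token layout (`base64url(payload).base64url(hmac)`), the claim names `sub`/`iat`/`exp` and the `SECRET_KEY` placeholder are assumptions of the example; a real deployment loads the key from a secrets manager.

```python
import base64
import hashlib
import hmac
import json
import time

# Placeholder only: the verifier trusts anyone who holds this key, so it must be
# long, random and kept out of source control.
SECRET_KEY = b"replace-with-a-long-random-secret"


def _b64encode(raw):
    """URL-safe Base64 without padding, so the token is safe in headers and URLs."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text):
    pad = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + pad)


def issue_token(user_id, ttl=3600, key=SECRET_KEY, now=None):
    """Server side of question 4: bind the userId and an expiry to an HMAC-SHA256 tag."""
    now = time.time() if now is None else now
    payload = {"sub": user_id, "iat": int(now), "exp": int(now) + ttl}
    # Canonical JSON so the same claims always serialise to the same bytes.
    body = _b64encode(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64encode(tag)}"


def verify_token(token, key=SECRET_KEY, now=None):
    """Return the claims if the tag matches and the token is unexpired, else None.

    Nothing is looked up: the verdict comes from the key and the token alone,
    which is what makes the scheme stateless (Option B above).
    """
    now = time.time() if now is None else now
    try:
        body, tag_text = token.split(".")
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        # compare_digest is constant-time, so tag comparison leaks no timing signal.
        if not hmac.compare_digest(expected, _b64decode(tag_text)):
            return None
        claims = json.loads(_b64decode(body))
    except (ValueError, TypeError, UnicodeDecodeError):
        # Malformed Base64, wrong number of parts or non-JSON payload: reject.
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


if __name__ == "__main__":
    tok = issue_token("joe", ttl=60)          # constructed sample user
    print(tok)
    print(verify_token(tok))                  # claims dict: still valid
    body, tag = tok.split(".")
    forged = _b64encode(b'{"sub":"admin"}') + "." + tag
    print(verify_token(forged))               # None: payload changed, tag no longer matches
```

Because the verifier recomputes the tag, editing the payload (the forged "admin" token in the usage) or using a different key is caught without consulting any store; the cost is that a token cannot be revoked early on the server side, which is why the original says the trade-off depends on the circumstances.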

A token can be implemented by reference to JSON Web Token (JWT).

Reprinted from: https://www.cnblogs.com/test_home_c/p/10137701.html


Source: www.cnblogs.com/fatCat1/p/11304363.html