cookie, session, token Detailed

A cookie is a very specific thing: it is a piece of data that the browser can store persistently, and it is nothing more than a data-storage function implemented by the browser.
A cookie is generated by the server and sent to the browser; the browser saves it as key-value pairs in a text file in one of its directories, and sends it back to the server the next time it requests the same site. Because the cookie lives on the client, the browser adds some restrictions so that cookies cannot be used maliciously and do not take up too much disk space; for example, the number of cookies per domain is limited.

Cookie details in the HTTP protocol

Cookies are always stored on the client. By their storage location on the client they can be divided into memory cookies and hard-disk cookies. A memory cookie is maintained by the browser and kept in memory; it disappears when the browser is closed, so its lifetime is short. A hard-disk cookie is kept on disk and has an expiration time; unless the user clears it manually or the expiration time is reached, it is not deleted, so its lifetime is long. Thus, by lifetime, cookies can also be divided into non-persistent and persistent cookies.

Cookie attributes

A cookie typically has the following attributes:

Domain: indicates which domain or subdomain the current cookie belongs to.

For a Set-Cookie header returned by the server, if no Domain value is specified, the default is the domain of the current HTTP request. For example, if accessing a site returns a cookie with no Domain value, the cookie defaults to the domain of that request.

Path: the path for which the cookie is valid.

Expires / Max-Age: indicate the validity period of the cookie. Expires is an absolute time; after that time the cookie becomes invalid. Max-Age instead specifies how long from now the cookie remains valid before it expires. If a cookie returned by the server specifies neither, the cookie is valid only for the current session: it is a session cookie, and it expires when the current session ends. Correspondingly, the browser should delete the cookie when the browser (page) is closed.

Secure: indicates that the cookie may only be transmitted over HTTPS. It is generally used when the cookie contains authentication information, so that any request carrying this cookie must be sent over HTTPS.

HttpOnly: indicates that the cookie is only to be used for HTTP or HTTPS transport. This means that browser scripts, such as JavaScript, are not allowed to access the cookie.

Cookies sent by the server to the client

From the server, a cookie is sent to the client in the Set-Cookie header, which carries the cookie name, its value, and each attribute.

    Set-Cookie: lu=Rg3vHJZnehYLjVg7qi3bZjzg; Expires=Tue, 15 Jan 2013 21:47:38 GMT; Path=/; HttpOnly
    Set-Cookie: made_write_conn=1295214458; Path=/
    Set-Cookie: reg_fb_gate=deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; HttpOnly

Cookies sent from the client to the server

When the client sends cookies to the server, it does not transmit the individual attributes; it sends only each cookie's name and value.

    GET /spec.html HTTP/1.1
    Cookie: name=value; name2=value2
    Accept: */*
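The following is an added example, not code from the original article: a minimal cookie jar that parses Set-Cookie headers according to the attributes described above (default Domain and Path, Expires, Max-Age, Secure, a past Expires meaning "delete") and builds the Cookie request header, which carries only name=value pairs. Hostnames and the extra cookies used with it are constructed.

```javascript
// Added example (not from the original article). Parse one Set-Cookie header;
// `now` is milliseconds since epoch and is only needed to resolve Max-Age.
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim()).filter(Boolean);
  const eq = pair.indexOf('=');
  // Defaults: Path "/", no Domain (host-only), session cookie (expires = null)
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1), path: '/',
              domain: null, expires: null, secure: false, httpOnly: false };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const k = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const v = i < 0 ? '' : attr.slice(i + 1);
    if (k === 'path') c.path = v;
    else if (k === 'domain') c.domain = v.replace(/^\./, '').toLowerCase();
    else if (k === 'expires') c.expires = new Date(v).getTime();   // absolute time
    else if (k === 'max-age') c.expires = now + Number(v) * 1000;  // relative to now
    else if (k === 'secure') c.secure = true;
    else if (k === 'httponly') c.httpOnly = true;
  }
  return c;
}

class CookieJar {
  constructor(now = () => Date.now()) { this.now = now; this.jar = new Map(); }
  // Store a Set-Cookie header received in a response from requestHost.
  store(header, requestHost) {
    const c = parseSetCookie(header, this.now());
    c.hostOnly = c.domain === null;            // no Domain: defaults to the request host
    if (c.hostOnly) c.domain = requestHost.toLowerCase();
    const key = `${c.domain}|${c.path}|${c.name}`;
    // An Expires in the past (e.g. 01 Jan 1970) tells the browser to delete the cookie
    if (c.expires !== null && c.expires <= this.now()) this.jar.delete(key);
    else this.jar.set(key, c);
  }
  // Build the Cookie request header: only name=value pairs, never the attributes.
  cookieHeader(host, path, https) {
    const now = this.now(), h = host.toLowerCase(), pairs = [];
    for (const c of this.jar.values()) {
      if (c.expires !== null && c.expires <= now) continue;          // expired
      const domainOk = c.hostOnly ? h === c.domain
                                  : (h === c.domain || h.endsWith('.' + c.domain));
      if (!domainOk || !path.startsWith(c.path)) continue;           // Domain/Path scope (simplified)
      if (c.secure && !https) continue;                              // Secure: HTTPS only
      pairs.push(`${c.name}=${c.value}`);
    }
    return pairs.length ? `Cookie: ${pairs.join('; ')}` : null;
  }
}
```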

Modifying and setting cookies

Besides the server creating or updating cookies through Set-Cookie when it responds to the client (browser), cookies can also be set by the browser's built-in scripting, such as JavaScript; in JS this is done by reading and writing document.cookie.

Cookie drawbacks

  • A cookie is attached to every HTTP request to its site, so it potentially increases traffic.
  • Since cookies in an HTTP request are passed in clear text, security is a problem (unless HTTPS is used).
  • A cookie is limited to about 4KB, which is not enough for complex storage requirements.

Session:

Literally, a session is a conversation. It is similar to talking with a person: how do you know that you are currently talking to Joe Smith and not John Doe? There must be some other characteristic (appearance, etc.) that identifies him as Joe Smith.

A session works on a similar principle: the server wants to know who made the current request to it. To make this distinction, the server assigns a different "identity" to each client; the client then carries this "identity" on every request it sends, so the server knows which client the request came from. As for how the client stores this "identity", there are many ways; for browser clients, a cookie is used by default.
The server keeps the user's session information temporarily on the server side, and the session is destroyed after the user leaves the site. Storing user information this way is more secure than keeping it in a cookie, but sessions have a flaw: if the web servers are load-balanced, the session is lost when the next request is routed to a different server.

Token:

1. The user logs in; after the check succeeds, a Token is returned to the client.
2. After receiving it, the client stores the Token on the client side.
3. Every time the client calls the API, it carries the Token to the server.
4. The server verifies the Token in a filter: if verification succeeds, the requested data is returned; if it fails, an error code is returned.

Summary:

When a client connects to the server, the server generates a session id and returns it to the client. By default, browser clients save this session id (identity) in a cookie. To prevent a client from forging a session id, verification is the key: the server computes a signature over the data using a key and an algorithm. The client sends the data together with the signature as its token; the server recomputes the signature over the same data with the same algorithm and key and compares it with the signature the client sent. If they match, the same client has logged in; if they differ, the data may have been tampered with, and validation fails.
