About cookie, session and token

1. Understanding what HTTP "stateless" means

  We know that HTTP is a stateless protocol: the client and server establish a connection, transfer data, and once the transfer is complete the connection is closed. (With keep-alive the underlying TCP connection may be reused for later requests, but the protocol itself still carries nothing from one request to the next.)

  For example, if Taobao were accessed in a purely stateless way, the following would happen:

  1) Open the Taobao URL and enter your user name and password in this step;

  2) Select a product on the home page and click to buy; you are prompted to log in again. Because HTTP is stateless, even though the user name and password were entered in step 1, the client does not remember them across requests, and the server does not remember that you have logged in.

  From the example above, "stateless" can be understood as: neither side keeps a buffer for the conversation, so whatever was exchanged in one request is not carried into the temporary session created for the next one by either the client or the server.

  With the meaning of stateless HTTP understood, we can look at the concepts of cookie, session and token.

2. The concept of cookie

  A cookie is a client-side mechanism for saving user information; it is merely a data-storage feature implemented by the browser.

  Cookies are generated by the server and sent to the client in the Set-Cookie response header; the client saves them as key-value pairs in a text file in a browser-managed directory, and sends the cookie back in the Cookie request header the next time it requests the same site. Because cookies live on the client, browsers add restrictions so that a cookie cannot be misused and does not take up too much disk space: a cookie is only sent back to the site that set it (the Domain and Path attributes narrow this further, and HttpOnly, Secure and SameSite limit how it can be read or carried), and the number and size of cookies per domain are limited (RFC 6265 asks browsers to allow at least 4096 bytes per cookie and 50 cookies per domain, and browsers cap them near those figures).

3. Session

  A session is a data structure kept on the server that tracks the user's state; the data may be stored in memory, in a database, in a file, or in a shared store that a whole cluster can reach:

  1) The client sends its first request to the server;

  2) The server allocates space in memory for the session and generates a Session ID;

  3) Because the server needs to record the user's state, the response carries a Set-Cookie header asking the client to store the Session ID in a cookie;

  4) The client stores the Session ID in its cookie storage according to the Set-Cookie header;

  5) When the client requests the server again, the request carries the cookie in its Cookie request header;

  6) The server reads the Session ID from the Cookie header the client sent, looks the session up, and uses it to determine the user's identity and state.
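  The six steps above, as an added example in Python that is not part of the original post. Both the server and the browser are simulated in one process; the cookie name SESSIONID, the 30-minute idle timeout and the in-memory dict used as the session store are assumptions made for the example.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Server-side session store: session ID -> session data. An in-memory dict is an
# assumption for this example; a cluster would keep it in a database or shared cache.
SESSIONS = {}
SESSION_TTL = 1800         # assumed idle timeout, in seconds
COOKIE_NAME = "SESSIONID"  # assumed cookie name


def create_session(username, now):
    """Step 2: allocate server-side state and return a fresh, unguessable session ID."""
    # 32 random bytes from the OS CSPRNG; a guessable ID would let anyone hijack the session.
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "expires": now + SESSION_TTL}
    return sid


def login_response(username, now):
    """Step 3: after a successful login the response carries Set-Cookie with the session ID.

    HttpOnly keeps page scripts from reading the ID, Secure keeps it off plaintext HTTP
    and SameSite=Lax stops most cross-site requests from carrying it.
    """
    sid = create_session(username, now)
    return {"Set-Cookie": f"{COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"}


def client_store_cookie(jar, response_headers):
    """Step 4: the browser parses Set-Cookie and records the cookie in its jar (a dict here)."""
    parsed = SimpleCookie()
    parsed.load(response_headers["Set-Cookie"])
    for name, morsel in parsed.items():
        jar[name] = morsel.value
    return jar


def client_request_headers(jar):
    """Step 5: later requests to the same site carry every stored cookie in the Cookie header."""
    return {"Cookie": "; ".join(f"{k}={v}" for k, v in jar.items())}


def authenticate(request_headers, now):
    """Step 6: the server reads the ID from the Cookie header and looks the session up.

    Returns the username, or None when there is no cookie or the ID is unknown or expired.
    """
    parsed = SimpleCookie()
    parsed.load(request_headers.get("Cookie", ""))
    if COOKIE_NAME not in parsed:
        return None
    sid = parsed[COOKIE_NAME].value
    session = SESSIONS.get(sid)
    if session is None:
        return None
    if session["expires"] <= now:
        del SESSIONS[sid]  # expired: forget it rather than trust stale state
        return None
    session["expires"] = now + SESSION_TTL  # sliding expiry on every authenticated request
    return session["user"]


def demo(login_at=1000.0, request_at=1010.0):
    """Run the whole exchange; returns the user the server recognises on the second request."""
    jar = {}                                      # the browser's cookie storage
    resp = login_response("alice", now=login_at)  # steps 1-3
    client_store_cookie(jar, resp)                # step 4
    req = client_request_headers(jar)             # step 5
    return authenticate(req, now=request_at)      # step 6


if __name__ == "__main__":
    print(demo())  # alice
```

  Note that the server never learns anything from the cookie except the ID: every decision in step 6 is made from the state it stored itself, which is why the ID must be random and why an expired entry is dropped rather than honoured.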

4. Token

  A token is a credential held by the client, typically used for identity verification: the server issues it after the user has proved who they are, and later requests present the token instead of the user name and password.

  [Figure: token flow, steps ① to ⑥]

  It is worth mentioning that an expiry time is attached when the token is generated in step ② above, and when the token is parsed in step ⑥ the server checks whether it has expired.

  In step ④ the token is stored; it may be kept in a cookie, or in Redis.

  In step ⑤ the token is carried with the request; it may be carried in the URL, in an HTTP request header, or in the POST body.
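  Steps ②, ⑤ and ⑥ above, as an added example in Python that is not part of the original post. The token format (a base64url JSON payload followed by an HMAC-SHA256 signature), the claim names sub/iat/exp, the header and parameter names the token is carried in, and the hard-coded signing key are all assumptions made so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Server-side signing key. Hard-coded only so the example runs; in practice load it from
# configuration and never send it to the client.
SIGNING_KEY = b"example-signing-key-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())


def issue_token(username, ttl_seconds, now=None):
    """Step ②: build the token and attach an expiry (exp) alongside the identity (sub)."""
    now = int(time.time()) if now is None else int(now)
    claims = {"sub": username, "iat": now, "exp": now + ttl_seconds}
    payload = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    return f"{payload}.{_sign(payload)}"  # step ③: this string is what the client receives


def extract_token(headers=None, query=None, form=None):
    """Step ⑤: the client may carry the token in a header, the URL query or the POST body."""
    headers, query, form = headers or {}, query or {}, form or {}
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):]
    return query.get("token") or form.get("token")


def verify_token(token, now=None):
    """Step ⑥: check the signature first, then the expiry. Returns (username, reason)."""
    now = int(time.time()) if now is None else int(now)
    parts = token.split(".") if token else []
    if len(parts) != 2:
        return None, "malformed"
    payload, signature = parts
    # Constant-time comparison so a forger cannot learn the signature byte by byte.
    if not hmac.compare_digest(signature, _sign(payload)):
        return None, "bad signature"
    try:
        claims = json.loads(_unb64(payload))
    except (ValueError, UnicodeDecodeError):
        return None, "malformed"
    if claims.get("exp", 0) <= now:
        return None, "expired"
    return claims.get("sub"), "ok"


if __name__ == "__main__":
    tok = issue_token("alice", ttl_seconds=3600)
    print(verify_token(extract_token(headers={"Authorization": "Bearer " + tok})))
```

  Checking the signature before decoding the payload matters: the claims, including exp, are only trustworthy once the server knows they were not altered, and only the holder of SIGNING_KEY can produce a valid signature for a changed payload.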

5. The difference between session and token

  1) A token is used for authentication, whereas a session keeps a conversation: a session is a record of an ongoing interaction held by the server, a token is a credential that proves identity.

  2) A signed token is harder to forge than a session ID: because the server checks a signature, it can tell a tampered token from a genuine one without looking anything up, and if each request is also signed with a timestamp or nonce the server can reject replayed requests. A session ID is an opaque bearer secret, so it is protected only by the confidentiality of the connection. Signing does not prevent eavesdropping, however: a token sent in the clear can be captured and reused just like a session cookie, so both must travel over a protected transport such as TLS.

  3) Both sessions and tokens need their expiry time managed: the server must drop expired sessions, and the token's expiry must be checked on every request. A leaked token stays valid until it expires unless the server keeps a revocation list, which is why token lifetimes are kept short.
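  The replay protection mentioned in point 2, as an added example in Python that is not part of the original post. Each request is signed over its method, path, body, timestamp and a fresh nonce with a per-client shared secret; the server rejects a bad signature, a timestamp outside a tolerance window, and any nonce it has already seen inside that window. The header names, the 300-second window and the hard-coded client secret are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Per-client shared secrets (assumed; provisioned out of band and never sent in a request).
CLIENT_KEYS = {"client-1": b"example-per-client-secret-do-not-reuse"}
MAX_SKEW = 300      # seconds a request's timestamp may differ from the server clock
_seen_nonces = {}   # nonce -> last instant at which a replay of it could still pass the skew check


def _canonical(method, path, timestamp, nonce, body):
    """The exact bytes both sides sign: any change to them changes the signature."""
    return f"{method}\n{path}\n{timestamp}\n{nonce}\n".encode() + body


def sign_request(client_id, method, path, body, now=None):
    """Client side: sign this one request with a fresh nonce and the current time."""
    now = int(time.time()) if now is None else int(now)
    nonce = secrets.token_hex(16)
    sig = hmac.new(CLIENT_KEYS[client_id], _canonical(method, path, now, nonce, body),
                   hashlib.sha256).hexdigest()
    return {"X-Client-Id": client_id, "X-Timestamp": str(now),
            "X-Nonce": nonce, "X-Signature": sig}


def verify_request(headers, method, path, body, now=None):
    """Server side: returns "ok" or the reason the request was rejected."""
    now = int(time.time()) if now is None else int(now)
    key = CLIENT_KEYS.get(headers.get("X-Client-Id", ""))
    if key is None:
        return "unknown client"
    try:
        ts = int(headers["X-Timestamp"])
        nonce, sig = headers["X-Nonce"], headers["X-Signature"]
    except (KeyError, ValueError):
        return "malformed"
    # Signature first, so unauthenticated requests cannot fill the nonce cache.
    expected = hmac.new(key, _canonical(method, path, ts, nonce, body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return "bad signature"
    # The timestamp is covered by the signature, so an attacker cannot refresh it on a captured request.
    if abs(now - ts) > MAX_SKEW:
        return "stale timestamp"
    # Forget nonces that can no longer pass the skew check, then refuse any nonce still remembered.
    for old in [n for n, until in _seen_nonces.items() if until < now]:
        del _seen_nonces[old]
    if nonce in _seen_nonces:
        return "replayed nonce"
    _seen_nonces[nonce] = ts + MAX_SKEW
    return "ok"


if __name__ == "__main__":
    body = b'{"to":"bob","amount":10}'
    h = sign_request("client-1", "POST", "/transfer", body)
    print(verify_request(h, "POST", "/transfer", body))  # ok
    print(verify_request(h, "POST", "/transfer", body))  # replayed nonce
```

  The contrast with a session cookie is that the cookie carries no per-request signature: a captured Cookie header is accepted again unchanged for as long as the session lives, which is the replay the signed scheme above refuses.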

 

HTTP "stateless" explanation: https://www.cnblogs.com/bellkosmos/p/5237146.html

cookie, session, token concept: https://blog.csdn.net/lcgoing/article/details/86754955

https://www.zhihu.com/question/19786827/answer/28752144

 

Origin: www.cnblogs.com/May-study/p/11649816.html