Session and Cookie: differences and links

1. The concept of a Session

A Session lives on the server side and is a structure for storing user data. When the browser sends its first request, the server automatically creates a Session together with a Session ID that uniquely identifies it, and sends that ID back to the browser in the response. When the browser sends its second request, it includes the Session ID it received before; the server extracts the Session ID from the request and compares it with all the Session IDs it has saved to find the Session belonging to this user. Normally the server keeps a Session only for a limited period (30 minutes by default); once that limit is exceeded, the Session is destroyed. Before it is destroyed, the programmer can temporarily store some user data in the Session as Key/Value pairs. Of course, the Session can also be serialized and saved to a database. The benefit is that there is no time constraint; the downside is that over time, and especially as traffic grows, the database expands rapidly. The former approach is usually taken to relieve pressure on the server.

2. How the client keeps the Session (i.e. how the Session ID is stored)

Browsers generally provide two ways of keeping the Session ID, and the programmer can implement a third with a hidden HTML field:

[1] Using a Cookie. This is the most common method, and the "remember me" login feature is built on it. The server sends the Session ID to the browser in a Cookie. If no expiry time is set, the Cookie is not written to the hard disk: when the browser is closed the Cookie disappears and the Session ID is lost. If instead an expiry of some number of days is set, the Cookie is stored on the client's hard disk; the value survives even after the browser is closed, and it is sent to the server again on the next visit to the site.

[2] Appending it to the URL, which is what we often see on JSP sites as aaa.jsp?JSESSIONID=*. This behaves the same as a Cookie with no expiry time set.

[3] Adding a hidden field inside a form on the page. This is really the same as the second way, except that the former transmits the data with GET while this one sends it with POST. The latter is obviously much more trouble.

The difference between a cookie and a session: a cookie stores data on the client, while session data is stored on the server side. Simply put, when you log in to a site that uses sessions, all the data is stored on the server. On every request the client sends the sessionid of the current session; the server uses that sessionid to locate the corresponding user data and decides whether the user is logged in or has certain rights. Because the data lives on the server it cannot be faked, but if someone obtains a logged-in user's sessionid, a request forged with that id using a special browser can succeed. The sessionid is assigned randomly when the server and client connect and generally does not repeat, but with a large number of concurrent requests a duplicate is not impossible. I have run into this once: you log in to a website and at first it shows your own information, then after it has timed out for a while and you refresh, it actually shows someone else's information.
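The mechanism described above, as an added illustration rather than code from the original article: a constructed in-memory session store that issues a random Session ID on the first request, finds it again from either the Cookie header (way [1]) or a JSESSIONID query parameter in the URL (way [2]), and destroys the Session once the 30-minute limit is exceeded. The cookie name JSESSIONID and the store layout are assumptions for the demo.

```python
import secrets
import time
from urllib.parse import parse_qs, urlsplit

# Constructed in-memory session store; the client only ever holds the ID.
SESSION_TIMEOUT = 30 * 60          # the 30-minute default mentioned above
_sessions = {}                     # session_id -> {"data": {...}, "last_seen": t}

def _new_session(now):
    # A random, unguessable ID is what makes server-side data hard to fake.
    sid = secrets.token_urlsafe(24)
    _sessions[sid] = {"data": {}, "last_seen": now}
    return sid

def _find_session_id(headers, path):
    # Way [1]: the ID arrives in the Cookie header as JSESSIONID=<id>.
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "JSESSIONID" and value:
            return value
    # Way [2]: the ID is appended to the URL, as in aaa.jsp?JSESSIONID=<id>.
    values = parse_qs(urlsplit(path).query).get("JSESSIONID")
    return values[0] if values else None

def handle_request(headers, path, now=None):
    """Look up (or create) the caller's session.
    Returns (session_id, session_data, set_cookie_header_or_None)."""
    now = time.time() if now is None else now
    sid = _find_session_id(headers, path)
    entry = _sessions.get(sid)
    if entry is not None and now - entry["last_seen"] > SESSION_TIMEOUT:
        del _sessions[sid]         # time limit exceeded: destroy the Session
        entry = None
    set_cookie = None
    if entry is None:
        sid = _new_session(now)    # unknown or expired ID: start fresh
        entry = _sessions[sid]
        # No Expires/Max-Age, so this is a session cookie that dies with the browser.
        set_cookie = f"JSESSIONID={sid}; Path=/; HttpOnly"
    entry["last_seen"] = now
    return sid, entry["data"], set_cookie

def session_count():
    return len(_sessions)
```

Note that an expired or unknown ID never resurrects old data: the server simply starts a fresh, empty Session and issues a new ID.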









If you use a browser cookie, all the data is stored in the browser. For example, after you log in, the server sets a cookie with the user name (username); then, whenever you make a request to the server, the browser sends the username along with it. These variables carry a special mark, and the server interprets them as cookie variables. So as long as you do not close the browser, the cookie variable remains effective, which guarantees you are not logged out for a long time. If someone can intercept a user's cookie variable and then send a forged packet, the server will still consider them legitimate. The possibility of attack using cookies is therefore relatively large. If you set a valid time, the cookie is stored on the client's hard disk; on the next visit to the site the browser checks whether the cookie exists and, if so, reads it and sends it to the server. If you keep a forum cookie on your machine that is valid for one year and someone breaks into your machine, they can copy the cookie away, place it in their own browser's directory, and then log on to the site under your identity. So cookies can be forged. Of course, when trying to forge one, simply copying the cookie file into the cookie directory is not recognized by the browser: it has an index.dat file that records when each cookie file was set and whether it has changed, so you must first have that site's cookie file and then make sure the browser is fooled about the time. This was tested at school on a vbb forum: copying someone else's login cookie and posting under their name worked without any problem.


A Session is a storage space on the application server that the server maintains. When a user connects, the server generates a unique SessionID, and this identifier is used to access that user's Session storage space on the server. The SessionID is saved on the client, in a Cookie; when the user submits a page the SessionID is submitted along with it so the server can access the Session data. No developer intervention is needed in this process. So once the client disables Cookies, the Session will fail.
The server can also pass the SessionID by URL rewriting, so it does not depend entirely on Cookies. If the client has Cookies disabled, the server can automatically preserve the Session value by rewriting the URL, and this process is transparent to the programmer.
You can try it: even without writing any Cookie yourself, request.getCookies() returns an array of length 1, and that one Cookie is named JSESSIONID; its value is a long binary string, the SessionID.

3. The difference and the connection between Session and Cookie

Cookies are part of the Session object, but they differ: Cookies do not consume server resources, since they exist in the client's memory or in a cookie text file, whereas a "Session" takes up server resources. So try not to use Session, and use Cookies instead. However, we generally believe that cookies are not reliable and sessions are reliable, yet many well-known sites still rely on cookies. Sometimes, to handle page processing after cookies are disabled, URL rewriting is used: a large number of useful session methods are called, and the data is fetched from the session after the page is placed.

Application scenarios for Cookies and Session:

The safety of Cookies has always been controversial. Although Cookies are stored on the user's own machine, they are completely visible and easy to edit locally, which often causes many security problems for the information they hold. So should Cookies be used at all, and if so how? There needs to be a bottom line. Let's first look at what sensitive data a site has:

[1] Login authentication information. Generally the form Session("Logon") = true or false is used.
[2] The user's various private information, such as name, etc., which in some cases needs to be saved in the Session.
[3] Content that needs to be passed between pages, for example a survey that requires several steps: the information from every step is stored in the Session, and at the last step it is consolidated and written to the database.

Of course there are many more; listed here are some of the more typical ones. Now suppose someone does not want to touch the eccentric Session, because he believes that if the user accidentally closes the browser, all previously saved data is lost. So, well-intentioned, he decides to use Cookies instead of Session in these places. That is entirely feasible, and the basic operations are exactly the same as with Session. Let us analyze the three typical examples above.

Clearly, as long as an intentional illegal intruder knows which Session variables hold the site's login authentication information, he can edit the Cookies in advance, put them into the Cookies directory, and pass verification. Isn't that terrible? Cookies are completely visible; even if the programmer sets the life cycle of the Cookies (for example, valid only within one user session), it is still unsafe. Say someone forgets to close the browser, or a malicious user stuns him hard: that user would suffer a huge loss. The second case is the same point: the personal information of an important person is easy to steal.
For the third case, however, the problem is more likely that there is too much data, so the Cookies file grows dramatically in size. This is not what the user wants to see.
Obviously, Cookies are not such a tasty nut to crack. But Cookies exist for a reason, of course: they give programmers more room to exercise their programming talent. So using Cookies instead of Session has a bottom line, and in general the bottom line is the following principles:
Do not save private information.
Any important data is best saved in an encrypted form (the simplest is URLEncode; reversible encryption can of course also be used for better protection; unfortunately, md5 encryption is best avoided).
Whether to save login information should be left to the user's choice.
Do not use Cookies for data longer than 10K.
Do not use Cookies just to entertain our customers with little games.

4. The most typical applications of cookies

(a) Determining whether the user has already logged in to the website, so that they can log in directly next time. If the cookie is deleted, you have to fill in the login details again every time. (b) Another important application is in the design of a "shopping cart" type of process. Over a period of time a user may pick different goods on different pages of a website; this information can be written to the cookie and extracted from it at final payment. Of course, this has safety and performance issues that we need to consider.
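The "save important data in an encrypted form" principle in section three and the login and shopping-cart cookies of section four both put data on the client that an intruder can pre-edit. As an added example (not the article's code), this seals a cookie value with an HMAC tag instead of the reversible encryption the article mentions: the tag is what makes an edited cookie fail verification, while it does not hide the contents, so the first principle (no private information) still applies; it also refuses values over the 10K limit. The key is a constructed stand-in for a server secret.

```python
import base64
import hashlib
import hmac
import json

MAX_COOKIE_BYTES = 10 * 1024   # the "no more than 10K" rule from the principles above

def seal(payload, key):
    """Encode a dict as cookie-safe text plus an HMAC-SHA256 tag.
    Returns None when the sealed value would exceed the size limit."""
    raw = json.dumps(payload, separators=(",", ":")).encode()
    body = base64.urlsafe_b64encode(raw).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    value = f"{body}.{tag}"
    if len(value) > MAX_COOKIE_BYTES:
        return None                 # too big for a cookie: keep it in the Session
    return value

def open_sealed(value, key):
    """Return the dict if the tag verifies, else None (edited or malformed)."""
    body, _, tag = value.rpartition(".")
    if not body or not tag:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so tag checking does not leak timing information.
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body.encode()))
    except (ValueError, UnicodeDecodeError):
        return None
```

A cookie such as Logon=true that was typed into the Cookies directory by hand has no valid tag, so open_sealed returns None and the server treats the visitor as not logged in.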

Origin www.cnblogs.com/heimaguangzhou/p/11689898.html