In-depth analysis of the roles of session and cookie

Sessions and cookies are used constantly in web development, but how deep is your understanding of them? Today we take an example and analyse in depth what the session and the cookie actually do.

Throughout the history of web development, the session and the cookie have been a constant presence. Their original purpose was to remember the user's browsing state on a site, and with no real alternative, almost every website depends on them.

Why do we need them

HTTP is stateless, so the server cannot tell who is browsing the site. To keep per-user state on a site (login, shopping cart and so on), four techniques have appeared: hidden form fields, URL rewriting, cookies and sessions.

Cookie

To solve the problem that HTTP cannot maintain state, in 1994 Lou Montulli, an employee of Netscape Communications, applied the concept of "magic cookies" to web communication. He first used it to solve the shopping cart problem for a web application; the shopping cart has since become a pillar of websites. His original document gave the basic description of how cookies work and was later incorporated into the RFC 2109 specification (the implementation reference for most browsers), which was eventually superseded by RFC 2965. Montulli was also granted a US patent for the cookie. Netscape's browser supported cookies from its first version, and today every web browser supports them. (Only the cookie and the session are discussed here.)

What is a cookie

A cookie is a small text file that the browser stores on the user's computer to hold the information a site needs about that user. The web server tells the browser what to store, following the specification, and on every subsequent request the browser automatically adds that information to the HTTP request headers sent to the server, which the server uses to tell users apart. A cookie by itself is not secure.

How to create one

A web server creates a cookie by sending an HTTP response header called Set-Cookie. The Set-Cookie header is a string with the following format (the parts in brackets are optional):

Set-Cookie: value[; expires=date][; domain=domain][; path=path][; secure]

value

The value is usually a string of the form name=value. This is the format given in the original specification, but browsers do not verify that a cookie value follows it: you can set a string that contains no equals sign and it will be stored just the same. In practice, however, the cookie value is almost always given as name=value (most APIs support only this format).

When the cookie is sent back to the server it contains only the cookie's value, not the other options that were set with it, and the browser does not modify the cookie in any way; it is sent back exactly as received. When there are several cookies, they are separated by a semicolon and a space:

Cookie: name=value; name1=value1; name2=value2

cookie expiration time

If no expiration date is set, the cookie is destroyed when the session ends; this is called a session cookie. To turn a session cookie into a persistent cookie, simply set an expiration time with the expires option, whose value is a date in the format Wdy, DD-Mon-YYYY HH:MM:SS GMT. Note that the expiration date is tied to the name-domain-path-secure combination that identifies the cookie: to change a cookie's expiration date, you must specify the same combination.

A persistent cookie cannot be changed back into a session cookie unless you delete the cookie and create it again.

domain option

The domain option sets the cookie's domain; the cookie is only sent with HTTP requests to that domain. Normally domain is set to the domain name of the page that created the cookie.

A large site such as Yahoo! has many hosts of the form name.yahoo.com (for example my.yahoo.com, finance.yahoo.com and so on). Setting the cookie's domain option to yahoo.com sends the cookie's value to all of these sites. The browser compares the domain value against the tail of the requested host name (that is, the comparison runs from the end of the string) and sends the matching cookies to the server.

path option

The path option works like the domain option: an HTTP request carries the cookie only if its path contains the specified path. The comparison is usually done character by character from the start of the request URL's path against the value of the path option; if the characters match, the Cookie header is sent. For example:

Set-Cookie: name=value; path=/blog

Every HTTP request whose path includes /blog will carry this cookie.

secure option

This option is only a flag and has no value. A cookie carrying the secure option is sent to the server only when the request is made over SSL or HTTPS. Such a cookie holds high-value content that could easily be tampered with if it were sent in plain text.

In fact, confidential and sensitive information should never be stored in or transmitted through a cookie, because the whole cookie mechanism is insecure by design. By default, a cookie transmitted over an HTTPS connection is automatically given the secure option.

HTTP-Only

HTTP-Only tells the browser that the cookie must not be accessible to JavaScript through the document.cookie property. This feature is meant as a security measure that helps prevent cross-site scripting (XSS) attacks, launched through JavaScript, from stealing cookies.

JavaScript cookie operations

Through the document.cookie property, JavaScript can create, read and delete cookies. Writing to the property is equivalent to a Set-Cookie header; reading it is equivalent to the Cookie header.
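The rules above (name=value parsing, the expires date format, tail comparison for domain, prefix comparison for path, the secure flag, and HttpOnly hiding a cookie from document.cookie) can be put together into a small model of what a browser does with its cookies. The following Python is an added example written for this article, not code from the original post or from any browser; the host names, cookie values, and the fixed "current time" in it are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

DATE_FMT = "%a, %d-%b-%Y %H:%M:%S GMT"   # Wdy, DD-Mon-YYYY HH:MM:SS GMT
NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)    # constructed clock for the demo
LATER = datetime(2021, 7, 1, tzinfo=timezone.utc)  # constructed "a month later"

@dataclass
class Cookie:
    name: str
    value: str
    domain: str                          # assumed: host of the page that set it
    path: str = "/"
    expires: Optional[datetime] = None   # None means a session cookie
    secure: bool = False
    http_only: bool = False

def parse_set_cookie(header: str, origin_host: str) -> Cookie:
    """Parse one Set-Cookie header value; unknown attributes are ignored."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip(), origin_host.lower())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "expires":
            cookie.expires = datetime.strptime(val, DATE_FMT).replace(tzinfo=timezone.utc)
        elif key == "domain":
            cookie.domain = val.lstrip(".").lower()
        elif key == "path":
            cookie.path = val or "/"
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
    return cookie

def domain_matches(host: str, domain: str) -> bool:
    """Tail comparison: the host equals the domain or ends with '.' + domain."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)

def path_matches(request_path: str, cookie_path: str) -> bool:
    """Prefix comparison from the first character of the request path."""
    return request_path.startswith(cookie_path)

class CookieJar:
    def __init__(self):
        self._cookies = []

    def store(self, cookie: Cookie) -> None:
        # name + domain + path identify a cookie; a new one replaces an old one with the same identity
        key = (cookie.name, cookie.domain, cookie.path)
        self._cookies = [c for c in self._cookies if (c.name, c.domain, c.path) != key] + [cookie]

    def end_session(self) -> None:
        """Closing the browser discards every cookie that has no expiration date."""
        self._cookies = [c for c in self._cookies if c.expires is not None]

    def _live(self, host: str, path: str, now: datetime) -> list:
        # drop expired cookies, then keep those whose domain and path match the request
        self._cookies = [c for c in self._cookies if c.expires is None or c.expires > now]
        return [c for c in self._cookies if domain_matches(host, c.domain) and path_matches(path, c.path)]

    def cookie_header(self, scheme: str, host: str, path: str, now: datetime) -> str:
        """The Cookie request header the browser would send; Secure cookies need https."""
        sent = [c for c in self._live(host, path, now) if scheme == "https" or not c.secure]
        return "; ".join(f"{c.name}={c.value}" for c in sent)

    def document_cookie(self, host: str, path: str, now: datetime) -> str:
        """What page script reads from document.cookie: HttpOnly cookies are hidden."""
        return "; ".join(f"{c.name}={c.value}" for c in self._live(host, path, now) if not c.http_only)

def demo() -> dict:
    """Constructed scenario: three cookies set by a page at my.example.com."""
    jar = CookieJar()
    jar.store(parse_set_cookie("sid=abc123; domain=example.com; path=/; HttpOnly; Secure", "my.example.com"))
    jar.store(parse_set_cookie("theme=dark; path=/blog", "my.example.com"))
    jar.store(parse_set_cookie("promo=1; expires=Wed, 09-Jun-2021 10:18:14 GMT", "my.example.com"))
    return {
        # domain example.com matches finance.example.com by tail comparison; the other two do not
        "https_blog": jar.cookie_header("https", "finance.example.com", "/blog/post", NOW),
        # over plain http the Secure cookie is withheld
        "http_blog": jar.cookie_header("http", "my.example.com", "/blog", NOW),
        # "/" does not start with "/blog", so theme is left out
        "other_path": jar.cookie_header("https", "my.example.com", "/", NOW),
        # script cannot read the HttpOnly sid
        "script_sees": jar.document_cookie("my.example.com", "/blog", NOW),
        # a month later the persistent promo cookie has expired
        "after_expiry": jar.cookie_header("https", "my.example.com", "/blog", LATER),
    }

def after_browser_close() -> str:
    """Only the cookie that has an expires date survives the end of the session."""
    jar = CookieJar()
    jar.store(parse_set_cookie("a=1", "h.example"))
    jar.store(parse_set_cookie("b=2; expires=Wed, 09-Jun-2021 10:18:14 GMT", "h.example"))
    jar.end_session()
    return jar.cookie_header("http", "h.example", "/", NOW)
```

The point worth noticing is that every rule is enforced by the browser, not the server: the server only states its wishes in Set-Cookie and then trusts whatever comes back in the Cookie header, which is why the text warns against putting anything sensitive in a cookie.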

Delete cookie

A session cookie is deleted when the session ends (the browser is closed).

A persistent cookie is deleted when its expiration date arrives.

If the browser's limit on the number of cookies is reached, cookies are deleted to make room for the new one.

session

The session serves almost the same purpose as the cookie: it solves the problem that HTTP cannot maintain state. But the session is stored only on the server side and is never transmitted over the network, so compared with the cookie the session is relatively safer. The session does, however, depend on the cookie: when a user visits the site, the server generates a unique session_id for that user and sends it to the client in the form of a cookie, and every later request from the client automatically carries this cookie (provided the browser supports cookies and has not disabled them).

How to use the session when cookies are disabled

Sometimes the browser disables cookies for security. In that case the session_id can be sent to the server as a request parameter instead, and the session works as usual.

Delete session

After the session is closed, the session expires automatically. To delete the session manually, do it in the server-side code. In PHP:

session_start();     // resume the session before changing it
$_SESSION = array(); // clear all session variables
session_destroy();   // remove the session data on the server
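The whole session life cycle described in this part (the server issues a unique session_id, sends it as a cookie, accepts it as a request parameter when cookies are disabled, and deletes the session on request) fits in a few dozen lines of server-side code. The following Python is an added example for this article, not code from the original post and not the API of PHP or any framework; the Request class, the SessionStore class and the session_id parameter name are assumptions made for the example, and the requests in demo() are constructed.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs

SESSION_COOKIE = "session_id"   # assumed name of the cookie / URL parameter

@dataclass
class Request:
    """Minimal stand-in for an HTTP request (assumed shape, not a real framework)."""
    cookies: dict = field(default_factory=dict)
    query: str = ""              # raw query string, e.g. "session_id=..."

class SessionStore:
    def __init__(self):
        self._sessions = {}      # session data lives only here, on the server

    def create(self):
        """Start a session; returns (session_id, Set-Cookie header value to send)."""
        sid = secrets.token_urlsafe(32)   # unguessable random id, never a counter
        self._sessions[sid] = {}
        # HttpOnly keeps document.cookie from reading the id; Secure keeps it off plain HTTP
        return sid, f"{SESSION_COOKIE}={sid}; path=/; HttpOnly; Secure"

    def session_id_from(self, req: Request) -> Optional[str]:
        """Prefer the cookie; fall back to the URL parameter when cookies are disabled.
        Ids in URLs end up in logs and Referer headers, so the fallback should be the exception."""
        sid = req.cookies.get(SESSION_COOKIE)
        if sid is None:
            sid = parse_qs(req.query).get(SESSION_COOKIE, [None])[0]
        return sid

    def load(self, req: Request) -> Optional[dict]:
        """Return the session's data, or None for a missing or unknown (possibly forged) id."""
        sid = self.session_id_from(req)
        return self._sessions.get(sid) if sid else None

    def destroy(self, req: Request) -> bool:
        """Server-side counterpart of $_SESSION = array(); session_destroy();"""
        sid = self.session_id_from(req)
        return self._sessions.pop(sid, None) is not None if sid else False

def demo() -> dict:
    store = SessionStore()
    sid, set_cookie = store.create()
    with_cookie = Request(cookies={SESSION_COOKIE: sid})          # browser sends the cookie back
    via_url = Request(query=f"{SESSION_COOKIE}={sid}")            # cookies disabled: id in the URL
    forged = Request(cookies={SESSION_COOKIE: "not-a-real-id"})   # an id the server never issued
    store.load(with_cookie)["user"] = "alice"                     # state is kept on the server
    result = {
        "cookie_has_flags": "HttpOnly" in set_cookie and "Secure" in set_cookie,
        "user_via_cookie": store.load(with_cookie)["user"],
        "user_via_url": store.load(via_url)["user"],
        "forged_rejected": store.load(forged) is None,
        "destroyed": store.destroy(with_cookie),
    }
    result["after_destroy"] = store.load(with_cookie)
    return result
```

Only the random id ever leaves the server; the user data stays in the store, which is exactly why the text calls the session the safer of the two. The flip side is that anyone holding a valid id is that user, so the id must be unguessable and should be sent with the HttpOnly and Secure options discussed earlier.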


Source: www.cnblogs.com/ko88/p/12147990.html