A simple explanation of the difference between Cookie and Session

1. What is a cookie?

Cookies are small pieces of plain text stored on the client, such as txt files. The so-called client is our own local computer. When we use our own computer to access a web page through the browser, the server generates a credential, returns it to the browser, and the browser writes it to our local computer.
Cookies are usually used to save some information. Their main function is that when you visit certain web pages and modify some of their settings, cookies can track and record these modifications. The next time you visit the page, it reads the cookies on your computer and uses them to return a more personalized page.

2. What is Session?

A Session is a special object created by the server to store user state. It implements user state management on top of the connectionless HTTP protocol. When the user moves between the application's web pages, the variables stored in the Session object are not lost; they persist throughout the user's session. When a user requests a web page from an application, the web server automatically creates a Session object if the user does not already have one.

3. The difference between Cookie and Session

Cookie

  1. Cookies are saved on the client side.
  2. Every browser has cookies, but cookies are not accessible across browsers.
  3. Cookie data is exposed to the browser, so it is not very safe.
  4. You can set the secure attribute of a cookie to true, so that the browser will only transmit such cookies over secure protocols such as HTTPS and SSL.
  5. There is a limit to the amount of data a cookie can store, generally up to 4k.
  6. Cookies disappear when the browser is closed.

Session

  1. The session is saved on the server. When the browser accesses the server for the first time, the server creates a session object (the object has a unique id, generally called the sessionId) and sends the sessionId to the browser in the form of a cookie. When the browser accesses the server again, it sends the sessionId along, and the server finds the corresponding session object by that sessionId.
  2. It follows from the above that the Session offers higher security.
  3. Since the session is stored on the server side, its size is unlimited.
  4. The Session is controlled by the server; when the user closes the browser, the session does not disappear.

4. Why are cookies insecure?

For example:
When a user logs in to a website in the browser, the browser stores that website's cookie, which contains information such as the user's login account and password, and sends it to the server. The server verifies the login from the information carried by the cookie, returns data to the client, and the login succeeds.
At this point the user's account and password are stored in the cookie, where they can be viewed through the browser console. If someone wants to do harm and obtain the user's account and password, they can use some code to read the existing cookies, store them in another browser, and that browser then recognizes the account in the cookie information; a simple refresh logs the account in.
But someone must also have considered this problem:
if the cookie is marked HttpOnly, it can only be transmitted in HTTP requests and cannot be read by page scripts, but the problem remains that the server often does not set this flag.
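As an added example (not part of the original post), the following Python code shows the session mechanism from section 3 together with the HttpOnly and secure flags from sections 3 and 4: the browser only ever receives an opaque sessionId cookie, while the account data stays in a server-side store. The store, function names and the "alice" sample user are constructed for this illustration.

```python
import secrets
from http.cookies import SimpleCookie
from typing import Optional

# Constructed server-side session store: sessionId -> session object.
# Only the opaque id travels in the cookie; account data never leaves the server.
_SESSIONS: dict = {}


def create_session(username: str) -> str:
    """Create a session object on the server and return its unique sessionId."""
    session_id = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
    _SESSIONS[session_id] = {"user": username}
    return session_id


def build_set_cookie(session_id: str) -> str:
    """Build the Set-Cookie header value that delivers the sessionId to the browser.

    HttpOnly keeps the cookie out of reach of page scripts (console, document.cookie),
    Secure restricts it to HTTPS, and SameSite=Lax limits cross-site sending.
    """
    cookie = SimpleCookie()
    cookie["sessionId"] = session_id
    cookie["sessionId"]["httponly"] = True
    cookie["sessionId"]["secure"] = True
    cookie["sessionId"]["samesite"] = "Lax"
    cookie["sessionId"]["path"] = "/"
    return cookie.output(header="").strip()


def lookup_session(cookie_header: str) -> Optional[dict]:
    """Resolve the session object from a request's Cookie header.

    Returns None when no sessionId is present or the id is unknown to the server,
    so a forged or stale id simply fails instead of logging anyone in.
    """
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get("sessionId")
    if morsel is None:
        return None
    return _SESSIONS.get(morsel.value)


if __name__ == "__main__":
    sid = create_session("alice")
    print("Set-Cookie:", build_set_cookie(sid))
    print("Second request resolves to:", lookup_session(f"sessionId={sid}"))
    print("Unknown id resolves to:", lookup_session("sessionId=forged-value"))
```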

Reprinted from: blog.csdn.net/qq_44862029/article/details/123796386