Cookie and session

Source: Internet
Author: User

Explanation of the difference between a cookie and a session

This is basic knowledge, but it is worth understanding thoroughly. Let's take a brief look.

Definitions:

When you browse a website, the web server can send a small piece of information to your computer: a cookie. The cookie records text you entered or choices you made on the site. The next time you visit the same website, the web server first checks whether a cookie from the previous visit is present; if so, it identifies the user from the cookie's contents and sends back content specific to you. Cookies are used widely: many websites that provide personalized services use cookies to identify users and deliver user-tailored content, for example the web interfaces of free email services.


In short, the cookie mechanism keeps state on the client, while the session mechanism keeps state on the server.

The session mechanism may still rely on the cookie mechanism, because keeping state on the server requires the client to hold an identifier that links it to that state. A cookie is the usual way to hold that identifier, but it is not the only option.

Cookie mechanism. The standard way to issue a cookie is an extension of the HTTP protocol: the server adds a Set-Cookie line to the HTTP response header, and the browser creates the cookie as instructed. Purely client-side script such as JavaScript or VBScript can also create cookies. Sending cookies is automatic: the browser transmits stored cookies to the server in the background according to fixed rules. For each request, the browser checks all stored cookies; if a cookie's declared scope (domain and path) covers the location of the requested resource, the cookie is appended to the HTTP request header for that resource.

A cookie mainly consists of: name, value, expiration time, path and domain. The path and the domain together form the scope of the cookie. (A cookie can also carry attributes such as Secure, send over HTTPS only, and HttpOnly, hide from client-side script; they do not affect scope and are not covered further here.) If no expiration time is set, the cookie's lifetime is the browser session: it disappears when the browser window is closed. A cookie whose lifetime is the browser session is called a session cookie. Session cookies are generally held in memory rather than written to disk, although this behaviour is not specified. If an expiration time is set, the browser saves the cookie to disk, and it remains valid after the browser is closed and reopened until the expiration time passes. Cookies stored on disk can be shared by different browser processes, such as two IE windows; how in-memory cookies are shared differs between browsers.
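The scoping rules above (domain, path, expiry, and the Secure attribute) in working code, as an added example that is not part of the original post. It is a simplified version of the RFC 6265 matching rules, not any browser's implementation; the hostnames under example.com, the Set-Cookie headers, and the NOW timestamp are constructed for the demonstration.

```python
# Added example (not from the original post): which stored cookies does a
# browser attach to a request? The rules below are a simplified version of
# RFC 6265 scoping (domain, path, expiry, Secure); the cookie jar and URLs
# are constructed for the demonstration.
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str                 # lower-case host the cookie belongs to
    path: str                   # path prefix the cookie applies to
    host_only: bool             # True when the server set no Domain attribute
    expires: Optional[float]    # absolute time, or None for a session cookie
    secure: bool                # send over https only


def parse_set_cookie(header: str, request_host: str, request_path: str,
                     now: float) -> Cookie:
    """Build a Cookie from a Set-Cookie response header.

    Only Domain, Path, Max-Age and Secure are handled; when Domain or Path is
    missing the browser defaults them to the request host (host-only cookie)
    and to the directory of the request path."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain, host_only, path, expires, secure = request_host.lower(), True, None, None, False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            domain, host_only = val.strip().lstrip(".").lower(), False
        elif key == "path":
            path = val.strip()
        elif key == "max-age":
            expires = now + int(val)    # Max-Age <= 0 expires the cookie at once
        elif key == "secure":
            secure = True
    if not path:
        path = request_path.rsplit("/", 1)[0] or "/"
    return Cookie(name.strip(), value.strip(), domain, path, host_only, expires, secure)


def domain_matches(cookie: Cookie, host: str) -> bool:
    host = host.lower()
    if cookie.host_only:
        return host == cookie.domain
    return host == cookie.domain or host.endswith("." + cookie.domain)


def path_matches(cookie_path: str, request_path: str) -> bool:
    # "/app" matches "/app" and "/app/cart" but not "/application"
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookies_for_request(jar: List[Cookie], url: str, now: float,
                        browser_restarted: bool = False) -> List[str]:
    """Return the name=value pairs the browser would put in the Cookie header."""
    u = urlsplit(url)
    request_path = u.path or "/"
    sent = []
    for c in jar:
        if c.expires is None and browser_restarted:
            continue            # session cookie: gone once the browser closed
        if c.expires is not None and c.expires <= now:
            continue            # persistent cookie past its expiry
        if c.secure and u.scheme != "https":
            continue            # Secure cookies never travel over plain http
        if domain_matches(c, u.hostname) and path_matches(c.path, request_path):
            sent.append(f"{c.name}={c.value}")
    return sent


NOW = 1_700_000_000.0   # constructed "current time" so the demo is reproducible


def build_demo_jar() -> List[Cookie]:
    """The jar as four constructed Set-Cookie headers from shop.example.com
    would leave it after a request to /app/login."""
    headers = [
        "JSESSIONID=abc123; Path=/app",                          # session cookie
        "lang=en; Domain=example.com; Path=/; Max-Age=3600",     # persistent, whole domain
        "promo=old; Path=/; Max-Age=0",                          # already expired
        "token=s3cr3t; Path=/; Secure",                          # https only
    ]
    return [parse_set_cookie(h, "shop.example.com", "/app/login", NOW) for h in headers]


if __name__ == "__main__":
    jar = build_demo_jar()
    for url in ("https://shop.example.com/app/cart", "http://shop.example.com/app/cart",
                "https://shop.example.com/other", "https://blog.example.com/"):
        print(url, "->", cookies_for_request(jar, url, NOW))
    print("after restart ->",
          cookies_for_request(jar, "https://shop.example.com/app/cart", NOW, True))
```

Running it shows the points made in the text: the JSESSIONID session cookie is sent to /app/cart but not to /other, is never sent to blog.example.com because it was set without a Domain attribute, and vanishes once the browser has been restarted, while the persistent lang cookie survives the restart and reaches every host under example.com.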

Session mechanism. The session mechanism is server-side: the server keeps per-client information in a hash-table-like structure. When a program needs a session for a client's request, the server first checks whether the request already carries a session identifier (session ID). If it does, a session was created for this client earlier, and the server looks it up by that session ID (if the ID is not found on the server, it should be treated as absent rather than adopted as-is). If the request carries no session ID, the server creates a session for the client and generates the associated session ID. The session ID must be a string that is never duplicated and cannot be guessed or imitated from a pattern; it is returned to the client in the response so that the client can save it. The session ID is usually saved in a cookie, so that the browser sends it back to the server automatically; the cookie is typically named something like JSESSIONID. However, cookies can be disabled by the user, so other mechanisms are needed to get the session ID back to the server when cookies are unavailable.

A commonly used technique is URL rewriting, which appends the session ID directly to the URL path. Another is the hidden form field: the server automatically modifies the forms it serves to add a hidden field, so that the session ID is sent back to the server when the form is submitted. For example:
<form name="Testform" action="/xxx">
<input type="hidden" name="Jsessionid" value="byok3vjfd75apnrf7c2hmdnv6qzcebzwowibyenlerjq99zwpbng!-145788764">
<input type="text">
</form>
In fact, this technique can be replaced simply by applying URL rewriting to the form's action URL.
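The session mechanism described above, together with the three ways of carrying the session ID (cookie, URL rewriting, hidden form field), as an added example that is not part of the original post. Requests are constructed dicts rather than a real framework's request objects, the cookie name JSESSIONID follows the servlet convention used in the form above, and the HttpOnly, Secure and SameSite attributes on the Set-Cookie header are an addition the original text does not discuss. The example also handles the case the text glosses over: an ID the server never issued is not adopted, so a client cannot pick its own session ID.

```python
# Added example (not from the original post): a minimal server-side session
# mechanism. The session ID is carried in a cookie when the client accepts
# cookies, and otherwise by URL rewriting (";jsessionid=..." in the path) or
# a hidden form field. Requests are constructed dicts, not a real framework's
# objects; the cookie name JSESSIONID follows the servlet convention.
import html
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs

COOKIE_NAME = "JSESSIONID"
URL_PARAM = COOKIE_NAME.lower()     # "jsessionid", used in the path and the form field


def parse_cookie_header(header: str) -> Dict[str, str]:
    """'a=1; b=2' -> {'a': '1', 'b': '2'}"""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k] = v
    return out


class SessionStore:
    """Server-side hash table: session ID -> data belonging to that client."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def _create(self) -> str:
        # 32 bytes from the OS CSPRNG: the ID is unique and cannot be guessed
        # or derived from a pattern, which is what makes it usable as an identity.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    @staticmethod
    def id_from_request(req: dict) -> Optional[str]:
        """Recover the session ID a client sent back, trying the three
        transports in order: cookie, rewritten URL, hidden form field."""
        cookies = parse_cookie_header(req.get("cookie", ""))
        if COOKIE_NAME in cookies:
            return cookies[COOKIE_NAME]
        path = req.get("path", "/")
        marker = ";" + URL_PARAM + "="
        if marker in path:
            return path.split(marker, 1)[1].split("?", 1)[0]
        form = parse_qs(req.get("body", ""))
        if URL_PARAM in form:
            return form[URL_PARAM][0]
        return None

    def handle(self, req: dict) -> Tuple[str, dict, Optional[str]]:
        """Return (session ID, session data, Set-Cookie header or None).

        A Set-Cookie header is only produced when a new session is created."""
        sid = self.id_from_request(req)
        if sid is not None and sid in self._sessions:
            return sid, self._sessions[sid], None
        # Either no ID was sent, or the ID is one this server never issued.
        # Never adopt a client-supplied ID (that would be session fixation):
        # mint a fresh one and tell the browser to store it.
        sid = self._create()
        set_cookie = f"{COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
        return sid, self._sessions[sid], set_cookie


def rewrite_url(path: str, sid: str) -> str:
    """URL rewriting: '/cart?item=7' -> '/cart;jsessionid=<sid>?item=7'"""
    base, sep, query = path.partition("?")
    return f"{base};{URL_PARAM}={sid}{sep}{query}"


def hidden_field(sid: str) -> str:
    """Hidden field the server injects into every form it serves."""
    return f'<input type="hidden" name="{URL_PARAM}" value="{html.escape(sid)}">'


def demo() -> dict:
    store = SessionStore()
    # 1. first visit: no ID anywhere -> new session, Set-Cookie in the response
    sid, data, set_cookie = store.handle({"path": "/login", "cookie": ""})
    data["user"] = "alice"                      # login state lives on the server
    # 2. cookie-enabled browser sends the ID back -> same session, no new cookie
    sid_cookie, data_cookie, sc_cookie = store.handle(
        {"path": "/cart", "cookie": f"{COOKIE_NAME}={sid}"})
    # 3. cookies disabled: the ID rides in the rewritten URL
    sid_url, _, _ = store.handle({"path": rewrite_url("/cart?item=7", sid), "cookie": ""})
    # 4. cookies disabled: the ID comes back in the hidden form field
    sid_form, _, _ = store.handle(
        {"path": "/checkout", "cookie": "", "body": f"{URL_PARAM}={sid}&qty=1"})
    # 5. an ID the server never issued is ignored; the client gets a fresh session
    sid_forged, data_forged, sc_forged = store.handle(
        {"path": "/", "cookie": f"{COOKIE_NAME}=attacker-chosen"})
    return {
        "sid": sid, "set_cookie": set_cookie,
        "sid_cookie": sid_cookie, "user_cookie": data_cookie.get("user"), "sc_cookie": sc_cookie,
        "sid_url": sid_url, "sid_form": sid_form,
        "sid_forged": sid_forged, "data_forged": data_forged, "sc_forged": sc_forged,
        "hidden_field": hidden_field(sid),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that the login state ("user": "alice") never leaves the server; the client only ever holds the random ID. URL rewriting and hidden fields keep the mechanism working without cookies, but the ID then appears in URLs, and so in browser history, bookmarks, Referer headers and server logs, which is the main reason the cookie transport is preferred.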

Differences between a cookie and a session:

1. Cookie data is stored in the client's browser; session data is kept on the server.

2. Cookies are not very safe: anyone with access to the client can read the cookies stored locally and tamper with or forge them (cookie spoofing). Where security matters, use the session.

3. A session is kept on the server for a certain period of time. As traffic grows, sessions consume more of the server's resources. To reduce server load, use cookies.

4. A single cookie cannot hold more than 4 KB of data, and browsers limit how many cookies a site may store (historically 20; RFC 6265 asks browsers to allow at least 50 per domain).

5. So my advice:
Store important information such as login state in the session.
Other information that needs to be retained can be put in a cookie.

Reposted from Shi Yang's Think out
