Many blog posts mention that HTTP is a stateless protocol.
Stateless means the server keeps no record of earlier requests: each request the browser sends is handled in isolation. Without state, any later processing that depends on earlier information would have to be sent again on every connection, which means transmitting a large amount of duplicated data.
A dynamic website needs interaction across requests, so the current access state has to be saved somewhere.
How do we keep that state? With the two mechanisms this post is about: sessions and cookies.
What is a cookie?
The browser visits the server, and the server hands it a small note to carry.
A cookie is a session-tracking mechanism: it keeps HTTP state on the client side.
How it works (at the protocol level, not the browser's actual implementation)
The web server adds a Set-Cookie header to the HTTP response. On each later request to that server (within the cookie's scope), the browser adds a Cookie request header that sends the cookie back.
Cookie limits
A cookie cannot exceed 4 KB, and it must contain at least a name and a value.
Cookie APIs
I. Writing a cookie
1. Create a Cookie object: new Cookie(name, value).
2. Make it persistent: setMaxAge(seconds) sets how long the browser keeps the cookie (it is then saved on disk).
3. Send the cookie to the client by calling the response method:
response.addCookie(cookie);
This is what emits the Set-Cookie response header.
4. Cookie scope: by default a cookie is sent back for the directory of the URL that set it and for its subdirectories, but not for parent directories. setPath() changes that directory, for example setPath("/") for the whole site.
II. Reading cookies
Cookie[] cookies = request.getCookies();
This returns every cookie the browser sent in the Cookie request header, or null (not an empty array) when the request carried none.
III. Differences between session cookies and persistent cookies
If no expiry time is set, the cookie lives only until the browser session ends (the browser is closed); then the cookie disappears.
That is a session cookie, and it is kept only in memory.
The persistent cookie described above is stored on disk instead.
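The write-and-read procedure above, as an added example that is not part of the original post. It assumes the javax.servlet API (3.0 or later, for setHttpOnly) and a hypothetical servlet mapped to /cookie-demo that stores a user's display theme in a persistent cookie; the cookie name, the URL and the allowed values are assumptions for the illustration.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet: /cookie-demo?theme=dark writes a persistent "theme" cookie,
// and every request reads back whatever cookies the browser sent.
@WebServlet("/cookie-demo")
public class CookieDemoServlet extends HttpServlet {

    private static final String THEME_COOKIE = "theme";   // assumed cookie name

    // Cookies come from the client, so never trust their content: whitelist known values.
    private static boolean isKnownTheme(String theme) {
        return "dark".equals(theme) || "light".equals(theme);
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String requested = request.getParameter("theme");
        if (requested != null) {
            if (!isKnownTheme(requested)) {
                response.sendError(HttpServletResponse.SC_BAD_REQUEST, "unknown theme");
                return;
            }
            // 1. Create the Cookie object (name + value is the minimum a cookie needs).
            Cookie cookie = new Cookie(THEME_COOKIE, requested);
            // 2. Make it persistent: 30 days, in seconds. Without setMaxAge it would be a
            //    session cookie that lives only in the browser's memory.
            cookie.setMaxAge(30 * 24 * 60 * 60);
            // 4. Scope: the default is the directory of this URL; send it for the whole app.
            String ctx = request.getContextPath();
            cookie.setPath(ctx.isEmpty() ? "/" : ctx);
            // Hardening (Servlet 3.0+): hide it from page scripts, and send only over TLS
            // when the request itself came over TLS.
            cookie.setHttpOnly(true);
            cookie.setSecure(request.isSecure());
            // 3. Pass it to the client: this produces the Set-Cookie response header.
            response.addCookie(cookie);
        }

        // II. Read the cookies carried in the Cookie request header.
        // getCookies() returns null, not an empty array, when the request has none.
        Cookie[] cookies = request.getCookies();
        String currentTheme = "light";   // default when no valid cookie is present
        if (cookies != null) {
            for (Cookie c : cookies) {
                if (THEME_COOKIE.equals(c.getName()) && isKnownTheme(c.getValue())) {
                    currentTheme = c.getValue();
                }
            }
        }

        response.setContentType("text/plain;charset=UTF-8");
        try (PrintWriter out = response.getWriter()) {
            out.println("theme cookie value: " + currentTheme);
        }
    }
}
```

Deploy it in any Servlet 3.0 container and request /cookie-demo?theme=dark; the response carries a Set-Cookie header, and a plain /cookie-demo afterwards prints "dark" because the browser sends the cookie back. The value read from the cookie is validated again on the way in, because nothing stops a client from editing the stored file and sending an arbitrary string.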
What is a session?
A session begins when a browser opens a website; however many pages are opened or links clicked after that, they all belong to the same session.
A session is a scheme that maintains HTTP state on the server.
It spans a series of requests and responses between the browser and the server.
All requests in the same session share one identifier, the session ID.
The Session object stores data as key-value pairs, like a map; the server keeps this information in a hash-like structure.
What happens when a session is needed? The server checks whether the client request carries a session ID. If it does not, or the ID does not match an existing session, a new session is created and its session ID is returned to the client for safekeeping.
The session ID must be a string that is unique and cannot easily be guessed or forged, because whoever presents it is treated as the owner of the session. The ID is returned to the client in the response, usually in a cookie, so that the browser automatically sends it back on later requests according to the cookie rules. In Java web containers the cookie is named JSESSIONID.
However, the user can disable cookies, so there must be another mechanism that still carries the session ID back to the server when cookies are unavailable.
A commonly used technique is URL rewriting: the session ID is appended directly to the URL path.
Another technique is a hidden form field: the server rewrites the form and adds a hidden field, so the session ID is sent back when the form is submitted. For example:
<form name="testform" action="/xxx">
    <input type="hidden" name="jsessionid" value="ByOK3vjFD75aPnrF7C2HmdnV6QZcEbzWoWiBYEnLerjQ99zWpBng!-145788764">
    <input type="text">
</form>
In practice this technique can simply be replaced by rewriting the URL in the form's action attribute.
So what is the link between session and cookie?
Think of a locker and its key: the session is the locker on the server that holds the data, and the cookie carries the key (the session ID) that opens it.
How does a session work when no cookie is available?
If the session ID never comes back, every access creates a new session object and the state is lost. To avoid that, the server rewrites the links it sends out:
response.encodeURL("getSession.jsp");
This method appends the session ID to the URL (as ;jsessionid=...) whenever the container cannot rely on a cookie, so the ID is submitted back to the server with the next request.
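The session lookup and URL rewriting described above, as an added example that is not part of the original post. It assumes the javax.servlet API and a hypothetical servlet mapped to /session-demo that keeps a visit counter in the session and reports how the session ID reached the server; the path and attribute names are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet: counts visits per session and shows where the session ID came from.
@WebServlet("/session-demo")
public class SessionDemoServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getSession(true) performs the lookup described in the post: if the request carries a
        // valid session ID (in the JSESSIONID cookie or in the URL), the existing session is
        // returned; otherwise a new one is created and its ID goes back in Set-Cookie.
        HttpSession session = request.getSession(true);

        // The session stores key -> value pairs on the server; only the ID travels.
        Integer visits = (Integer) session.getAttribute("visits");
        visits = (visits == null) ? 1 : visits + 1;
        session.setAttribute("visits", visits);

        // encodeURL appends ;jsessionid=... only when the container cannot rely on the
        // cookie: on the very first response, or when the client sent the ID via the URL.
        String nextLink = response.encodeURL(request.getContextPath() + "/session-demo");

        response.setContentType("text/plain;charset=UTF-8");
        try (PrintWriter out = response.getWriter()) {
            out.println("session id:          " + session.getId());
            out.println("new session:         " + session.isNew());
            out.println("visits:              " + visits);
            out.println("id came from cookie: " + request.isRequestedSessionIdFromCookie());
            out.println("id came from URL:    " + request.isRequestedSessionIdFromURL());
            out.println("id still valid:      " + request.isRequestedSessionIdValid());
            out.println("next link:           " + nextLink);
        }
    }
}
```

Fetch the page with a client that keeps cookies (for example curl -c jar -b jar) and the counter increases while "next link" stays clean; fetch it without a cookie jar and every request reports a new session, unless you follow the rewritten link, in which case the ID arrives through the URL. That second path is why URL rewriting is discouraged today: an ID in the URL ends up in browser history, proxy and server logs, and the Referer header of any outbound link, where anyone who reads it can reuse the session. Servlet 3.0 containers let you turn it off with a tracking-mode of COOKIE in web.xml (the session-config element), which is the safer default.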
Summary
1. Cookies are not very secure: they are stored on the client, where the user, or malware on the machine, can read and modify them.
A copied or forged local cookie can be used for cookie spoofing: presenting someone else's session ID makes the server treat the request as that user's.
CSRF attacks exploit the same property from the other direction: the browser attaches the cookie automatically, so a request triggered from another site arrives already authenticated.
2. Because session data lives on the server, a growing number of users means more server memory and slower performance.
(Personally, though, I don't think this needs that much consideration. It is fine to set a cookie for automatic login.)
Cookie and session