Listen to the bucket and tell the session and cookie

First, what is the relationship between a cookie and a session?

Their relationship is simple, utilized and used by the relationship.

In other words, due to the stateless nature of the HTTP protocol, the same client two different requests are completely independent, there is no good way to do some data sharing, so the HTTP protocol introduced a cookie, at the protocol level can do some data sharing, the principle is that the client computer to open up a space , and then put the cookie data into this space (the space is separated by the domain name). At each request, all cookie data for this domain name is requested on the header (same path)

But because the data is stored on the client, it is easy to be modified, security is difficult and guaranteed. So the better way is to put the data on the server side, called the session, the problem? How does the server know that different requests come from the same client? Thus, we can use cookies, only one identity, and then on the server side through the identity to hit the corresponding session data. It's useless to change your logo.

Therefore, the session uses cookies, but cookies are not required, in case the cookie is disabled by the client, in fact we can also use GET, post. It's just complicated.

Is this cookie generated from a thin air?

How does the server end up using cookies to find the session?

So let's use Session_Start () as an example,

Step by step to unlock the veil of mystery.

When you visit a website for the first time, the server calls Session_Start ();

His approximate steps are:

1) See if there is any corresponding session_id data in the cookie. (If the Only_use_cookie is not defined, it will find the parameters in the get,post until it is found)

2) 1 does not find the words, at this time in the server will be generated by the algorithm session_id data (through the User-agent, IP, time-related parameters, to ensure uniqueness), and then through the response head to set a cookie,

3) The browser discovers that there is a definition of setcookie in the response, and the cookie is stored in the corresponding space (unrelated to the server).

4) Then the next request, the cookie will be brought in the session_id, the server through the cookie in the session_id value, to a location on the server (the default is/tmp, the file name sess_{session_id}), The session data is read out, and then populated into the $_session, so Session_Start completed.

Therefore, the session_id in the cookie is not generated from thin air, it is through the service-type. The cookie and session are equivalent to a key=>val mapping relationship

Knowing this step, you can implement your own session_start of any language.

To extend the question, consider yourselves:

1) How to strictly define the session expiration

2) How the session is GC

3) Why PHP Default file session will have a performance problem.

Strict definition SESSION expiration answer: $_session[' timestamp '] = time ();

Why PHP Default file session will have a performance problem answer: Create/Open/close/delete Files Of course there will be performance problems, and all the session files are saved in a directory, the number of session files to find a file will also have a considerable performance problem.

Listen to buckets and cookies