The difference between session and cookie, and which is more secure

Source: Internet
Author: User
Tags send cookies

One, why session and cookie are so often discussed

Almost everyone doing web development uses sessions and cookies, but most just use them without knowing how they really work, relying on intuition. Developers use them only to get the job done, so everyone's understanding ends up at roughly the same level, and I think that is why session and cookie are discussed so often. This article is based on my own experience and study; its views on session and cookie are purely personal opinion, and I hope to receive everyone's corrections and suggestions.


Two, what is a cookie?

Cookies are divided into two types:

1. Long-term cookies, stored as files on the hard disk

2. Temporary cookies, which stay in the browser's memory

When you browse a site that requires login, you will often see a prompt asking whether you want your login status remembered. In that case, some of the login information is stored in a file on the client's hard disk.

When the user logs in, the server generates a session_id and sends it to the client as a cookie; the browser keeps this session_id in memory. When you close the browser, the session_id disappears.

A cookie is a scheme for maintaining state on the client: it is the storage mechanism for the client's session state. It is a small piece of text that the server stores on the local machine, or a piece of data in memory, that is sent back to the same server with each request. IETF RFC 2965, "HTTP State Management Mechanism", is the general cookie specification. The web server sends cookies to the client in HTTP headers; on the client, the browser parses the cookies and saves them as a local file or as in-memory data, and automatically attaches them to every request sent to the same server. Because a server-side state-keeping scheme also needs to keep an identifier on the client, the session mechanism uses the cookie mechanism to preserve that identifier, and in this way the statelessness of the HTTP protocol is overcome.

Three, what is a session?

A session is a server-side information management mechanism. By default it stores the session data in files on the server's hard disk; you can also use Memcache to keep this data in memory (see "Web cluster using Memcache to synchronize sessions").

When a client makes a request and asks the server to generate a session, the server first checks whether the client's cookie carries a session_id and whether that session_id has expired. If such a session_id exists, the server retrieves the corresponding session on the server side according to the session_id in the cookie. If there is no such session_id, the server creates a new one. PHPSESSID is a long opaque string, generated according to certain rules. If the same client starts a session twice with session_start, the two session_ids are not the same.

Host: . com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; zh-CN; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
Accept: text/css,*/*;q=0.1
Accept-Language: zh-cn,zh;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: utf-8,*
Keep-Alive: 115
Connection: keep-alive
Referer: http://***************.com/
Cookie: bx=7f34kbl5d3m3g&b=3&s=9t; awsuser_id=awsuser_id1267685109158r8091; PHPSESSID=us1o22h4iveo4uni3iksabReh4
If-Modified-Since: Tue, June 07:55:38 GMT

The above is the header of one HTTP request; the session_id travels in the Cookie header as PHPSESSID.

The session_id is carried in the cookie. If the user has disabled cookies, does that mean the session cannot be used? When cookies are disabled the session can of course still be used, but the session id has to reach the server some other way, for example appended to the URL or submitted in a form. Either way the server can then recognise the client's state.
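To make the lookup concrete, here is an added Python model (not the article's or PHP's own code) of the server-side check described above: a session store that resumes a live session named by the client's cookie, or by an id passed in the URL or a form when cookies are disabled, and otherwise issues a fresh id. The cookie name PHPSESSID comes from the page; the 30-minute lifetime and the helper names are assumptions.

```python
import secrets
import time

SESSION_COOKIE = "PHPSESSID"   # cookie name PHP uses, as in the article's header dump
SESSION_LIFETIME = 1800        # seconds of inactivity before a session expires (assumed value)


def parse_cookie_header(header):
    """Split a Cookie request header ("a=1; b=2") into a dict of name -> value."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


class SessionStore:
    """In-memory server-side session table (the role PHP's session files or Memcache play)."""

    def __init__(self, clock=time.time):
        self._sessions = {}   # session_id -> (data dict, last-seen timestamp)
        self._clock = clock   # injectable clock so expiry can be exercised deterministically

    def start(self, cookie_header="", fallback_id=None):
        """Model of session_start(): resume the live session named by the client, else create one.
        fallback_id stands for an id passed in the URL or a form when cookies are disabled.
        Returns (session_id, data, created)."""
        sid = parse_cookie_header(cookie_header).get(SESSION_COOKIE, fallback_id)
        now = self._clock()
        if sid in self._sessions:
            data, last_seen = self._sessions[sid]
            if now - last_seen <= SESSION_LIFETIME:
                self._sessions[sid] = (data, now)   # refresh the idle timer
                return sid, data, False
            del self._sessions[sid]                 # expired: discard, never revive
        # Missing, unknown or expired id: the server issues a fresh one from a CSPRNG.
        # An id the server never issued is not adopted, so a client cannot choose its own.
        sid = secrets.token_hex(16)
        data = {}
        self._sessions[sid] = (data, now)
        return sid, data, True
```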

Four, session and cookie: which is more secure?

Personally, I think the session is a little safer, for a few reasons.

1. If the session and the cookie were equally safe, the two would not need to exist at the same time: as long as the cookie is good enough, let the client carry the burden instead of the server, and it is transparent to the user. Why not?

2. The session's SessionID is placed in a cookie, so to break the session you first have to break the cookie. After breaking the cookie, you still need to obtain the SessionID, which only exists after someone logs in or session_start runs, and you do not know when someone will log in. Second, the SessionID is encrypted; after the next session_start the previous SessionID is useless, and when the session expires the SessionID expires with it, so brute-forcing a SessionID within a short time is difficult. A session exists for the purpose of one communication and disappears when it ends, whereas a cookie is a real text file on the client's hard disk. Which one is more secure is obvious.

3. If sessions were so easily broken and so unsafe, I think most existing websites would be unsafe.

1. Scope Control Object

(1) Function

Represents the scope in which an object exists.

(2) Classification

A: The current JSP file (the class file generated by compiling the current JSP)

This is the page scope, the default.

Exception: when a file is included with the include directive, objects declared in the included file are also in scope.


B: Two JSP files with an explicit request-forwarding relationship

Request: objects are stored as attributes (one key, one value).

Objects stored in request attributes are automatically cleared once the requested file finishes executing.

Use case: passing values when one page forwards to another.


C: How client information is stored

The first way: client-side storage, where all user information is stored and managed by the client.

The second way: server-side storage, where information is stored centrally on the server.


Technical implementation:

Client-side storage: cookie

Server-side storage: session, application


2. Cookies

(1) Understanding

A cookie is a temporary text file stored in the Temp directory of the client machine's browser; it stores the user's basic information.

(2) Characteristics

A: It is a text file.

B: It is a temporary text file.

C: The file size generally does not exceed 1K.

D: It is stored in the browser's temporary directory.

E: By default, a cookie is not shared between different browsers, but it is shared within the web application.

F: A cookie stores the user's basic information as a name and a value.

G: The scope of the stored information is the multiple pages accessed by one browser.

H: Cookies can disclose users' privacy.

I: Cookies can be disabled by the client.

(3) Application

A: Create a cookie

    Cookie cookie = new Cookie("name", "value");   // one cookie holds exactly one name/value pair

A cookie can store only one value, but a cookie file may contain multiple cookies.


B: Specify the cookie's lifetime

This sets how long the cookie file exists.

Cookies are classified as session-level cookies and persistent cookies.

Session-level cookies: the cookie exists in the browser's cache only during the current visit; once the user exits, the cookie is automatically cleared. In code: do not specify a lifetime for the cookie.

Persistent cookie: when a lifetime is explicitly set, a cookie file is created on the client machine; once created, it persists on disk until that lifetime expires.

    cookie.setMaxAge(int seconds);   // lifetime in seconds; omit the call for a session-level cookie


C: Output the cookie

This creates the text on the client:

    response.addCookie(cookie);   // emits a Set-Cookie header in the response


D: Obtain cookies from the client

    Cookie[] cookies = request.getCookies();   // all cookies the client's browser sent with this request, or null if none



To view the cookie files that the server has delivered to your computer: open the browser's Tools menu and click Internet Options. The cookie listing shows each cookie's name, source, file format (text file), file size (within 1K) and validity period.

[Figure: the browser's cookie listing]

Double-click a cookie file and you can see its information, separated by *:

[Figure: contents of a cookie file]



(4) Application scenarios

Cookie-based visit counter: "Welcome, this is your Nth visit to this site."

Recording a customer's simple preferences: Amazon.
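As an added Python example (not the page's Java servlet API), here is the session-level versus persistent distinction expressed as Set-Cookie headers, together with the visit-counter scenario above. The Secure and HttpOnly attributes, the one-year lifetime and the validation of the client-supplied count are defensive choices assumed here, not from the page.

```python
import re

COUNTER_COOKIE = "visits"          # hypothetical cookie name for the counter scenario
ONE_YEAR = 365 * 24 * 3600         # assumed lifetime, in seconds (what setMaxAge would receive)


def set_cookie_header(name, value, max_age=None, secure=True, http_only=True):
    """Build a Set-Cookie response header. Without max_age the cookie is session-level and
    dies with the browser; with max_age (seconds, like setMaxAge) it is written to disk and
    kept until that time elapses. Secure/HttpOnly are defensive defaults."""
    parts = [f"{name}={value}", "Path=/"]
    if max_age is not None:
        parts.append(f"Max-Age={int(max_age)}")
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


def cookie_kind(set_cookie):
    """Classify a Set-Cookie header as 'session' or 'persistent' (Max-Age or Expires present)."""
    attrs = {p.strip().split("=", 1)[0].lower() for p in set_cookie.split(";")[1:]}
    return "persistent" if attrs & {"max-age", "expires"} else "session"


def visit_counter(cookie_header):
    """Cookie-based visit counter. The count arrives from the client, so it is validated:
    only a short plain decimal is trusted, anything else restarts the count at 1.
    Returns (greeting, set_cookie_header_for_the_response)."""
    m = re.search(rf"(?:^|;\s*){COUNTER_COOKIE}=(\d{{1,9}})(?:;|$)", cookie_header)
    visits = int(m.group(1)) + 1 if m else 1
    if visits == 1:
        greeting = "Welcome, this is your first visit to this site."
    else:
        greeting = f"Welcome back, this is visit number {visits}."
    # The counter is meant to survive browser restarts, so it is a persistent cookie.
    return greeting, set_cookie_header(COUNTER_COOKIE, str(visits), max_age=ONE_YEAR)
```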



4. Methods of tracking client information

How to identify a client:

(1) Cookies

(2) URL rewriting

(3) Hidden form fields

(4) Session



5. Session

(1) Understanding

A session is the interaction of one client with a set of information kept on the server side.

(2) Function

Space allocated in the server's cache for storing an individual user's information.

(3) Features

A: The information stored in a session is kept in the server's cache.

B: For each user, whenever the web application is visited (typically at login), the server immediately allocates a separate cache space for that user.

C: For each session, the system automatically generates a unique session ID to distinguish it. This ID is called JSESSIONID (the SessionID) and is stored on the client as a session-level cookie; it is used to tell users apart.

D: A session can store any object (typically a shopping cart).

E: A session has an active period and a timeout mechanism. The default is 30 minutes in Tomcat and 20 minutes in IIS.

F: The information in a session is shared among the different pages one user visits in one browser (note the difference: a cookie can be shared across all pages in the same browser).

