) Session and cookie

1. The session is saved on the server, and the client does not know the information. The cookie is saved on the client, and the server can know the information.

2. objects are saved in the session, and strings are saved in the cookie.

3. sessions cannot be differentiated. During a user's access to a website, all sessions can be accessed in any place. If path parameters are set in the cookie, the cookies in different paths of the same website cannot access each other.

4. The session must use cookies to work normally. If the client completely disables cookies, the session will become invalid.

HTTP is a stateless protocol. Each time a customer reads a web page, the server opens a new session, and the server does not automatically maintain the context information of the customer, so how can we implement the shopping cart in the online store? session is a mechanism for storing context information. It targets every user and stores the variable values on the server, session IDs are used to differentiate different customers. sessions are implemented based on cookies or URL rewriting. By default, the system creates an output cookie named JSESSIONID, which is called session cookie, in order to distinguish persistent cookies, that is, the cookie we usually call. Note that session cookies are stored in the browser memory and are not written to the hard disk. This is the JSESSIONID we just saw, we usually cannot see JSESSIONID, but when we disable the cookie of the browser, the web server will use URL rewriting to pass the sessionid. You can see strings such as sessionid = kwjhug6jjm65hs2k6 in the address bar.
After understanding the principles, we can easily distinguish the differences between persistent cookies and session cookies. The discussions on the security of the two on the Internet are clear. session cookies are for a session, session Cookie disappears, while the persistent cookie is only a piece of text (usually encrypted) stored on the client's hard disk ), in addition, Cookie spoofing and cross-site scripting attacks against cookies are not as secure as session cookies.
Generally, session cookies cannot be used across windows. When you open a new browser window to enter the same page, the system will give you a new sessionid, in this way, we cannot achieve the purpose of information sharing. At this time, we can first save the sessionid in the persistent cookie, and then read it out in the new window to get the sessionid of the previous window, in this way, session cookie and persistent cookie are combined to achieve cross-window session tracking ).
In some web development books, session and cookie are usually used as two parallel HTTP transmission methods. session cookies are on the server side, and persistent cookies are on the client side, however, session is based on cookies. It is not difficult to select the appropriate technology to develop Web services by understanding the relationship and difference between the two.