27. Toad Notes Go language--session and data storage
A very important topic in web development is how to keep track of a user across an entire browsing session. Because the HTTP protocol is stateless, every request from the user is stateless too, and the server cannot tell which connection in a web interaction belongs to which user. How should this be solved? The classic web solution is cookies and sessions. The cookie mechanism is client-side: it keeps the user's data on the client. The session mechanism is server-side: it holds the information in a hash-like structure, and each site visitor is assigned a unique identifier, the SessionID, which is carried in one of two forms, either in the URL or in a cookie on the client. You can also save the session to a database, which is more secure, but efficiency will drop.
Session and Cookie
Cookies, in short, store some history of the user's actions (including login information, of course) on the local computer. When the user visits the site again, the browser sends the locally stored cookie contents to the server over HTTP, so the server can complete verification or continue from where the user left off.
A session, in short, saves the history of the user's actions on the server. The server identifies each session by a session ID, which the server itself generates, guaranteeing randomness and uniqueness; it acts like a random key, so the user's real password is never exposed during the handshake or in transit. The server still needs to match each incoming request to its session, so the client's identity (that is, the session ID) is obtained either through the cookie mechanism or by submitting the ID to the server in a GET request.
A cookie is a small piece of text maintained by the browser and stored on the client; it travels with the user's requests and pages between the Web server and the browser. Each time a user accesses a site, the Web application can read the information contained in the cookie. The browser settings have a cookie/privacy data option; open it and you can see the many cookies set by the websites you have visited.
Cookies are time-limited and fall into two types depending on their life cycle: session cookies and persistent cookies. If no expiration time is set, the cookie lives from its creation until the browser is shut down, and disappears as soon as the browser window is closed. A cookie whose lifetime is one browsing session is called a session cookie. Session cookies are generally kept in memory rather than saved to the hard disk.
If you set an expiration time (for example, setMaxAge(60*60*24)), the browser saves the cookie to the hard disk; after closing and reopening the browser, these cookies remain valid until the set expiration time passes. Cookies stored on the hard disk can be shared between different browser processes, such as two IE windows. For cookies stored in memory, different browsers handle them differently.
In web development, the meaning of "session" has also been extended: it refers to a class of solutions for maintaining state between the client and the server side. Sometimes "session" is used to refer to the storage structure of that solution. The session mechanism is a server-side mechanism that uses a hash-like structure (possibly an actual hash table) to hold the information.
Sessions and cookies share the same purpose, overcoming the stateless nature of the HTTP protocol, but their methods differ. A session keeps only the session ID on the client, in a cookie, while the rest of the user's session information is kept in the session object on the server side; a cookie, by contrast, has to keep all the information on the client side. Cookies therefore carry certain security risks, such as decryption of a user name and password stored in a local cookie, or collection of cookies by other websites (for example: 1. app A deliberately sets a cookie for domain B so that domain B can access it; 2. XSS, where JavaScript injected into app A reads document.cookie and passes it to the attacker's own app B).
How to use sessions in Go
The basic principle of a session is that the server maintains one piece of state per session, and client and server rely on a globally unique identifier to access that data when they interact. When a user accesses a web app, the server-side program creates a session as needed, which can be summarized in three steps:
• Generate a globally unique identifier (SessionID);
• Allocate data storage space. It is common to create the corresponding data structure in memory, but then, once the system loses power, all session data is lost, which would have serious consequences for an e-commerce site. To solve this, the session data can be written to a file or stored in a database; this increases I/O overhead, but it gives a degree of session persistence and also makes sharing sessions easier;
• Send the session's globally unique identifier to the client.
The Session ID identifies every user who accesses the web app, so it must be guaranteed to be globally unique (GUID).
Preventing session hijacking
Session hijacking is a widespread and serious security threat. In session technology, the client and server maintain the session through the session identifier, but that identifier can easily be sniffed and exploited by others; this is a type of man-in-the-middle attack.
Currently the official Go standard library does not support sessions.
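As an added example (not code from the original article), here are the three steps above implemented as a minimal in-memory session manager on top of Go's net/http; the names Manager, Start and the cookie name "sid" are my own. The SessionID is drawn from crypto/rand, and the cookie is sent with HttpOnly and Secure so that document.cookie cannot read it and it travels only over HTTPS, which limits the hijacking exposure described above.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"net/http"
	"sync"
	"time"
)
// session is the server-side record; the client only ever holds its ID.
type session struct {
	values  map[string]string
	expires time.Time
}
// Manager keeps sessions in memory (constructed example; they vanish on restart).
type Manager struct {
	mu       sync.Mutex
	sessions map[string]*session
	maxAge   time.Duration
	name     string // name of the cookie that carries the SessionID
}
func NewManager(name string, maxAge time.Duration) *Manager {
	return &Manager{sessions: map[string]*session{}, maxAge: maxAge, name: name}
}
// newID draws 32 bytes from crypto/rand so the SessionID is unguessable and unique.
func newID() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}
// Start resumes the unexpired session named by the request cookie, or creates one and sends its ID in an HttpOnly, Secure cookie.
func (m *Manager) Start(w http.ResponseWriter, r *http.Request) (string, map[string]string, error) {
	m.mu.Lock()
	defer m.mu.Unlock()
	if c, err := r.Cookie(m.name); err == nil {
		if s, ok := m.sessions[c.Value]; ok && time.Now().Before(s.expires) {
			return c.Value, s.values, nil
		}
	}
	id, err := newID()
	if err != nil {
		return "", nil, err
	}
	s := &session{values: map[string]string{}, expires: time.Now().Add(m.maxAge)}
	m.sessions[id] = s
	http.SetCookie(w, &http.Cookie{Name: m.name, Value: id, Path: "/", MaxAge: int(m.maxAge.Seconds()), HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode})
	return id, s.values, nil
}
```

A request carrying an unknown or expired ID simply gets a fresh session, so a forged identifier never resolves to someone else's data.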