About cookies and session

Source: Internet
Author: User
Tags: send cookies

First, preface:

Everyone doing web development uses sessions and cookies, but many use them without knowing how a session or a cookie really works, going by feel. Developers use them to get the job done, so most people's understanding ends up at the same level, and I think that is why Session and Cookie are discussed so often.

Second, an introduction to cookies:
  • Cookies, literally "cookies". They store the user's state information on the browser side, and that information is carried back to the backend when the backend is accessed again.

  • Cookies come in two kinds:

    • A long-term cookie, kept as a file in hard-disk space;

    • A temporary cookie, kept only in the browser's memory.

  • Cookie usage:
    • When initiating a request: the browser checks all stored cookies, and if a cookie's declared scope (determined by its path and domain) covers the location of the resource being requested, the cookie is appended to the HTTP request header sent to the server for that resource.

    • When processing a request: on the server side, the cookie information in the request header is generally checked (for example, a login check), and if the check passes, the actual business logic runs.

    • If the check does not pass, for example because no cookie is found or the cookie information is incorrect (possibly forged), the server redirects to the login page; after login, the cookie information is returned in the response, and the browser stores it on disk or in memory for the next request according to the attributes of the returned cookie.
  • The contents of a cookie mainly include: name, value, expiration time, path and domain.

  • If no expiration time is set, the cookie lives only for the duration of the browser session and is discarded when the browser is closed. A cookie whose lifetime is the browser session is called a session cookie. Session cookies are generally not written to disk but kept in memory, although this behaviour is not standardized.

  • If an expiration time is set, the browser saves the cookie to disk; it remains valid after the browser is closed and reopened, until the set expiration time passes. Cookies stored on disk can be shared between different browser processes, such as two IE windows. Different browsers handle in-memory cookies differently.
  • Many sites' login pages ask whether you want your login status remembered; in that case some of the login information is stored in a file on the client's hard disk.

  • When the user logs in, the session generates a session_id that is stored in a cookie in the browser's memory; when you close the browser, the session_id disappears.

  • A cookie is a scheme for maintaining state on the client: a storage mechanism for the client's session state. It is a small piece of text that the server stores on the local machine, or a piece of data in memory, that is sent back to the same server with each request. The web server uses HTTP headers to send cookies to the client; on the client, the browser parses the cookies and saves them as a local file or as in-memory data, and automatically attaches them to every request to the same server. Because a server-side state-keeping scheme also needs to keep an identifier on the client, the session mechanism uses the cookie mechanism to preserve that identifier, which is how the stateless nature of HTTP is worked around.
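The scope rule described above (a cookie is attached only when its domain and path cover the requested resource, and a Domain attribute such as ".example.com" also covers subdomains) is worked through here in Python. This is an added example, not code from the original post; example.com, the cookie names other than PHPSESSID and all values are constructed.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class StoredCookie:
    name: str
    value: str
    domain: str       # host it was set for, e.g. "www.example.com" or ".example.com"
    path: str         # e.g. "/" or "/admin"
    host_only: bool   # True when the Set-Cookie carried no Domain attribute

def domain_matches(request_host, cookie_domain, host_only):
    """RFC 6265 domain matching: a host-only cookie needs an exact host match;
    a Domain cookie matches that domain and every subdomain of it."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")   # a leading dot is ignored
    if host_only:
        return request_host == cookie_domain
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)

def path_matches(request_path, cookie_path):
    """RFC 6265 path matching: the cookie path must be a prefix of the request
    path that ends on a "/" boundary, so "/admin" matches "/admin/users" but
    not "/administrator"."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

def cookies_for_request(url, jar):
    """Return the Cookie header value a browser would attach to a request for url."""
    parts = urlsplit(url)
    host, path = (parts.hostname or ""), (parts.path or "/")
    chosen = [c for c in jar
              if domain_matches(host, c.domain, c.host_only) and path_matches(path, c.path)]
    chosen.sort(key=lambda c: len(c.path), reverse=True)   # longer paths first, per RFC 6265
    return "; ".join(f"{c.name}={c.value}" for c in chosen)

def sample_jar():
    """Constructed cookie jar: example.com is a placeholder and the values are made up."""
    return [
        StoredCookie("PHPSESSID", "sid123", "www.example.com", "/", host_only=True),
        StoredCookie("BX", "bx1", ".example.com", "/", host_only=False),
        StoredCookie("adm", "a1", "www.example.com", "/admin", host_only=True),
    ]
```

The host-only PHPSESSID cookie never travels to shop.example.com, while the ".example.com" Domain cookie does; this is the cross-domain behaviour the differences section below refers to.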

Third, an introduction to sessions:
    • A session is a server-side information management mechanism. By default it stores the session data as files in the server's disk space; Memcache can be used to keep this data in memory instead.

    • When a client makes a request that asks the server to generate a session, the server first checks whether the client's cookie carries a session_id and whether that session has expired.
    • If a valid session_id exists, the server retrieves the matching server-side session by the session_id in the cookie. If there is no such session_id, the server creates a new one.

    • The following table shows the header information of a single request:

      Host               *****************.com
      User-agent         Mozilla/5.0 (X11; U; Linux i686; zh-CN; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
      Accept             text/css,*/*;q=0.1
      Accept-language    zh-cn,zh;q=0.5
      Accept-encoding    gzip,deflate
      Accept-charset     UTF-8,*
      Keep-alive         115
      Connection         keep-alive
      Referer            http://***************.com/
      Cookies            BX=7f34kbl5d3m3g&b=3&s=9t; AWSUSER_ID=awsuser_id1267685109158r8091; PHPSESSID=us1o22h4iveo4uni3iksabreh4
      If-modified-since  Tue, 29 Jun 2010 07:55:38 GMT
    • PHPSESSID is an opaque string generated according to certain rules. If the same client starts a session twice (Session_Start), the session_id is different each time.

    • The session's session_id is placed in a cookie. If the user has disabled cookies, does that mean the session cannot be used? Of course it can still be used, but the session id must then be obtained some other way, for example from the URL (URL rewriting) or from a hidden form field submitted to the server (<input type="hidden" name="Jsessionid" value="xxxxxxxx">). Either way the server can then identify the client's state.
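The server side of the mechanism just described (look up the session_id from the Cookie header; reuse the server-side data if it exists and has not expired, otherwise create a fresh, unguessable id and send it back in Set-Cookie) is shown below in Python. This is an added example rather than the post's or PHP's own code; the 1800-second lifetime and the injectable clock are assumptions, and the cookie attributes (HttpOnly, Secure, SameSite) are the defensive defaults a practitioner would set rather than anything the page states.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 1800   # seconds; assumed value, not from the original post

class SessionStore:
    """In-memory session store: the data stays on the server, only the opaque
    session id (like PHPSESSID) travels in the cookie."""

    def __init__(self, cookie_name="PHPSESSID", now=time.time):
        self.cookie_name = cookie_name
        self.now = now                  # injectable clock so expiry can be tested
        self._sessions = {}             # sid -> (expires_at, data dict)

    def _new_session(self):
        sid = secrets.token_urlsafe(32)  # CSPRNG: unguessable and different on every start
        self._sessions[sid] = (self.now() + SESSION_TTL, {})
        return sid

    def start(self, cookie_header):
        """Mirror session_start(): returns (session_id, data, set_cookie_header_or_None).
        A Set-Cookie value is returned only when a new id had to be issued."""
        jar = SimpleCookie()
        jar.load(cookie_header or "")
        morsel = jar.get(self.cookie_name)
        sid = morsel.value if morsel else None
        entry = self._sessions.get(sid) if sid else None
        if entry is not None and entry[0] > self.now():
            return sid, entry[1], None          # known, unexpired session: reuse it
        if sid in self._sessions:
            del self._sessions[sid]             # expired: drop the server-side data
        sid = self._new_session()               # unknown, forged or expired id: new session
        return sid, self._sessions[sid][1], self.set_cookie_header(sid)

    def set_cookie_header(self, sid):
        c = SimpleCookie()
        c[self.cookie_name] = sid
        c[self.cookie_name]["path"] = "/"
        c[self.cookie_name]["httponly"] = True   # page scripts cannot read the id
        c[self.cookie_name]["secure"] = True     # only sent over HTTPS
        c[self.cookie_name]["samesite"] = "Lax"  # not attached to most cross-site requests
        return c.output(header="").strip()
```

A client that presents a session_id the server does not know simply gets a new empty session, which is why guessing or forging the id value alone yields nothing unless the id itself is predictable.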

IV. The differences between a cookie and a session:

1. Different storage locations

Cookie data is stored in the client's browser and not on the server. Session data is stored on the server, and can also be held in the server's memory.

2. Different security

Cookies are less secure than sessions. Because ordinary cookies are stored on the local hard drive, an attacker can use URL spoofing and similar means to mount an XSS attack, read the cookie that holds the locally stored state, and steal the user's sensitive information.

A session is different: session information can only be obtained by mounting an XSS attack while the user is logged in to the site, and once the browser is closed the session is destroyed, so its security is better than a cookie's.
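The "possibly forged" cookie from the request-processing bullet and the security difference above both come down to the same fact: whatever is stored in a cookie is under the client's control. When state must nonetheless live in the cookie rather than in a server-side session, the usual defence is to sign it so tampering is detected. The Python below is an added example, not the post's own code; the key is a constructed placeholder and the payload format (base64 JSON, a dot, then an HMAC-SHA256 tag) is this example's own convention.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key: in a real deployment it comes from configuration, never source code.
SECRET_KEY = b"demo-key-replace-me"

def _b64(data):
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _tag(payload, key):
    return _b64(hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest())

def sign_cookie_value(state, key=SECRET_KEY):
    """Serialize state as payload.tag. base64 keeps the value ASCII-only and free of
    the characters a cookie value may not contain; the tag binds it to the key."""
    payload = _b64(json.dumps(state, separators=(",", ":"), sort_keys=True).encode("utf-8"))
    return payload + "." + _tag(payload, key)

def verify_cookie_value(value, key=SECRET_KEY):
    """Return the state dict if the tag is valid for this key, otherwise None."""
    try:
        payload, tag = value.rsplit(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(tag, _tag(payload, key)):   # constant-time comparison
        return None
    try:
        return json.loads(_unb64(payload))
    except (ValueError, UnicodeDecodeError):
        return None

def tamper(value, new_state):
    """What a client editing its own cookie can do: swap the payload, keep the old tag."""
    _, tag = value.rsplit(".", 1)
    payload = _b64(json.dumps(new_state, separators=(",", ":"), sort_keys=True).encode("utf-8"))
    return payload + "." + tag
```

Signing gives integrity only: the client can still read the state, so secrets belong in a server-side session, and a signed cookie still needs an expiry inside the signed payload if it is not to be replayed indefinitely.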

3. Differences in cross-domain support

Cookies support cross-domain access: for example, with the Domain attribute set to ".biaodianfu.com", every domain name ending in ".biaodianfu.com" can access the cookie. Cross-domain cookies are now commonly used by sites such as Google, Baidu and Sina. Sessions do not support cross-domain access; a session is valid only within the domain it belongs to.

4. Different server load

Sessions are stored on the server, and every user produces one. If the number of concurrent users is very large, that produces a great many sessions and consumes a lot of memory. Sites with very high concurrency such as Google, Baidu or Sina are therefore unlikely to track user sessions with server-side sessions; cookies should be used with server performance in mind.

5. Different storage capabilities

Only ASCII strings can be stored in a cookie; Unicode characters or binary data must be encoded first. Java objects cannot be stored directly in a cookie, so storing anything even slightly complex in a cookie is difficult. A session can hold data of any type, including but not limited to String, Integer, List and Map; Java beans and indeed any Java object can be stored directly, which is very convenient. The session can be thought of as a Java container class.

6. Limit on the size of cookie content

A single cookie cannot hold more than 4K of data, and many browsers limit a site to a maximum of 20 cookies.
