Cookie, session, sessionid, and JSESSIONID

Source: Internet

Author: User

To understand how cookies, sessions, session IDs and JSESSIONID relate to each other, let's start with an analogy.

We all know that a bank's counter handles customer deposits and withdrawals every day. There are several ways the bank can keep track of them:

1. Rely on the clerk's memory. The clerk at the counter handles each customer's deposits and withdrawals from memory: the clerk remembers each customer's face, how many times the customer has deposited or withdrawn money, and the amount of each transaction. ----------- This corresponds to a protocol that supports state by itself.

2. Use a passbook. The clerk records each customer's deposit and withdrawal information in a passbook and hands it to the customer to keep. The next time the customer deposits or withdraws money, the clerk only needs to take the passbook and the customer's history is clear at a glance. Of course, you will immediately ask: what stops the customer from modifying this information? We have a measure for that too: every deposit or withdrawal record is stamped, and unstamped entries are counterfeit. However, if the customer is determined, the stamp can also be forged. ------------- This corresponds to maintaining state on the client side.

3. Use a bank card. The bank issues each user a card that carries only a unique card number and no other information. When depositing or withdrawing, the user presents the card, the bank enters the card number into its computer, and the user's deposit and withdrawal record is displayed immediately. The security of this approach is greatly improved: to modify his or her own record, the user would have to attack the bank's server, which is difficult. --------- In this approach the server maintains the state.

Cookie and session generation process

We all know that the HTTP protocol itself is stateless: the client simply sends a request to the server to download some files, and each request sent from the client to the server is independent. For today's web applications, HTTP's statelessness means that many applications have to spend a lot of effort recording the user's steps, just as in the first case above, where the bank staff have to spend a lot of energy memorizing every user's deposit and withdrawal history.

Programmers soon discovered that if some dynamically generated information could be provided on demand, the interactivity of the web would be greatly enhanced. On one hand, programmers could add forms, scripts and the DOM to HTML to support interaction between web applications and clients; the CGI specification was used to respond to dynamic requests from the client; and HTTP, as the transport carrier, gained file uploads and cookies. The principle behind cookies is the same as the passbook described above for recording a user's transactions.

From the previous example we have seen that storing information in cookies carries a certain security risk, because all the information is written on the client, where the customer may modify or clear it. So sessions appeared as another way to save user behavior. The principle of this approach is the same as the bank card described above.

Specifically, the cookie mechanism uses a client-side persistence scheme, while the session mechanism uses a server-side persistence scheme. At the same time, we can see that because the server-side scheme still needs to save an identifier on the client, the session mechanism may use the cookie mechanism to hold that identifier, but in fact it has other options as well.

Cookie and session mechanisms and principles

Cookie mechanism. Orthodox cookie distribution is implemented by extending the HTTP protocol: the server adds a special line to the HTTP response headers to prompt the browser to generate the corresponding cookie. However, purely client-side scripts such as JavaScript or VBScript can also generate cookies. Cookies are sent back to the server automatically by the browser in the background according to certain rules: the browser checks all stored cookies, and if a cookie's declared scope is greater than or equal to the location of the resource being requested, the cookie is attached to the HTTP request header for that resource and sent to the server.

A cookie's content mainly includes a name, a value, an expiration time, a path and a domain. The path and domain together make up the cookie's scope. If no expiration time is set, the cookie's lifetime is the browser session: close the browser window and the cookie disappears. A cookie whose lifetime is the browser session is called a session cookie. Session cookies are generally stored in memory rather than on the hard disk, although this behavior is not standardized. If an expiration time is set, the browser saves the cookie to the hard disk; close and reopen the browser and the cookie is still valid until the specified expiration time has passed. Cookies stored on the hard disk can be shared between different browser processes, such as two IE windows. Different browsers handle cookies in different ways.
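The scope check described above, as an added example that is not part of the original post: a small model of how a browser decides which stored cookies to attach to a request, using the RFC 6265 domain-match and path-match rules, and how the absence of an expiration time makes a cookie a session cookie. The cookie jar and host names are constructed for illustration.

```python
# Added example: browser-side cookie scope matching (RFC 6265 rules), not code from the post.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class StoredCookie:
    name: str
    value: str
    domain: str                      # host the cookie is scoped to, e.g. "bank.example"
    path: str                        # path prefix, e.g. "/" or "/account"
    expires: Optional[float] = None  # epoch seconds; None means a session cookie

    def is_session_cookie(self) -> bool:
        # No expiration time: kept in memory and discarded when the browser session ends.
        return self.expires is None


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    # RFC 6265 5.1.3: exact match, or the request host is a subdomain of the cookie domain.
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    # RFC 6265 5.1.4: the cookie path must be a prefix of the request path on a
    # "/" boundary, so a cookie scoped to "/account" is not sent to "/accounts".
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookie_header(jar: List[StoredCookie], request_host: str, request_path: str, now: float) -> str:
    """Build the Cookie: header value a browser would send for this request."""
    attached = []
    for c in jar:
        if c.expires is not None and c.expires <= now:
            continue  # expired persistent cookie: the browser evicts it instead of sending it
        if domain_matches(request_host, c.domain) and path_matches(request_path, c.path):
            attached.append(f"{c.name}={c.value}")
    return "; ".join(attached)
```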

Session mechanism. The session mechanism is a server-side mechanism: the server uses a hash-table-like structure (or perhaps an actual hash table) to save information.

When a program needs to create a session, the server first checks whether the client's request already contains a session identifier, called the session ID. If it does, the client has previously created a session, and the server retrieves that session by its session ID (creating a new one if none is found). If the request does not contain a session ID, the server creates a session and generates an associated session ID; the session ID's value is a string that is neither duplicated nor easy to guess from a pattern. The session ID is returned to the client in this response for the client to save.

The session ID can be saved in a cookie, so that the browser automatically presents the identifier to the server according to the cookie rules during subsequent interactions. The cookie name is generally something like sessionid. However, since cookies can be disabled by the user, there must be other mechanisms to pass the session ID back to the server when cookies are disabled. One frequently used technique is called URL rewriting, which attaches the session ID directly to the URL path. Another technique is hidden form fields: the server automatically modifies the form and adds a hidden field so that the session ID is passed back to the server.
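The lookup-or-create flow and the two transport options just described, as an added example that is not part of the original post or of any servlet container: a minimal server-side session store that takes the session ID from the Cookie header or, as a fallback for clients with cookies disabled, from the URL-rewritten path, and mints an unguessable ID from the OS CSPRNG when none is recognised. The cookie name JSESSIONID and the `;jsessionid=` path form follow Tomcat's convention; the store, the method names and the request values are constructed for illustration.

```python
# Added example: a minimal server-side session store, not code from the post or from Tomcat.
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

SESSION_COOKIE = "JSESSIONID"   # Tomcat's cookie name; other containers use other names
URL_MARKER = ";jsessionid="     # URL-rewrite form: /account;jsessionid=<id>


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}   # session id -> per-user state, kept server side

    @staticmethod
    def new_id() -> str:
        # 32 random bytes from the OS CSPRNG: effectively unique and not guessable,
        # which is what makes the identifier safe to hand to the client.
        return secrets.token_urlsafe(32)

    @staticmethod
    def _id_from_request(cookie_header: str, url: str) -> Optional[str]:
        # 1. Look for the identifier in the Cookie header.
        for part in cookie_header.split(";"):
            name, _, value = part.strip().partition("=")
            if name == SESSION_COOKIE and value:
                return value
        # 2. Fall back to the URL-rewritten path (cookies disabled on the client).
        path = urlsplit(url).path
        if URL_MARKER in path:
            return path.split(URL_MARKER, 1)[1]
        return None

    def resolve(self, cookie_header: str, url: str) -> Tuple[str, dict, Optional[str]]:
        """Return (session id, session state, Set-Cookie header or None) for one request."""
        sid = self._id_from_request(cookie_header, url)
        if sid is not None and sid in self._sessions:
            return sid, self._sessions[sid], None          # existing session retrieved by id
        # Absent or unrecognised id: never adopt the client-supplied value, mint a fresh one.
        sid = self.new_id()
        self._sessions[sid] = {}
        set_cookie = f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly; Secure"
        return sid, self._sessions[sid], set_cookie

    @staticmethod
    def rewrite_url(url: str, sid: str) -> str:
        """URL rewriting: append the id to the path for clients that send no cookies."""
        parts = urlsplit(url)
        return urlunsplit(parts._replace(path=f"{parts.path}{URL_MARKER}{sid}"))
```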

What is JSESSIONID?

JSESSIONID is simply Tomcat's name for the session ID; it is actually a session ID. In other containers it may not be called JSESSIONID.

------------------- Latest update --------

Terry_huang replied:

Let me give you a more vivid example. In college I often went to a milk tea shop where you get a stamp each time you buy a drink (they give you a card the first time you go). After 6 stamps are collected, you get a cup of milk tea for free. In this way the stamp information is stored on the customer's card. If you are not honest, you just forge a few stamps to cheat them out of a milk tea. Haha, that is what maintaining state on the client side is like. When you take a bank card to withdraw money, the card only needs to store a card number, and the rest of the information is saved on the server, which corresponds to the server maintaining the state. Hope this helps.

Perhaps my description was not clear enough. The deposit card is similar to the passbook: the user's transaction information is stored in the passbook, and the passbook is in the customer's hand (the client). Few people use passbooks now, or the banks have discontinued them.
