Differences between cookie and session

Source: Internet
Author: User

I. Differences between cookie and session mechanisms

The cookie mechanism keeps state on the client, while the session mechanism keeps state on the server.

Because the server-side scheme still needs to store an identifier on the client, the session mechanism may use the cookie mechanism to store that identifier, but other methods can also be used.

A cookie consists of a name, a value, an expiration time, a path, and a domain. The path and the domain together form the scope of the cookie. If no expiration time is set, the cookie lives for the browser session: when the browser window is closed, the cookie disappears. Such a cookie is called a session cookie. Session cookies are generally kept in memory rather than on the hard disk.

If an expiration time is set, the browser saves the cookie to the hard disk, and it remains valid after the browser is closed and reopened, until the preset expiration time passes. Cookies stored on the hard disk can be shared among different browser processes, such as two IE windows. Cookies kept in memory are handled differently by different browsers.

Session mechanism: the session mechanism is a server-side mechanism. The server uses a structure similar to a hash table to store information. When the program needs to create a session for a client request, the server first checks whether the request contains a session identifier (the session id). If it does, a session has already been created for this client, and the server retrieves and uses that session by its session id (if it cannot be retrieved, a new session is created). If the request does not contain a session id, the server creates a session for the client and generates a session id associated with it. The session id value should be unique, and it is returned to the client in the response to be saved. A cookie can be used to save the session id, so that the browser automatically sends the id to the server according to the cookie rules during the interaction. The cookie name is generally something like SESSIONID. However, cookies can be deliberately disabled; in that case, the session id is passed back to the server in other ways:

URL rewriting: append the session id directly to the end of the URL path.

Form hidden field: the server automatically modifies the form and adds a hidden field so that the session id can be passed back to the server when the form is submitted.
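
The get-or-create flow described above, as an added Python example that is not part of the original page. The cookie name `SESSIONID`, the 30-minute idle timeout, the `SessionStore` class and the `HttpOnly; Secure; SameSite=Lax` attributes are assumptions; an unknown or expired id is replaced by a server-generated one instead of being adopted.

```python
import secrets
import time

SESSION_COOKIE = "SESSIONID"  # assumed cookie name
IDLE_TIMEOUT = 1800           # assumed idle timeout, in seconds


class SessionStore:
    """Server-side table: session id -> (last_seen, data)."""

    def __init__(self, now=time.time):
        self._sessions = {}
        self._now = now

    def get_or_create(self, presented_id):
        """Return (session_id, data, created) for the id the client sent."""
        now = self._now()
        entry = self._sessions.get(presented_id) if presented_id else None
        if entry is not None and now - entry[0] <= IDLE_TIMEOUT:
            self._sessions[presented_id] = (now, entry[1])
            return presented_id, entry[1], False
        # Missing, unknown or expired id: drop any stale entry and mint a new
        # id on the server. The client's value is never adopted as the new id.
        self._sessions.pop(presented_id, None)
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        data = {}
        self._sessions[sid] = (now, data)
        return sid, data, True


def parse_cookie_header(header):
    """Parse the value of a request Cookie header into a dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def handle_request(store, cookie_header):
    """Return (session_id, hit_count, Set-Cookie line or None)."""
    presented = parse_cookie_header(cookie_header or "").get(SESSION_COOKIE)
    sid, data, created = store.get_or_create(presented)
    data["hits"] = data.get("hits", 0) + 1  # state stays on the server
    # No Expires/Max-Age, so this is a session cookie in the page's sense.
    header = f"Set-Cookie: {SESSION_COOKIE}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
    return sid, data["hits"], (header if created else None)
```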


Differences between cookie and session

1. Cookie data is stored on the client, and the server can read it; session data is stored on the server, and the client cannot read it.

2. Cookies are not safe. Others can analyze the cookies stored locally and perform cookie spoofing.

3. A session is kept on the server for a certain period of time. As the number of visits increases, sessions take up a relatively large share of server resources.

4. The data stored in a single cookie cannot exceed 4 KB. Many browsers limit a site to at most 20 cookies.

5. A session stores objects, while a cookie stores strings.

6. Sessions cannot be differentiated by path: while a user is visiting a website, all session data can be accessed from anywhere on the site. If a path is set on a cookie, cookies under different paths of the same website cannot access each other.
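
Point 2 in practice, as an added Python example that is not from the original page: a value kept in a cookie is under the client's control, so the server either keeps it in the session or attaches an HMAC and rejects values whose tag does not verify. The key, the `role` cookie and the function names are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Assumption: in a real service the key comes from a secret store.
SERVER_KEY = b"constructed-demo-key"


def _tag(name, value):
    # The cookie name is part of the MAC input, so a tag issued for one
    # cookie cannot be replayed on a different cookie.
    msg = name.encode() + b"=" + value.encode()
    digest = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def seal(name, value):
    """Value to place in Set-Cookie: readable by the client, not forgeable."""
    return f"{value}.{_tag(name, value)}"


def unseal(name, cookie_value):
    """Return the original value, or None if the tag is missing or wrong."""
    value, sep, tag = cookie_value.rpartition(".")
    if not sep:
        return None
    if not hmac.compare_digest(tag.encode(), _tag(name, value).encode()):
        return None
    return value


def role_from_plain_cookie(cookies):
    # Before: the server trusts whatever string the client sent.
    return cookies.get("role", "guest")


def role_from_sealed_cookie(cookies):
    # After: an edited or unsigned value fails verification.
    raw = cookies.get("role")
    return (unseal("role", raw) if raw else None) or "guest"
```

The HMAC gives integrity only; the value is still visible to anyone who can read the cookie, so secrets belong in the server-side session.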







What are the differences between session and cookie?

The cookie mechanism keeps state on the client, while the session mechanism keeps state on the server. Because the server-side scheme also needs to store an identifier on the client, the session mechanism may need the cookie mechanism to store that identifier, but it has other options as well.

Cookie mechanism. Cookies are normally issued through an extension to the HTTP protocol: the server adds a special line to the HTTP response header that tells the browser to create the corresponding cookie. Pure client-side scripts such as JavaScript or VBScript can also create cookies. The browser sends cookies to the server automatically, in the background, according to fixed rules. It checks all stored cookies, and if the declared scope of a cookie is greater than or equal to (that is, covers) the location of the requested resource, it attaches the cookie to the HTTP request header for that resource and sends it to the server.

A cookie mainly consists of a name, a value, an expiration time, a path and a domain. The path and the domain together form the scope of the cookie. If no expiration time is set, the cookie lives for the browser session: when the browser window is closed, the cookie disappears. Such a cookie is called a session cookie. Session cookies are generally kept in memory rather than on the hard disk, although this behavior is not standardized. If an expiration time is set, the browser saves the cookie to the hard disk, and it remains valid after the browser is closed and reopened, until the preset expiration time passes. Cookies stored on the hard disk can be shared among different browser processes, such as two IE windows. Cookies kept in memory are handled differently by different browsers.
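
The scope check described above, as an added Python example that is not from the original page, following the domain-match and path-match rules of RFC 6265. The `Cookie` class, the jar contents and the host names are constructed; the example goes slightly beyond the text by distinguishing host-only cookies (set without a Domain attribute) from domain-scoped ones, which are also sent to every subdomain.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    domain: str
    path: str = "/"
    host_only: bool = True  # True when Set-Cookie carried no Domain attribute


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_match(host, cookie_domain):
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    if host == cookie_domain:
        return True
    # Suffix match only on a label boundary, and never for IP addresses.
    return host.endswith("." + cookie_domain) and not _is_ip(host)


def path_match(request_path, cookie_path):
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # "/cart" covers "/cart/items" but not "/cartoon".
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookies_for(jar, host, path):
    """Names of the cookies a browser would attach to a request."""
    sent = []
    for c in jar:
        if c.host_only:
            host_ok = host.lower() == c.domain.lower()
        else:
            host_ok = domain_match(host, c.domain)
        if host_ok and path_match(path, c.path):
            sent.append(c.name)
    return sent
```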
Session mechanism. The session mechanism is a server-side mechanism. The server uses a structure similar to a hash table (or an actual hash table) to store information.

When the program needs to create a session for a client request, the server first checks whether the request contains a session identifier (called the session id). If it does, a session has already been created for this client, and the server retrieves and uses that session by its session id (a new session is created if it cannot be retrieved). If the request does not contain a session id, the server creates a session for the client and generates a session id associated with it. The session id value should be unique, and it is returned to the client in the response to be saved.

A cookie can be used to save the session id. In this way, the browser automatically sends the id to the server according to the cookie rules during the interaction. The cookie name is generally something like SESSIONID. However, because cookies can be deliberately disabled, there must be other mechanisms so that the session id can still be passed back to the server when cookies are disabled.

A frequently used technique called URL rewriting appends the session id directly to the end of the URL path. Another technique is hidden form fields: the server automatically modifies the form and adds a hidden field so that the session id is passed back to the server when the form is submitted. For example:
<form name="testform" action="/xxx">
<input type="hidden" name="jsessionid" value="ByOK3vjFD75aPnrF7 ......

