Differentiation and understanding of sessions and cookies

Tags: servervariables, microsoft, iis

Session first

The debate about SESSION never seems to end, although the number of people who can really understand SESSION should be more than 90. Let's talk about it anyway; don't laugh at me for rehashing an old topic.

Some people are in favor of SESSION, others are against it. But what is the real problem? Let me say what I think. If I get something wrong, please don't throw things at me, unless they are gold bars or coins.

Some of you will know that I am a programmer, and programmers care about efficiency. But here we will not talk about design; we will look at SESSION from a few practical angles.

First, what is a SESSION? A SESSION stores information for one user's Internet Explorer process, including any window opened from the current window. Why is that? Let's look at how a SESSION is started. When you open IE and browse to the website, IE sends a request that asks for a SESSIONID and declares which kinds of content it is willing to download: images, video, sound, and FLASH.
Actual data transmitted, IE to the server:

GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: www.jh521.com
Connection: Keep-Alive
The server returns a SESSIONID that is not currently in use, and IE stores that SESSIONID.

At the same time the data for the requested page is returned, as follows. Server to IE:

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 30 Nov 2003 16:41:51 GMT
Content-Length: 21174
Content-Type: text/html
Set-Cookie: ASPSESSIONIDCACBBBRT=IBOMFONAOJFEEBHBPIENJFFC; path=/
Cache-control: private
Then comes the page's HTML. From this point the SESSIONID of this IE process (not of the client machine) is IBOMFONAOJFEEBHBPIENJFFC. Whenever IE accesses any ASP program on this site, it sends IBOMFONAOJFEEBHBPIENJFFC to the server; the server knows that IBOMFONAOJFEEBHBPIENJFFC means you, and an assignment such as Session("name") = "name" is stored on the server as Session("IBOMFONAOJFEEBHBPIENJFFC")("name") = "name"
or
Session(SESSIONID)("name") = "name"
This is how sessions are kept separate per user.
When the server issues an ID, it checks whether that ID is already in use; if it is,
the server will not hand it out again. If you want to impersonate someone by using their session ID, that is possible, but only if you can capture what the other party's IE transmits and the SESSIONID has not yet been invalidated at that moment.
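To make the exchange above concrete, here is an added example (my own Python, not code from the original post and not how IIS itself is implemented) of the server side: a store keyed by SESSIONID, a uniqueness check when issuing an ID, and the Set-Cookie / Cookie round trip. The cookie name is taken from the captured response above; the session store, the request dictionaries, and the hex ID format are constructed for the example. It also shows the defensive counterpart of the impersonation point: an ID the server never issued is not honoured, and a fresh one is assigned instead.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed server-side session store: SESSIONID -> {variable: value},
# i.e. the Session(SESSIONID)("name") picture from the text.
SESSIONS = {}
COOKIE_NAME = "ASPSESSIONIDCACBBBRT"  # name taken from the captured Set-Cookie above


def new_session_id():
    """Issue an ID that is not already in use (the server's uniqueness check)."""
    while True:
        sid = secrets.token_hex(16)  # 128 random bits; assumed format, not the IIS one
        if sid not in SESSIONS:
            SESSIONS[sid] = {}
            return sid


def session_id_from_headers(headers):
    """Extract the SESSIONID that IE sends back, or None on the very first request."""
    raw = headers.get("Cookie")
    if not raw:
        return None
    jar = SimpleCookie()
    jar.load(raw)
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel else None


def handle_request(headers):
    """Return (session_id, response_headers) for one request.

    No cookie            -> issue a fresh ID and send it with Set-Cookie.
    Known cookie         -> reuse that session, no Set-Cookie needed.
    Unknown/forged cookie-> never trust it; issue a fresh ID instead.
    """
    sid = session_id_from_headers(headers)
    response = {"Content-Type": "text/html", "Cache-control": "private"}
    if sid is None or sid not in SESSIONS:
        sid = new_session_id()
        response["Set-Cookie"] = f"{COOKIE_NAME}={sid}; path=/"
    return sid, response


def set_var(sid, name, value):
    """Equivalent of Session("name") = value for the session identified by sid."""
    SESSIONS[sid][name] = value


def get_var(sid, name):
    """Equivalent of reading Session("name") for the session identified by sid."""
    return SESSIONS[sid].get(name)
```

The lookup depends on nothing but the ID the client presents, which is exactly why the text says the ID "means you": whoever presents it gets the session. That is the reason the ID must be long and random, and why it should be dropped on the server side (timeout or logout) rather than left valid indefinitely.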

But if I can capture that traffic anyway, I could just as well read NAME and PASS out of the POST, so why bother. By now some of you must understand how the SESSIONID works, so let's look at COOKIE. Some people say the SESSIONID is a COOKIE. Technically they are not the same thing, but they share a working mode in which client and server pass private data back and forth. When the server sets a COOKIE it sends a command to IE; IE creates and stores the cookie from that network command and returns the information at specific times, namely when accessing this site while the COOKIE is still valid.

So why use a COOKIE rather than a SESSION?
Look at the differences.

Lifetime, storage location, and what is transmitted:
A COOKIE's lifetime can be set, and its contents are kept locally on the client in plaintext.

A SESSION lasts only as long as IE has not been closed and the server has not timed it out; the client keeps only the SESSIONID.

If you want users not to have to enter their user name and password again on their next visit, only a COOKIE will do,

because it can be kept for a long time (until the COOKIE record is deleted or its expiration date passes).

A SESSION cannot do this. It is not kept for long, and IE clears its SESSIONID record automatically once it is closed.

A new SESSIONID is requested on the next visit.

When the server wants to verify the user's status from the user's personal variables, it cannot use a COOKIE.

If the cookie records the user's permission level as USER, that plaintext USER is transmitted to the server on every IE request.

So what if I edit the COOKIE record directly and change USER to ADMIN?

That is the trouble.

Still, a COOKIE is the best way to store things like the user name and password, or the site's color scheme.
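The USER-to-ADMIN edit described above is worth seeing side by side with the check that stops it. The following is an added example in Python (mine, not the post's code; the original environment is Classic ASP on IIS) that contrasts a plaintext role cookie, which the server simply believes, with the same payload carrying an HMAC tag under a server-only key. The cookie layout, the field names and the key are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server-only key. In a real deployment it is generated once,
# stored outside the code, and never sent to the client.
SERVER_KEY = secrets.token_bytes(32)


def make_plain_cookie(user, role):
    """The pattern the text warns about: values stored in the cookie as plaintext."""
    return f"user={user}; role={role}"


def read_plain_cookie(cookie):
    """Naive server side: whatever the cookie says, the server believes."""
    fields = dict(part.strip().split("=", 1) for part in cookie.split(";"))
    return fields["user"], fields["role"]


def make_signed_cookie(user, role):
    """Same payload, but with an HMAC-SHA256 tag computed under SERVER_KEY."""
    payload = f"{user}:{role}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"auth={payload}|{tag}"


def read_signed_cookie(cookie):
    """Return (user, role) only if the tag matches; None if the cookie was altered."""
    _, _, value = cookie.partition("=")
    payload, _, tag = value.rpartition("|")
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte
    if not hmac.compare_digest(tag, expected):
        return None
    user, _, role = payload.partition(":")
    return user, role
```

The post's own answer to this problem is the better one: keep the status variable in the SESSION, where only the SESSIONID leaves the server. The signature is the fallback when a value genuinely has to live in the cookie. A signature stops tampering but not reading: the payload is still plaintext on the client, so a password should not be placed in it even when signed.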


Okay, I'm tired. That's all on that topic.
Request.ServerVariables("HTTP_REFERER")

I know that some people use Request.ServerVariables("HTTP_REFERER")
to implement key restrictions, especially against remote submission and illegal intrusion.
So let me remind you: the HTTP_REFERER information the server receives is sent entirely by IE, and it can be faked.
Moreover, it is not hard; in under half an hour you can write a VB program that forges HTTP_REFERER.
(Unfortunately I never did anything serious with it; I only used it for a cheat program for a web game.)
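The point above is that HTTP_REFERER is a client-chosen header, so a check on it tells the server nothing about where a POST really came from. The following added example (my Python, not the post's code; the original environment is Classic ASP) puts the Referer check next to the check that actually holds: a random token that the server stores in the user's session and embeds in the form it renders, so a submission is accepted only if it carries the token belonging to that session. The site URL is the host from the captured request; the token store, the header and form dictionaries are constructed for the example.

```python
import secrets

SITE = "http://www.jh521.com/"  # host taken from the captured request above

# Constructed per-session token store: SESSIONID -> token issued with the last form
FORM_TOKENS = {}


def referer_check(headers):
    """The check the text warns about: it only inspects a header the client chose to send.

    Any program that builds its own HTTP request can fill in this header, so
    passing the check is not evidence that the request came from the site's form.
    """
    return headers.get("Referer", "").startswith(SITE)


def issue_form_token(session_id):
    """Called when the server renders the form: store a fresh random token in the
    session and return it so the form can carry it as a hidden field."""
    token = secrets.token_urlsafe(24)
    FORM_TOKENS[session_id] = token
    return token


def token_check(session_id, form_fields):
    """Accept the POST only if it carries the token that this session was issued.

    The token never appears in a header the client controls by default; the
    submitter must have received the form through this very session.
    """
    expected = FORM_TOKENS.get(session_id)
    submitted = form_fields.get("token", "")
    return expected is not None and secrets.compare_digest(submitted, expected)


def invalidate_form_token(session_id):
    """Drop the token after a successful POST so it cannot be replayed."""
    FORM_TOKENS.pop(session_id, None)
```

The Referer check can stay as a cheap first filter for accidental cross-site posts, but the decision to accept a submission should rest on the session-bound token, and the token should be discarded once it has been used.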
