Explanation of the difference between the cookie and the session (reproduced)

Source: Internet
Author: User

Original source: http://www.cnblogs.com/shiyangxt/archive/2008/10/07/1305506.html

This is basic knowledge, but it is worth understanding thoroughly. Let's take a brief look.

The cookie mechanism keeps state on the client, while the session mechanism keeps state on the server. The session mechanism may use the cookie mechanism to save its identifier, because a server-side scheme also needs to preserve an identifier on the client, but in fact it has other options.

Cookie mechanism. Orthodox cookie distribution is implemented by extending the HTTP protocol: the server prompts the browser to generate the appropriate cookie by adding a special line of instructions to the HTTP response header. However, purely client-side scripts such as JavaScript or VBScript can also generate cookies. Cookies are then sent to the server automatically, in the background, by the browser according to certain rules. The browser checks all stored cookies and, if a cookie declares a scope greater than or equal to the location of the resource to be requested, sends the cookie to the server in the HTTP request header for that resource. The contents of a cookie mainly include: name, value, expiration time, path and domain. The path together with the domain constitutes the scope of the cookie. If no expiration time is set, the cookie's lifetime is the browser session, and it disappears when the browser is closed. A cookie whose lifetime is the browser session is referred to as a session cookie. Session cookies are generally not stored on the hard disk but kept in memory, although this behavior is not regulated. If an expiration time is set, the browser saves the cookie to the hard disk; after the browser is closed and opened again, the cookie remains valid until the set expiration time passes. Cookies stored on the hard disk can be shared between different browser processes, such as two IE windows. For cookies stored in memory, different browsers have different ways of handling them.
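The scope rule described above (a cookie is sent when its domain and path cover the requested resource) can be made concrete. The following is an added example, not part of the original article: it follows the domain-match and path-match rules of RFC 6265, treats every cookie as having an explicit domain, and uses a constructed cookie jar and hypothetical `example.test` hosts.

```python
from urllib.parse import urlsplit

def domain_match(host, cookie_domain):
    """The request host equals the cookie domain or is a subdomain of it."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

def path_match(request_path, cookie_path):
    """The cookie path is a prefix of the request path, ending on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cookies_for(url, jar):
    """Return the Cookie header value a browser would attach to a request for url."""
    parts = urlsplit(url)
    host, path = parts.hostname, parts.path or "/"
    sent = [c for c in jar
            if domain_match(host, c["domain"]) and path_match(path, c["path"])]
    # Cookies with longer (more specific) paths are listed first.
    sent.sort(key=lambda c: -len(c["path"]))
    return "; ".join(f'{c["name"]}={c["value"]}' for c in sent)

# Constructed sample jar: name, value, domain and path as listed in the text.
JAR = [
    {"name": "theme", "value": "dark", "domain": "example.test", "path": "/"},
    {"name": "cart", "value": "42", "domain": "shop.example.test", "path": "/cart"},
]

if __name__ == "__main__":
    for url in ("http://shop.example.test/cart/items",
                "http://shop.example.test/cartoon",
                "http://badexample.test/"):
        print(url, "->", repr(cookies_for(url, JAR)))
```

The `/cartoon` and `badexample.test` cases show why the comparison has to respect the `/` and `.` boundaries: a plain string prefix or suffix test would send a cookie to a resource outside its scope.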

Session mechanism. The session mechanism is a server-side mechanism in which the server uses a hash-table-like structure (or possibly an actual hash table) to hold information. When a program needs to create a session for a client's request, the server first checks whether the request already contains a session identifier (called the session ID). If it does, a session has previously been created for this client, and the server uses the session ID to retrieve that session (if it cannot be retrieved, a new one is created). If the request does not include a session ID, the server creates a session for this client and generates a session ID associated with it. The value of the session ID should be a string that is never duplicated and is not easy to guess, and it is returned to the client in this response to be saved. The session ID can be saved in a cookie, so that the browser automatically sends it back to the server during subsequent interaction. Generally the name of this cookie is something like SESSIONID. However, cookies can be disabled by the user, so there must be other mechanisms that can still pass the session ID back to the server when cookies are disabled. A technique that is often used is called URL rewriting, which appends the session ID directly to the URL path. Another technique is hidden form fields: the server automatically modifies the form, adding a hidden field so that the session ID is passed back to the server when the form is submitted. For example:

<form name="Testform" action="/xxx">
<input type="hidden" name="Jsessionid" value="byok3vjfd75apnrf7c2hmdnv6qzcebzwowibyenlerjq99zwpbng!-145788764">
<input type="Text">
</form>

In fact, this technique can be replaced simply by applying URL rewriting to the action.
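The lookup-or-create flow described above, as an added example that is not part of the original article. The cookie name `SESSIONID`, the in-memory `SESSIONS` table and the `handle_request` function are assumptions made for illustration; the `HttpOnly` attribute is an addition the article does not mention.

```python
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "SESSIONID"   # assumed cookie name
SESSIONS = {}               # hash table: session ID -> state kept on the server

def handle_request(cookie_header):
    """Return (session_id, session_dict, set_cookie_value_or_None) for one request."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    sid = jar[COOKIE_NAME].value if COOKIE_NAME in jar else None

    # Known ID: the client already has a session, so retrieve it.
    if sid in SESSIONS:
        return sid, SESSIONS[sid], None

    # Missing or unknown ID: create a new session. The server never adopts
    # an ID the client supplied; it always generates its own random value
    # so the ID is neither duplicated nor guessable.
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {}
    out = SimpleCookie()
    out[COOKIE_NAME] = sid
    out[COOKIE_NAME]["path"] = "/"
    out[COOKIE_NAME]["httponly"] = True   # keep the ID away from page scripts
    return sid, SESSIONS[sid], out[COOKIE_NAME].OutputString()

if __name__ == "__main__":
    sid, session, set_cookie = handle_request(None)      # first visit
    session["user"] = "alice"                            # state stays server side
    print("Set-Cookie:", set_cookie)
    _, again, _ = handle_request(f"{COOKIE_NAME}={sid}")  # browser sends the ID back
    print("restored:", again)
```

Only the random identifier travels to the client; the `user` value never leaves the server, which is the property the comparison below relies on.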

The difference between a cookie and a session:

1. Cookie data is stored in the client's browser, while session data is kept on the server.

2. Cookies are not very safe: others can analyze the cookies stored locally and carry out cookie spoofing. Where security is a concern, use a session.

3. Sessions are kept on the server for a certain period of time. As traffic increases, they consume more of your server's performance. To reduce the load on the server, use cookies.

4. A single cookie cannot hold more than 4K of data, and many browsers limit a site to at most 20 cookies.

5. So, my personal advice: store important information such as login information in the session. Other information can be placed in a cookie if it needs to be retained.

Reference: http://blog.sina.com.cn/s/blog_44e5d6d10100d4ex.html
