Web development: How does a website remember me?

The "User Login" function is essential to almost every website. It is obvious that forums and social networking websites require multi-person interaction, even if you build a small Blog system, you also need to log on to the verification system. After so long mixing on the Internet, have you ever thought about how the website identifies everyone? Why won't the website recognize Michael as Michael Lee? This is because when you successfully log on to the website, you are given a "pass". Every time you open the website, you will show your "pass", and the website will naturally recognize you.

So where is this "pass?

To identify whether the customer has logged on, enter the user name and password on the client logon page and submit the user name and password to the server. The server first finds the user name record from the database, check whether the password is consistent with the entered password. If the password is consistent, the logon is successful. After a successful logon, the server must mark the client so that you do not need to log on to the client each time during the next interaction with the server. In most cases, this tag is stored in the cookie or session variable.

1. What is a cookie?

Cookies, sometimes in the form of cookies, are the data (usually encrypted) stored on the user's local terminal for some websites to identify users and track sessions ).

"Cookie is a piece of text that the Web server saves on the user's hard disk. Cookie allows a Web site to save information on a user's computer and then retrieve it. Information fragments are stored in the form of name-valuepairs ."

Baidu encyclopedia on cookie explanation: http://baike.baidu.com/view/835.htm

2. What is session?

Session: a session is called in a computer, especially in a network application ".

Simply put, it is the number that the server sends to the client. When a WWW server is running, several users may browse the website running on this server. When a user establishes a connection with the WWW server for the first time, the user creates a session with the server, and the server automatically assigns a sessionid to the server, used to identify the unique identity of this user. This sessionid is a string randomly generated by the WWW server consisting of 24 characters ......

Baidu encyclopedia on session explanation: http://baike.baidu.com/view/25258.htm

3. Differences between cookies and sessions

The biggest difference between the two is that cookies are stored on the client. Each time the client accesses the server, it submits the cookie information of the website to the server. Session variables are always stored on the server. Cookie must be supported by the client. For example, some browsers on mobile phones do not support cookies. session must be supported by the server. session is not supported in some command-line CGI programs.

4. Cookie security issues

Cookies are stored on the client. Therefore, they can be modified to increase the risk of website attacks. Common cookie attack methods include cookie spoofing.

Explanation of cookie spoofing in Baidu Encyclopedia: http://baike.baidu.com/view/567360.htm

The article "Security classroom: Cookie spoofing attack method big secrets": http://www.cwi.gov.cn/main/viewDetail.jsp? Newsid= 74707

5. Session efficiency issues

Sessions are generally stored in the server's memory or stored as a file on the hard disk. When some websites have many online users, this increases the burden on servers. To solve this problem, generally, large websites use session extensions or object cache systems to store logon information, such as memcache.

Memcache: memcache is a high-performance distributed memory object cache system. It maintains a unified and huge hash table in the memory and can be used to store data in various formats, including image, video, file, and database retrieval results.

Soso encyclopedia on memcache interpretation: http://baike.soso.com/v7938294.htm

6. What if the client does not support cookies and the server does not support sessions?

Now, in the 21st century, it is very difficult to deal with such things. If we do, we can still find a solution. This situation is often encountered in the old version of the mobile website, the solution is to add the parameters to be stored after the URL, such as: http://m.taobao.com /? V = 0 & SID = 1b665huhg567f410419. Two Parameters V = 0 and SID = 1b665huhg567f410419 are appended to the URL, so that the server can read them from the get variable, the SID parameter can be used to differentiate the "pass" of the current logon.

 

Where is the storage now? What information should this pass contain?

What should the login information contain? different websites are different. There are two basic methods: directly store logon information and store logon session IDs. There are several common methods:

1. Store the user name and password in the cookie

This method is equivalent to automatically entering the login form. Every time you access the server, You must retrieve the username and password from the cookie and verify the password in the database. Because the user name and password are directly stored in the cookie, it is easy to leak.

2. Store the login information (such as the user's permission description) in the cookie or session

This method saves you the need to query the database every time, but the information is stored in the cookie. When you perform some important operations but do not re-verify the login password, users may modify cookie information to illegally escalate permissions.

3. encrypt the user name, password, or login information and store it in the cookie.

This method is much safer than the first two methods, and its security mainly depends on the encryption algorithm itself.

4. Only one login session ID is stored.

This method is generally used in conjunction with other high-speed cache systems. For example, in memcache, the logon session ID is used as a key in memcache to access more logon information. Memcache generally runs on an independent server.

So far, you should understand how the website recognizes you?