Session-Cookie related knowledge

Source: Internet
Author: User
Tags sha1

In fact, I wrote this summary more than a year ago. It is fairly basic, but I sometimes forget the details and have to look them up, so I keep a backup here.
Sessions and cookies are the most common elements in B/S (browser/server) applications. Apart from mobile phones that only support WAP 1.0, few clients lack cookie support, so the session ID is carried on the URL only when cookies are unavailable or the client has disabled them; in practice, cookies are rarely disabled manually. Below is a brief introduction to the differences between them, with the concrete configuration shown for the .NET environment; other languages follow the same idea.
First a brief introduction to the HTTP protocol, sessions and cookies, followed by a short summary of their differences:
HTTP protocol:
HTTP is stateless: the server cannot actively connect to the client, it can only wait passively for client requests and reply to them, and nothing in the protocol records the state of the client's previous request (request header | response header).
Session:
Principle of the Session object: the server creates and maintains a session object for each client in which that client's data is stored. When the session object is created, the server generates a unique ID for it.
Server-side storage method (mode):
Off: session state is disabled.
InProc: sessions are stored in the worker process. This is the default and has the best performance.
StateServer: sessions are stored in a separate state service, normally the aspnet_state.exe process, at a performance cost of 10-15%.
SQLServer: sessions are stored in SQL Server, at a performance cost of 10-20%.
Custom: a custom storage solution; the cost depends on the implementation.
The following describes how to configure StateServer and SQLServer.
StateServer:
1. Start the ASP.NET State Service (its startup type is Manual by default; change it to Automatic and start it).
2. Modify the registry key [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aspnet_state\Parameters]:
Set AllowRemoteConnection = 1 and Port = 42424 (decimal; 42424 is the default).
Port is the service port number.
AllowRemoteConnection indicates whether connections from other machines are allowed: 0 means only the local machine can connect, 1 means other machines can connect as well.
For example:
<sessionState timeout="30" cookieless="AutoDetect" stateConnectionString="tcpip=127.0.0.1:42424" mode="StateServer"/>
That is all that is needed.
SQLServer: in SQLServer mode the session store is set up in SQL Server. For ASP.NET 1.0 and 1.1 use method A; for ASP.NET 2.0 use method B.
A. Create the session database using an SQL script
In ASP.NET 1.0 and 1.1 this is the only available method; ASP.NET 2.0 can also use the aspnet_regsql.exe tool, although this method still works for 2.0 as well.
.NET ships the database installation scripts, which can be found in the Windows folder of the machine:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallSqlState.sql
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallSqlStateTemplate.sql
Depending on the ASP.NET version you need a different SQL script. ASP.NET mainly has two versions, 1.1 and 2.0, and the scripts can be found in the respective version folders.
InstallSqlState.sql creates a database with the default name [ASPState]. This script can be run as-is.
InstallSqlStateTemplate.sql stores the data in a database whose name you choose. The script must be modified before running: open the file and replace [DatabaseNamePlaceHolder] with the name of your database.
You do not need to select a database when running InstallSqlState.sql; it can be executed from any database, because the script creates the new database itself.
B. Use the aspnet_regsql.exe tool.
From ASP.NET 2.0 onwards, the aspnet_regsql.exe tool makes configuring the session database easy. The tool is located in the "system root\Microsoft.NET\Framework\version" folder on the web server.
Examples:
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe -ssadd -E
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe -S . -U sa -P liusen -ssadd -sstype p (this form can also target a remote server)
For example, with a custom database:
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727>aspnet_regsql.exe -S . -U sa -P liusen -ssadd -sstype c -d Chens (custom database)
 
-S parameter:
The database instance name. "." denotes the local machine.
-U and -P parameters:
The user name and password.
-E parameter:
Choose either -U -P or -E. -E means the current Windows user logs on to the database through Windows authentication; -U -P means a SQL Server user logs on to the database.
-ssadd / -ssremove parameters:
-ssadd adds the session database; -ssremove removes it.
-sstype parameter: t stores session data in the SQL Server tempdb database. This is the default; session data stored in tempdb is lost when SQL Server is restarted. p stores session data in the ASPState database instead of tempdb, so it persists. c stores session data in a custom database; when c is specified, the -d option must also be given with the name of the custom database.
Note: in SQLServer mode, expired sessions are removed by a SQL Server Agent job registered during installation. Make sure the SQL Server Agent is running; otherwise expired session data is never cleared and the database grows without bound.
Looking at the HTTP request data, the session ID is stored on the client as an HttpOnly cookie by default.

Cookie:
A cookie is a short piece of text that travels with user requests and pages between the web server and the browser. Most browsers support cookies of up to 4096 bytes. Most browsers only allow 20 cookies per site (IE6); Firefox and IE7 can store more than 20.
The following <machineKey> attributes control how cookies and view state are encrypted and validated:
1. decryption: specifies the data decryption algorithm. The value can be Auto, AES or 3DES. With Auto, the algorithm is determined by the ASP.NET default configuration; this is the default value. With AES, the AES algorithm is used, and AES is the default decryption algorithm. With 3DES, the 3DES algorithm is used.
2. validation: specifies the algorithm used for data validation. The value can be AES, MD5, SHA1 or TripleDES. The default is SHA1.
3. decryptionKey: specifies the key used to encrypt and decrypt data, or how that key is generated. If validation is TripleDES, this key is used to encrypt and decrypt forms authentication tickets and to encrypt view state. The value can be AutoGenerate or an explicit value. With AutoGenerate, ASP.NET generates a random key and stores it in the LSA; this is the default. With an explicit value, the key must be a hexadecimal string: 16 hex digits when DES is used, 48 hex digits when 3DES is used, and 3DES is only available when 128-bit encryption is supported. The IsolateApps modifier can also be appended to the decryptionKey value, which makes ASP.NET derive a unique key for each application's ID. The default for this attribute is "AutoGenerate,IsolateApps".
4. validationKey: specifies the key used for data validation.
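As an added example that is not part of the original article, the web.config fragment below ties together the SQLServer session mode set up above with aspnet_regsql and the <machineKey> attributes just listed. The database name Chens comes from the page; the key values are placeholders that must be replaced with your own random hex strings, and the hardened cookie settings are the editor's choice, not the page's.

```xml
<configuration>
  <system.web>
    <!-- SQLServer mode against the custom database "Chens" created earlier with
         "aspnet_regsql.exe -ssadd -sstype c -d Chens". Integrated Security
         corresponds to the -E option, so no sa password is stored in this file.
         allowCustomSqlDatabase="true" is required when Initial Catalog is set. -->
    <sessionState mode="SqlServer"
                  sqlConnectionString="Data Source=.;Initial Catalog=Chens;Integrated Security=True"
                  allowCustomSqlDatabase="true"
                  cookieless="UseCookies"
                  timeout="30" />
    <!-- cookieless="UseCookies" avoids AutoDetect's fallback of carrying the
         session ID in the URL, where it ends up in logs, history and Referer
         headers. Below, every cookie is marked HttpOnly (the session cookie
         already is by default) and is only sent over HTTPS. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <!-- Fixed keys instead of AutoGenerate, so that every server sharing the
         session store validates and decrypts the same cookies and view state.
         The values are placeholders (assumption): generate random hex strings,
         e.g. 128 hex chars for the SHA1 validationKey and 64 for an AES
         decryptionKey, and keep them out of source control. -->
    <machineKey validation="SHA1"
                decryption="AES"
                validationKey="PLACEHOLDER-REPLACE-WITH-128-RANDOM-HEX-CHARS"
                decryptionKey="PLACEHOLDER-REPLACE-WITH-64-RANDOM-HEX-CHARS" />
  </system.web>
</configuration>
```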
For third-party cookies, such as those set by an IFRAME embedded from another domain, IE may block the cookies set by the child page, so they cannot be read when the page is loaded inside the parent page. The IFRAME page needs to send a P3P header:
HttpContext.Current.Response.AddHeader("p3p", "CP=CAO PSA OUR");

Differences:
1. A session can exist on the client in the form of a cookie, or the session ID can be transmitted in the URL. In cookie form it is an HttpOnly cookie that holds only an ID on the client; only the associated server knows the actual values behind it.
2. A cookie is a small piece of text transmitted between the client and the server. It carries the meaningful value itself, so the server does not need to store a corresponding value for each cookie.