In-depth analysis and understanding of the role of session and cookie-PHP source code

Source: Internet
Author: User
We use sessions and cookies all the time in web development, but how well do you understand them? Today we take an in-depth look at what each one does and how the two work together.


In the history of Web development, sessions and cookies have both been invaluable: their original purpose is to remember a user's browsing state on a website. Short of some other alternative, almost every website depends on them.

Why?

The HTTP protocol is stateless: by itself the server cannot tell who is requesting a page. To keep track of a user's state on a site, such as a login or a shopping cart, four techniques emerged in turn: hidden form fields, URL rewriting, cookies, and sessions.

Cookie

To work around HTTP's lack of state, Lou Montulli, then an employee of Netscape Communications, applied the older idea of "magic cookies" to Web communication in 1994. He was trying to build the first shopping-cart application on the Web; today the shopping cart is a pillar of every shopping site. His original specification provides the basic description of how cookies work. That document was later incorporated into RFC 2109, which most browsers used as their implementation reference, and subsequently into RFC 2965. Montulli was also granted a U.S. patent for cookies. Netscape supported cookies from its very first version, and today every Web browser supports them.

What is a cookie

A cookie is a small piece of text that the browser stores on the user's computer to hold the information a website needs about that user. The web page or server tells the browser, in a fixed format, what to store; in every later request to that site the browser automatically adds the information to the HTTP request headers, and the server uses it to tell users apart. Cookies also have security options of their own.

How to create a cookie

The Web server creates a cookie by sending an HTTP response header called Set-Cookie. The Set-Cookie header is a string in the following format (the parts in brackets are optional):

Set-Cookie: value[; expires=date][; domain=domain][; path=path][; secure]

Value

The value is usually a string in name=value form. The original specification requires this form, but browsers do not verify it: a string without an equals sign is stored just the same. In practice, name=value is the form almost everyone uses, and most programming interfaces support only that form.

The cookie sent back to the server contains only the value that was set, none of the other options. The browser does not change the cookie in any way; it sends it back exactly as it was received. When several cookies apply, they are separated by a semicolon and a space:

Cookie: name=value; name1=value1; name2=value2

Cookie expiration time

If no expiration time is set, the cookie is destroyed when the browser session ends; this is called a session cookie. To turn a session cookie into a persistent cookie, simply set an expiration time. The value of this option is a date in the format Wdy, DD-Mon-YYYY HH:MM:SS GMT. Note that the expiration date belongs to the cookie identified by the combination name-domain-path-secure; to change a cookie's expiration date you must specify that same combination again.

A persistent cookie cannot be changed back into a session cookie except by deleting it and creating it again.

Domain option

The domain option sets the cookie's domain: only HTTP requests sent to that domain carry the cookie. By default the domain is the domain name of the page that created the cookie.

Large websites such as Yahoo! have many sites of the form name.yahoo.com (for example my.yahoo.com and finance.yahoo.com). Setting a cookie's domain option to yahoo.com sends the cookie to all of them. The browser compares the domain value with the requested host name from the end (that is, starting from the end of the string) and sends the matching cookies to the server.

Path option

The path option works like the domain option: only HTTP requests whose path contains the specified path carry the cookie. The comparison checks the path option against the requested URL character by character from the beginning; if the characters match, the Cookie header is sent. For example:

Set-Cookie: name=value; path=/blog

means that every HTTP request whose path starts with /blog carries the cookie.

Secure option

This option is a flag with no value. A cookie carrying the secure option is sent to the server only when the request is made over SSL/HTTPS; the content of such a cookie is valuable and could be tampered with if it were transmitted in plain text.

In fact, confidential or sensitive information should never be stored in or transmitted via cookies at all, because the cookie mechanism is inherently insecure. By default the secure option is added automatically to cookies set over an HTTPS connection.

HttpOnly

The HttpOnly flag means the browser will not expose the cookie through JavaScript's document.cookie property. It exists as a security measure to stop cross-site scripting (XSS) attacks, which run injected JavaScript, from stealing cookies.

Operating on cookies from JavaScript

JavaScript's document.cookie property lets you create, read, and delete cookies. When writing, the property behaves like the Set-Cookie header; when reading, it behaves like the Cookie header.
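The following cookie jar is an added example, not code from the original article, written in JavaScript for Node.js. It applies the rules described in the sections above: it parses a Set-Cookie header into name, value, expires, domain, path, secure and HttpOnly; stores cookies under the name-domain-path identity so that a repeated Set-Cookie with the same combination replaces the earlier one; picks the cookies to send for a request by matching the domain from the end and the path from the beginning; withholds secure cookies on plain HTTP; drops expired persistent cookies; and hides HttpOnly cookies from the view that document.cookie would give a script. The class and function names, the yahoo.com-style hostnames and the sample header values are constructed for the example, and the path comparison is the plain prefix check the article describes rather than the full RFC 6265 rule.

```javascript
// Added example (not from the original article): a minimal cookie jar that
// applies the Set-Cookie rules explained above. All names are constructed.

// Parse one Set-Cookie header value into a cookie record.
function parseSetCookie(header, requestUrl) {
  const url = new URL(requestUrl);
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  const cookie = {
    // The spec says name=value, but a bare value is stored as well.
    name: eq >= 0 ? parts[0].slice(0, eq) : '',
    value: eq >= 0 ? parts[0].slice(eq + 1) : parts[0],
    domain: url.hostname.toLowerCase(), // default: the host that set it
    path: '/',                          // simplified default path
    expires: null,                      // null = session cookie
    secure: false,
    httpOnly: false,
  };
  for (const attr of parts.slice(1)) {
    const [key, ...rest] = attr.split('=');
    const name = key.trim().toLowerCase();
    const val = rest.join('=').trim();
    // Netscape "DD-Mon-YYYY" dates are accepted by turning hyphens into spaces.
    if (name === 'expires') cookie.expires = new Date(val.replace(/-/g, ' '));
    else if (name === 'domain') cookie.domain = val.replace(/^\./, '').toLowerCase();
    else if (name === 'path') cookie.path = val;
    else if (name === 'secure') cookie.secure = true;
    else if (name === 'httponly') cookie.httpOnly = true;
  }
  return cookie;
}

class CookieJar {
  constructor() {
    this.cookies = new Map();
  }

  // Store or replace: a cookie's identity is name + domain + path, so a
  // Set-Cookie with the same combination overwrites the earlier one.
  setCookie(header, requestUrl) {
    const c = parseSetCookie(header, requestUrl);
    this.cookies.set(`${c.name}|${c.domain}|${c.path}`, c);
    return c;
  }

  // Cookies to attach to a request: domain matched from the end, path matched
  // from the beginning, secure cookies only over https, expired ones removed.
  cookiesFor(requestUrl, now = new Date()) {
    const url = new URL(requestUrl);
    const host = url.hostname.toLowerCase();
    const out = [];
    for (const [key, c] of this.cookies) {
      if (c.expires && c.expires <= now) {
        this.cookies.delete(key); // persistent cookie past its expiry date
        continue;
      }
      const domainOk = host === c.domain || host.endsWith('.' + c.domain);
      const pathOk = url.pathname.startsWith(c.path);
      const secureOk = !c.secure || url.protocol === 'https:';
      if (domainOk && pathOk && secureOk) out.push(c);
    }
    return out;
  }

  // The Cookie request header carries only name=value pairs, "; " separated.
  cookieHeader(requestUrl, now = new Date()) {
    return this.cookiesFor(requestUrl, now)
      .map((c) => (c.name ? `${c.name}=${c.value}` : c.value))
      .join('; ');
  }

  // What document.cookie would show a script: HttpOnly cookies are hidden.
  scriptVisible(requestUrl, now = new Date()) {
    return this.cookiesFor(requestUrl, now)
      .filter((c) => !c.httpOnly)
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// Walk through the article's yahoo.com scenario with constructed headers.
function cookieDemo() {
  const jar = new CookieJar();
  jar.setCookie('sid=abc123; domain=yahoo.com; path=/; Secure; HttpOnly',
    'https://my.yahoo.com/');
  jar.setCookie('theme=dark; domain=yahoo.com; path=/blog',
    'http://my.yahoo.com/blog/index.html');
  jar.setCookie('old=1; expires=Thu, 01-Jan-2015 00:00:00 GMT',
    'http://my.yahoo.com/');
  return {
    https: jar.cookieHeader('https://finance.yahoo.com/blog/post'),
    http: jar.cookieHeader('http://finance.yahoo.com/blog/post'),
    root: jar.cookieHeader('https://my.yahoo.com/'),
    other: jar.cookieHeader('https://example.com/blog/'),
    script: jar.scriptVisible('https://finance.yahoo.com/blog/post'),
    stored: jar.cookies.size, // the expired cookie has been dropped
  };
}

console.log(cookieDemo());
```

Running the script prints the five headers for the scenario: the HTTPS request to finance.yahoo.com under /blog gets both cookies, the same request over plain HTTP loses the secure one, the site root gets only the path=/ cookie, an unrelated host gets nothing, and the script-visible view omits the HttpOnly cookie. The expired cookie disappears from the jar the first time it is considered, which is the deletion rule for persistent cookies.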

Deleting cookies

A session cookie is deleted when the session ends (the browser is closed).
A persistent cookie is deleted when its expiration date is reached.
If the browser has reached its cookie limit, existing cookies are deleted to make room for new ones.

Session

A session serves almost the same purpose as a cookie: it too solves the problem that HTTP cannot keep state. The difference is that the session is stored only on the server and is never transmitted over the network, which makes it safer than a cookie. A session nevertheless depends on cookies. When a user visits the website, the server generates a unique session_id for that user and sends it to the client as a cookie; every later request from the client automatically carries that cookie (provided the browser supports cookies and has not disabled them).

The following figure shows how the session works:


Using a session when cookies are disabled

In some cases the browser disables cookies for security reasons. The session_id can then be sent to the server as a request parameter instead, and the session works as usual.

Deleting a session

A session expires automatically after it ends. To delete a session explicitly you program it on the server side; in PHP this is done with:

$_SESSION = array();   // clear the session data
session_destroy();     // destroy the session itself
