Interaction modes and functions between cookies and set-cookies in network requests

First, we need to think about many issues.

1. When many people access a uniform network server, how does the server differentiate different users?

A: sessionid. sessionid ensures the unique communication credential number between the browser and the server. Session is saved on the server, and sessionid is saved on clients such as the browser, the server finds the corresponding user based on the sessionid sent by the browser as a unique key value. Therefore, the uniqueness of sessionid is used to distinguish and query user information, so the role of sessionid is self-evident.

2. We often say that the session will be cleared after the browser is closed. Does the session have a lifecycle?

A: Yes. This is the server configuration. When the browser is closed, the sessionid is cleared. Therefore, if you open the browser and request the service, your logon status cannot be found. Therefore, You need to log on again. Generally, if the browser does not refresh or does not send a new request, the server will cache session data for about 20 minutes.

3. Will the cookie be cached, And the sessionid be saved in the cookie. Will the sessionid be cleared?

A: Not necessarily. This requires server cookie settings. But in general, it is best not to cache sessionid for security considerations.

4. Do I need to save the sessionid when the cookie saves the user status?

A: No. Save user_id or other tokens.

5. How are cookies sent to the server?

A: The browser encapsulates HTTP request headers. However, in general network programming, such as get/HTTP/1.1 HOST: www can be added. guancha. cnconnection: Keep-alivecache-control: Max-age = 0 accept: text/html, application/XHTML + XML, application/XML; q = 0.9, image/webp, */*; q = 0.8user-AGENT: Mozilla/5.0 (Windows NT 6.1; wow64) applewebkit/537.36 (khtml, like gecko) Chrome/37.0.2062.124 Safari/537.36accept-encoding: gzip, deflate, sdchaccept-language: En-US, en; q = 0.8 COOKIE: pgv_pvi = 9956446208; token = 1; has_js = 1; token = 1414852570,1414879794, 1414884316, 1414901793; token = 1414901793

6. Is there no sessionid in the above example?

A: Yes, no. sessionid is just a substitute name. This variable name can be changed. For example, you can use PHPSESSID in PHP and JSESSIONID in Java Web.

7. There is a sessionid before login. Do you need to reset it after login?

A: Depending on the situation, if the security requirements are high, you can generate a new sessionid. In addition, you must first destroy the previous sessionid.

8. How to send sessionid to the browser after it is generated?

A: By default, the server will mount the Response Message Set-cookie to update the sessionid only in the browser. Manual updates are not required, for example, HTTP/1.x 200 OK X-powered-: PHP/5.2.1 set-COOKIE: testcookie = something from somewhere; Path =/expires: Thu, 19 Nov 2007 18:52:00 GMT cache-control: No-store, no-cache, must-revalidate, post-check = 0, pre-check = 0 Pragma: No-Cache Content-Type: text/html // If the sessionid is generated according to question 7th, this does not need to be manually sent, but can also be manually sent.

Try do it!

Interaction modes and functions between cookies and set-cookies in network requests