Interpreting the chaotic concepts of cookies and sessions

A few days ago, some basic Web concepts and professional arrearage have been discussed for a long time, and the session issue has been discussed for the longest time, there are some minor disputes regarding their different understandings of session terms and concepts. We both know what it is, but there is a way to express it clearly, and finally a settlement can be reached after a big bend, the concepts of nouns are different from each other, so I decided to give the concept of multi-Definition of the evil session to the popular science:

 

First, the http protocol was originally designed as a stateless protocol. In other words, the stateless protocol is connected once a packet is sent back. Later, the http 1.1 protocol supports persistent connections, but in essence it is still stateless. html5 websocket is designed to solve this drawback ~

 

Because http is a stateless protocol and the user status cannot be saved, the "session mechanism" is implemented to allow the server to save the user status.

 

Generally, the scripting language supports the "session mechanism", such as the PHP program Configuration:

Set php. iniSession. use_trans_sid = 1, PHP automatically transmits the session id in the URL

Set php. iniSession. use_cookies = 1, Use cookie to save the session id on the client

 

The default session validity period in PHP is 1440 seconds (24 minutes). That is to say, if the client fails to pass the session id over 24 minutes, the server will destroy the session, the underlying layer is actually a session file on the server.

 

At this point, if we understand this, we can clarify the concept of session:

Many people describe session and cookie as two things, which are extremely irresponsible.

Session and cookie are actually two things in nature, but cookies are also the carrier of session IDs. session and cookie are put together. A cookie containing session IDs should be called session cookies. Like session URLs and session cookies, they are only two different implementation methods in the "session mechanism.

 

When sending a cookie, the client can be divided into memory cookies and local cookies. the browser uses the expires field of the cookie to determine the effective time of the cookie stored locally. If the expires field is not set, the memory cookie is used, when the browser process is terminated, the process disappears. The deletion of a cookie on the client does not affect the session on the server. The session on the server is automatically destroyed after the validity period.

 

Session also has another translation term called "session", which refers to the association between multiple clients and different requests, simply put, the HTTP Protocol relies on the session mechanism to determine the status of the client. The active example is that the same account logs in two places, and someone changes the password of this account in one place, in another place, you can send Weibo posts. For web application identity authentication, you only recognize sessions and cannot know that you have changed your password.

 

Now, various web programs have implemented the "session mechanism" by themselves, such as the discuz program. I mentioned in my previous blog "discuz sessoin hijack tips" based on HASH, UID and UCKEY are used to forge a session. In fact, the difference in understanding and incorrect expression of sessoin terms are shown here:

1. The sessoin of discuz is not a traditional sessoin, but a token. It only simulates user identity authentication by referring to the "session mechanism.

2. This is not called hijack (Hijacking). It is a thorough forgery of a new token, and discuz stores the token in the database mode.

 

Finally, we will discuss the technology in the future based on the lessons learned by my brother in arrears. We should never use separate nouns to discuss general things. Because of the word of a session, it can express multiple meanings:

Session Mechanism

ServerSessionFile

Session id

Session url

Session cookie

Session

Simulate the token of the "session mechanism"

 

Ps:

According to redzl's comments, I modified this article. session and cookie are essentially two things, but the concept is actually vague. The word session contains too many meanings, so the topic of this article is just to break down the meaning of sessions.

 

From: RAyh4c Black Box