Introduction to the cookie and session in HTTP

Source: Internet
Author: User

First, a brief outline of how a complete round trip works in a B/S (browser/server) system. The client's browser sends a request; the web server receives it, runs the page the request names, and sends the result back to the browser, which displays it. Only the browser sends requests; the web server merely responds to them and never pushes information to the client on its own, because it has no way of knowing which information to send to whom. The server is like a shy girl who only speaks when spoken to. The interaction between browser and web server is transient: the connection ends as soon as the response is complete. In other words, the web server does not care which browser sent a request; as long as the request is well formed and meets its requirements, it responds.

The paragraph above matters because HTTP is a stateless protocol: it cannot keep state information on behalf of a browser. Remember, then, that a page runs only when a browser requests it, that requests for the same page from different clients are executed independently and have nothing to do with one another, and that requests for different pages from the same browser are also executed independently. Because the web server cannot tell that two requests came from the same browser, information cannot be shared between pages.

HTTP's statelessness causes a lot of trouble when building systems, since most systems have a notion of a user. Cookie and session technology were introduced to solve this problem.

Let's use an example to describe the difference between the cookie and session mechanisms and how they relate. Suppose a coffee shop runs a promotion: buy five cups and get one free. Few customers buy five cups at once, so the shop needs some way to record each customer's purchases. There are several options:
(1) The clerk has an excellent memory and remembers every customer's purchase count, so the moment a customer walks in, the clerk knows how to treat them. This corresponds to a protocol that supports state itself.
(2) The shop issues each customer a card on which the purchases are recorded, usually with an expiry date. If the customer presents the card at each purchase, that purchase is linked to the earlier and later ones. This is keeping state on the client.
(3) The shop issues each customer a membership card that records nothing but a card number. At each purchase, if the customer presents the card, the clerk looks up the record for that card number in the shop's ledger and adds the purchase to it. This is keeping state on the server side.
Since HTTP is stateless, and for various reasons is not going to become stateful, the latter two scenarios are the realistic choices. Specifically, the cookie mechanism keeps state on the client, while the session mechanism keeps state on the server side. Note that the session mechanism may use the cookie mechanism to store its identifier, because the server-side scheme still needs to keep an identifier on the client, but it has other options as well.

I. Introduction to Cookies

A cookie is a technique for storing data on the client's hard disk: a mechanism that stores data in the remote browser and uses it to track and identify users. When the browser sends a request to the web server, it first sends the information stored in the cookie, so the web server can judge the requester's status from that data.

Although cookies bring us many conveniences, they have some drawbacks:

First, cookies are stored on the client's hard disk, and the client sends the cookie with every request. If the cookie holds a lot of data, sending it each time increases the volume of data transmitted over the network and the page's response time, which lowers the server's efficiency. Session technology is a good solution to this problem;

Second, security is low. Cookies are stored as text on the local hard disk, and the data in them is easy to read out. If, for example, the user name and password are stored in a cookie, anyone who can use the client computer can easily get into the system;

Third, some users disable cookies in their browser for security reasons, and a system that relies on the cookie mechanism is then unavailable to them.

Fourth, the IE browser's caching mechanism is imperfect.

II. Introduction to Sessions

The two major drawbacks of cookies are that transmitting them consumes network resources and that they are easy to crack locally. The session makes up for both: session data is saved on the server side, so it is more secure and faster. Combining the session with the cookie, using the cookie only to identify the user and the session to hold the data, lets us write a more efficient system.

How the session works in PHP:

(1) When a session is first enabled, a unique identifier is stored in a cookie on the client.

(2) First, session_start() is called, and PHP loads the stored session variables from the session repository.

(3) While the PHP script executes, session variables are registered with session_register().

(4) When the PHP script finishes, any session variables that have not been destroyed are automatically saved in the session repository under a local path, which is specified by session.save_path in php.ini, and are loaded again the next time a page is visited.
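As an added example that is not part of the original article, the following PHP 7.3+ script puts the two schemes side by side: the "punch card" (a cookie that carries the data itself, from the cookie section above) and the "membership card" (a session whose cookie carries only an opaque ID, following steps (1) to (4)). The cookie name `visits` and the user name `alice` are constructed values; session_register() was removed in PHP 5.4, so the script assigns to `$_SESSION` instead.

```php
<?php
// Added example (not from the original article): keeping state on the client
// versus on the server, in a PHP 7.3+ web script.

// Scheme 1: state kept on the client in a cookie (the "punch card").
// Everything in the cookie travels with every request and can be read and
// edited by whoever holds the browser, so only non-sensitive data belongs here.
function remember_visit_count_in_cookie(): int
{
    $count = isset($_COOKIE['visits']) ? (int) $_COOKIE['visits'] : 0;
    $count++;
    // 30-day expiry; HttpOnly hides it from page scripts, Secure limits it to HTTPS.
    setcookie('visits', (string) $count, [
        'expires'  => time() + 30 * 24 * 3600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    return $count;
}

// Scheme 2: state kept on the server in a session (the "membership card").
// The cookie carries only the session ID; the data lives in the session
// repository configured by session.save_path.
function remember_login_in_session(string $user): void
{
    // Harden the session before session_start() issues the cookie.
    ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued
    ini_set('session.use_only_cookies', '1');  // never take the ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,        // lives until the browser is closed
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    // Steps (1) and (2): create or resume the session. PHP reads the ID from the
    // PHPSESSID cookie and loads the stored variables into $_SESSION.
    session_start();
    // Step (3): register a variable (modern replacement for session_register()).
    $_SESSION['user'] = $user;
    // A fresh ID after login stops an attacker-planted ID from being reused.
    session_regenerate_id(true);
    // Step (4): when the script ends, PHP writes $_SESSION back to the repository.
}

remember_visit_count_in_cookie();
remember_login_in_session('alice'); // 'alice' is a constructed example value
```

Only the opaque session ID reaches the client in the second scheme, so a stolen copy of the client's cookie file reveals the visit counter but not the user's data.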

Disadvantages of the session:

First, data access efficiency is low. The session stores data as a text file on the server side, and reading data from memory is certainly faster than fetching it from the hard disk.

Second, it is not possible to enumerate the currently valid sessions. You cannot iterate over all clients currently connected to the server, so you cannot gather statistics about the current users, such as the number of people online right now.
