On the difference and connection between cookies and sessions, starting from JSESSIONID

Source: Internet
Author: User

On occasions like voting, for the sake of fairness we usually want each person to vote only once. Similar situations come up in web development, where we usually use cookies, as in the following code:
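<%
Cookie[] cookies = request.getCookies();
// getCookies() returns null when the request carries no cookies,
// so test for null before reading length
if (cookies == null || cookies.length == 0)
{
    doStuffForNewbie();         // has not visited before
}
else
{
    doStuffForReturnVisitor();  // has already visited
}
%>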

This is a very straightforward way to detect whether cookies exist: if any are present, the code that writes the cookie has already run. However, after running the above code, doStuffForReturnVisitor() is executed every time, yet looking through Control Panel - Internet Options - Settings - View Files never shows the generated cookie file. Strange: the code is clearly fine, so since a cookie exists, let's print it out and look at it.
Cookie[] cookies = request.getCookies();
if (cookies == null || cookies.length == 0)
{
    out.println("has not visited this website");
}
else
{
    // print every cookie the browser sent with this request
    for (int i = 0; i < cookies.length; i++)
    {
        out.println("Cookie name:" + cookies[i].getName() + " cookie value:" +
            cookies[i].getValue());
    }
}

Run result:
Cookie Name:jsessionid Cookie Value:kwjhug6jjm65hs2k6

Why is there a cookie? As we all know, HTTP is a stateless protocol: every time a client reads a web page, the server opens a new session, and the server does not automatically maintain the client's contextual information. How, then, can an online store implement a shopping cart? The session is a mechanism for saving contextual information. It is per-user: the values of its variables are stored on the server side, and a session ID is used to distinguish between different clients. The session is based on cookies or URL rewriting and is implemented with cookies by default: the system creates an output cookie named JSESSIONID, which we call a session cookie to distinguish it from persistent cookies, which are what we usually mean by cookies. Note that the session cookie is stored in browser memory, not on the hard drive; this is the jsessionid we just saw. We usually do not see JSESSIONID, but when we disable cookies in the browser, the web server passes the session ID through URL rewriting, and we can see a string like sessionid=kwjhug6jjm65hs2k6 in the address bar.

Once the principle is understood, we can easily distinguish persistent cookies from session cookies, and the online discussions about the security of the two become clear at a glance. A session cookie serves one session and disappears when the session ends, whereas a persistent cookie is just a piece of text (usually encrypted) stored on the client's hard disk that can be compromised by cookie spoofing and by cross-site scripting attacks against cookies, so it is naturally less secure than the session cookie.

Usually a session cookie cannot be used across windows: when you open a new browser window on the same page, the system gives you a new session ID, so the goal of sharing information is not achieved. In that case we can save the session ID in a persistent cookie and read it in the new window to obtain the previous window's session ID. Combining session cookies and persistent cookies in this way lets us implement cross-window session tracking.

Some web development books simply present sessions and cookies as two parallel ways of passing information over HTTP, with session cookies on the server side and persistent cookies on the client. But sessions are based on cookies; once we understand the relationship and the differences between the two, it is not hard to choose the right technology for developing a web service.

----------------------------------------------------------------------------------------------------

The difference and connection between cookie and session mechanism

Specifically, the cookie mechanism is a scheme that maintains state on the client. It is the client-side storage mechanism for session state, and it requires the user to enable cookie support in the client. Cookies are an effort to address the statelessness of the HTTP protocol.
The session mechanism uses a solution that maintains state between the client and the server. At the same time, we also see that the session mechanism may need to use the cookie mechanism to save an identifier, because the server-side scheme also needs to keep something on the client. Sessions also provide a convenient way to manage global variables.

The session is per-user: the values of its variables are saved on the server, and a session ID is used to tell which user's session variables they are. This value is returned to the server by the user's browser; when the client disables cookies, it may instead be returned to the server through GET.

In terms of security: when a site you visit uses sessions and also creates cookies on your own machine, the server-side session mechanism is considered the safer of the two, because it does not arbitrarily read the information stored on the client.

Standard cookie delivery is implemented by extending the HTTP protocol: the server adds a special header line to the HTTP response that instructs the browser to generate the corresponding cookie.

From a web server's standpoint, every HTTP request is independent of the previous request. This means that each HTTP response relies entirely on the information contained in the corresponding request. State management mechanisms overcome some of HTTP's restrictions and allow the web client and server to maintain a relationship between requests. The period during which this relationship is maintained is called a session.

Cookies are small pieces of text that the server stores on the local machine and that are sent to the same server with each request. IETF RFC 2965, HTTP State Management Mechanism, is a generic cookie specification. The web server sends cookies to the client using HTTP headers; on the client, the browser parses the cookies and saves them as a local file, and it automatically attaches them to any request to the same server.

----------------------------------------------------------------------------------------------------

The difference and connection between cookie and session mechanism

Specifically, the cookie mechanism is a scheme for maintaining state on the client side, and the session mechanism is a scheme for maintaining state on the server side. At the same time, we also see that because the server-side scheme also needs to keep an identifier on the client, the session mechanism may need to use the cookie mechanism to save that identifier, although in fact it has other options.

Cookie mechanism. Standard cookie delivery is implemented by extending the HTTP protocol: the server adds a special header line to the HTTP response that instructs the browser to generate the corresponding cookie. However, pure client-side script such as JavaScript or VBScript can also generate cookies. Cookies are then sent to the server automatically by the browser in the background, according to certain rules. The browser checks all stored cookies and, if a cookie's declared scope is greater than or equal to the location of the resource being requested, sends that cookie to the server in the HTTP request header of the request for the resource.
The contents of a cookie mainly include: name, value, expiration time, path and domain. The path, together with the domain, forms the scope of the cookie. If no expiration time is set, the lifetime of the cookie is the browser session, and the cookie disappears when the browser window is closed. A cookie whose lifetime is the browser session is called a session cookie. Session cookies are generally not stored on the hard disk but kept in memory, although this behavior is not regulated by the specification. If an expiration time is set, the browser saves the cookie to the hard disk, and after the browser is closed and opened again the cookie remains valid until the expiration time has passed. Cookies stored on the hard disk can be shared between different browser processes, such as two IE windows. For cookies stored in memory, different browsers have different ways of handling them.
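
The scope and lifetime rules above, as an added example that is not part of the original article: it parses a Set-Cookie header, classifies the cookie as session or persistent, decides whether a browser would send it with a given request, and lists missing attributes that matter for a cookie carrying a session ID. The domain and path matching follows the RFC 6265 rules; the function names, sample headers and hosts are constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attrs)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def lifetime(attrs):
    """No Expires/Max-Age: the cookie lives only for the browser session."""
    return "persistent" if ("expires" in attrs or "max-age" in attrs) else "session"

def in_scope(attrs, origin_host, url):
    """Would a browser send this cookie (set by origin_host) with a request for url?"""
    parts = urlsplit(url)
    host = parts.hostname or ""
    req_path = parts.path or "/"
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain:
        host_ok = host == domain or host.endswith("." + domain)
    else:
        host_ok = host == origin_host      # host-only cookie
    path = attrs.get("path") or "/"
    path_ok = (req_path == path or
               (req_path.startswith(path) and
                (path.endswith("/") or req_path[len(path)] == "/")))
    secure_ok = "secure" not in attrs or parts.scheme == "https"
    return host_ok and path_ok and secure_ok

def weaknesses(attrs):
    """Flags a defender expects on a session-ID cookie but that are absent."""
    return [flag for flag in ("httponly", "secure") if flag not in attrs]

# Constructed sample headers (values are made up for illustration).
SESSION = "JSESSIONID=kwjhug6jjm65hs2k6; Path=/shop; HttpOnly"
PERSIST = "remember=abc123; Domain=example.com; Path=/; Max-Age=2592000"

if __name__ == "__main__":
    for hdr in (SESSION, PERSIST):
        name, _, attrs = parse_set_cookie(hdr)
        print(name, lifetime(attrs), "missing:", weaknesses(attrs))
```
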
Session mechanism. The session mechanism is a server-side mechanism in which the server uses a structure similar to a hash table (or perhaps an actual hash table) to hold the information.

When a program needs to create a session for a client's request, the server first checks whether the request already contains a session identifier (called a session ID). If it does, a session has already been created for this client, and the server retrieves that session using the session ID (if it cannot be retrieved, a new one is created). If the client request does not contain a session ID, the server creates a session for this client and generates a session ID associated with that session. The value of the session ID should be a string that is neither duplicated nor easy to guess, and it is returned to the client in this response to be saved.
This session ID can be saved in a cookie, so that the browser automatically sends the identifier back to the server according to the rules during the interaction. The name of this cookie is generally something like SESSIONID. However, cookies can be disabled by the user, so there must be other mechanisms to pass the session ID back to the server when cookies are disabled.
One technique that is often used is called URL rewriting, which attaches the session ID directly after the URL path. There is also a technique called hidden form fields: the server automatically modifies the form and adds a hidden field so that the session ID is passed back to the server when the form is submitted. For example:
<form name="Testform" action="/xxx">
<input type="hidden" name="Jsessionid" value="byok3vjfd75apnrf7c2hmdnv6qzcebzwowibyenlerjq99zwpbng!-145788764">
<input type="text">
</form>
In fact, this technique can be simply replaced by applying URL rewriting to the action.
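
The lookup-or-create flow described above, as an added sketch that is not part of the original article and is not any container's actual implementation: a server-side table keyed by session ID, an ID drawn from a cryptographic random source, delivery as a session cookie, and a URL-rewriting fallback. The function names are hypothetical; the `;jsessionid=` path suffix follows the servlet convention. An ID that the server does not recognise is never adopted, so a client cannot choose its own session ID.

```python
import secrets
from urllib.parse import urlsplit

SESSIONS = {}               # server-side table: session ID -> per-user data
COOKIE_NAME = "JSESSIONID"

def new_session_id():
    """Unpredictable, non-repeating ID: 128 bits from the OS CSPRNG."""
    return secrets.token_hex(16)

def extract_session_id(cookie_header, url):
    """Look for the ID in the Cookie header first, then in a rewritten URL."""
    for pair in (cookie_header or "").split(";"):
        name, _, value = pair.strip().partition("=")
        if name == COOKIE_NAME and value:
            return value
    path = urlsplit(url).path           # urlsplit keeps ";params" in the path
    marker = ";" + COOKIE_NAME.lower() + "="
    if marker in path:
        return path.split(marker, 1)[1]
    return None

def get_session(cookie_header, url):
    """Return (sid, data, created); unknown or missing IDs get a fresh session."""
    sid = extract_session_id(cookie_header, url)
    if sid in SESSIONS:
        return sid, SESSIONS[sid], False
    sid = new_session_id()              # never adopt a client-supplied ID
    SESSIONS[sid] = {}
    return sid, SESSIONS[sid], True

def set_cookie_header(sid):
    """Session cookie: no Expires/Max-Age, so it is not written to disk."""
    return f"Set-Cookie: {COOKIE_NAME}={sid}; Path=/; HttpOnly"

def rewrite_url(url, sid):
    """URL-rewriting fallback: append the ID to the path, before any query."""
    base, sep, query = url.partition("?")
    return f"{base};{COOKIE_NAME.lower()}={sid}{sep}{query}"

if __name__ == "__main__":
    sid, data, created = get_session(None, "/cart")   # first visit
    data["cart"] = ["book"]
    print(set_cookie_header(sid))
    print(rewrite_url("/cart?item=1", sid))
```

With URL rewriting the session ID appears in the address bar, as the article notes, so it is exposed wherever URLs are recorded or shared.
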
