I have never been very clear about cookie and session mechanisms. Are there any good materials for me to learn, I am very grateful to you for your understanding of cookie and session mechanisms. I am very grateful if I have any good information to learn.
Reply content:
Dear friends, I have never been very clear about cookie and session mechanisms. I am grateful if I have any good information to learn and learn.
In fact, you can find a lot of answers by searching for a question.
What problems does cookie and session solve? How can this problem be solved? As a matter of fact, you will naturally understand the operating mechanism of these two problems.
What problems does cookie and session solve?
It makes up for the inherent defects of the http protocol and is stateless (it is impossible to identify whether the last request and the next request come from the same user ).
How can this problem be solved?
Savekey=>value
Andkey
The cookie is used for transmission. when each client request is sentkey
To the server, the server can identify whether the request is from the same user.
The above is just a simple answer to the cookie and session mechanisms. the specific answer is to search for these two questions.
Before you understand their implementation principles, you must differentiate the roles of the two.
Cookie-a type of cached data in the browser that can be disabled by the browser (in Settings ). If the browser closes the Cookie, the Cookie will be unavailable. Currently, no Cookie is disabled.
Since cookies are from browsers,In essence, anyone can touch your Cookie.. Secure? Of course it is not safe. How can we achieve security at this time? Use Session, and there are no exceptions.
Session-as the name implies, a Session is stored on the server, which is different from the Cookie stored in the user's browser. It is based on cookies. If the Cookie is invalid, the Session cannot be used normally. Because the Session will put its Session_id in the Cookie. Each time you communicate with the website server, the program language on the server can obtain the session_id in the Cookie to read session data stored on the server.
Session_id is very important. What if I want the Sesion to be useful after the Cookie is disabled? Each request carries a kv in the header, which provides session_id... BLABLABLA... I don't think you need to learn this yet. it's just a digress.
COOKIE-the data is stored in the browser currently used by the user (for another browser, the previous COOKIE is no longer available), and the security is weak.
SESSION-data is stored on the server, which is highly secure. If you change your browser, you need to log on again. Because the cookie it relies on is also different from the browser.
Next, how do I use cookies and sessions? You can learn.
Sessions can be implemented based on cookies or get parameters, although not secure.
Let's take a look at the example of using the MySQL memory table to implement session storage. we will probably know the relationship between session and cookie.
Create table sessions (user_id int (10) unsigned not null, session text not null, md5 char (32) not null, primary key (user_id) ENGINE = memory default charset = utf8; user_id stores the user ID as the primary key. session stores the string of the user's session array after serialize or json_encode. md5 stores the MD5 value of the session field, which is used to implement the optimistic lock of Check And Set versions: -- read session SELECT session, md5 -- md5 found here is used when writing sessions, $ last_md5FROM sessions WHERE user_id = $ user_id -- write session UPDATE sessionsSET session = $ str, md5 = md5 ($ str) WHERE user_id = $ user_id AND md5 = $ last_md5 -- check MD5 to ensure that the session field has not been modified
Implement a set of custom cookie session mechanism based on the database.
This cookie must be authenticated and cannot be forged or cracked.
// Salt protecting the user password $ salt = sha1 (uniqid ($ user_id. '_'. getmypid (). '_'. mt_rand (). '_', true); // password saved by the database ($ pwd_user is the plaintext of the password entered by the user) // you can use CryptoJS on the browser first. after the MD5 () hash password is passed to the server for processing, // ensure that the server does not know the plaintext of the user's password. it is best to use https encrypted transmission to avoid theft and modification. // password saved by the database ($ pwd_user is the plaintext of the password entered by the user) $ pwd_db = sha1 ($ salt. sha1 ($ pwd_user); // The return value of password_hash contains salt. in this case, external $ salt is not required. // password_verify can reduce time-consuming strings to avoid time series attacks. // $ pwd_db = password_hash ($ pwd_user, PASSWORD_DEFAULT); // salt in the cookie // $ global_salt is the global salt defined in the configuration to protect the user's salt, once modified, all users' cookies will be invalid. $ cookie_salt = sha1 ($ global_salt.sha1 ($ salt); // The final generated cookie content $ cookie = base64_encode ($ user_id. '| '. $ cookie_salt); // If you need high security, you can use AES (MCRYPT_RIJNDAEL_256) to encrypt the entire cookie content. // $ cookie = mcrypt_aes ($ cookie, $ key); // Set the cookie. the Expiration Time is set to 604800 seconds (60*60*24*7, one week) setcookie ('sessid', $ cookie, time () + 604800, '/', '', false, true ); // decrypt the cookie // $ cookie = mdecrypt_aes ($ _ COOKIE ['sessid '], $ key ); // get the $ user_id and $ cookie_salt in the decoded Shard and query $ salt based on $ user_id to spell $ cookie_salt and compare it with $ cookie_salt in the cookie, if they are consistent, they pass cookie authentication. $ cookie = explode ('|', base64_decode ($ _ COOKIE ['sessid ']); list ($ user_id, $ cookie_salt) = $ cookie;