Session and cookie

Source: Internet
Author: User

Source: emotional network

Let's talk about session first.

The debate over the SESSION seems never to have stopped, although the number of people who can understand the SESSION should be more than 90.
Still, let's talk about it. Don't think the topic too old ~

Some people are in favor of the SESSION, while others are against it. But what is the actual problem? Hear my opinion.

If I get something wrong, please do not throw anything at me, except for gold bars and coins.

Some of you may know that I am a programmer, and programmers focus on efficiency, but here we will not talk about design, only about some practical aspects.


First, let's talk about what the SESSION does. The SESSION is a storage mechanism for user information that is specific to one user's IE and to any window opened from the current window. Why? See below.

First, we will study how the SESSION is started. When IE is opened, it sends a request asking for a SESSIONID and stating which types of data it will accept for download, such as clips, sounds, and FLASH.
The data actually transmitted, IE to the server:
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: www.jh521.com
Connection: Keep-Alive
The server returns an unused SESSIONID for IE to use, and IE stores the returned SESSIONID.

At the same time, the data for the requested page is returned, as follows (server to IE):
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 30 Nov 2003 16:41:51 GMT
Content-Length: 21174
Content-Type: text/html
Set-Cookie: ASPSESSIONIDCACBBBRT=IBOMFONAOJFEEBHBPIENJFFC; path=/
Cache-control: private
Then there is the HTML code of the page.


In this case, the SESSIONID of this IE program (not the client) is IBOMFONAOJFEEBHBPIENJFFC.

When IE accesses any ASP program on this site, it sends IBOMFONAOJFEEBHBPIENJFFC to the server, so the server knows that IBOMFONAOJFEEBHBPIENJFFC means you.
Setting SESSION("name") = "name" on the server
can be viewed as
SESSION("IBOMFONAOJFEEBHBPIENJFFC")("name") = "name"
or
SESSION(SESSIONID)("name") = "name"
In this way, each user's session is kept separate.
When the server issues this ID, it checks whether the ID is already in use. If it is, the server will not hand it out again. If you want to imitate someone else's session ID for spoofing, you can. However, you need to obtain the other party's IE traffic, and it works only while that SESSIONID has not yet been cancelled.

However, if I had that kind of time, I would just use the POST data to find the NAME and PASS; there would be no need to go to that trouble.


Some may have understood how SESSIONID works.


So let's look at the COOKIE. Some people say that SESSIONID is a COOKIE. Technically, they do not belong to the same type.

However, both are a working mode in which the user and the server exchange private data.

When I set a COOKIE, the server sends an instruction to IE. IE uses this instruction to generate the COOKIE and store it, and the information is read back at specific times, such as when this site is accessed while the COOKIE is still valid.


So why use cookies instead of SESSION?
Look at the differences in validity period, storage, and transmitted content:

COOKIE: the validity period can be set, and the information is kept locally in plaintext.

SESSION: valid while IE is not closed and the server has not timed out; only the SESSIONID is transmitted.


If you want users not to have to enter the user name or password the next time they log in to the website, you can only use cookies, because a cookie can be retained for a long time (until the COOKIE record is deleted or its expiration date passes).

The SESSION cannot do this. It is not retained for long, and IE automatically clears the SESSIONID record after it is closed.

A new SESSIONID will be requested during the next login.

When the server wants to verify the user's status through the user's personal variables, it cannot use cookies.

Suppose the USER permission is set to USER. During IE access, the plaintext USER is transmitted to the server.

So what if I modify the COOKIE record directly and change USER to ADMIN ~~

This is troublesome.
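The SESSION(SESSIONID)("name") view and the USER-to-ADMIN cookie edit described above can be put side by side. This is an added example, not code from the original article; the cookie names `SESSIONID` and `role`, the `GUEST` default and every function name are assumptions made for illustration.

```python
import secrets

# Server-side store: SESSIONID -> that user's variables, i.e. the article's
# SESSION(SESSIONID)("name") view. All names here are illustrative.
SESSIONS = {}

def new_session():
    """Issue an unused, unguessable SESSIONID and create its storage."""
    while True:
        sid = secrets.token_urlsafe(24)
        if sid not in SESSIONS:          # never hand out an ID already in use
            SESSIONS[sid] = {}
            return sid

def parse_cookie_header(header):
    """Split a request 'Cookie:' header into a dict of name -> value."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies

def role_from_cookie(cookie_header):
    """Weak: the permission is whatever the client-side cookie says."""
    return parse_cookie_header(cookie_header).get("role", "GUEST")

def role_from_session(cookie_header):
    """Hardened: the cookie carries only the ID; the role is read server-side."""
    sid = parse_cookie_header(cookie_header).get("SESSIONID", "")
    return SESSIONS.get(sid, {}).get("role", "GUEST")

def demo():
    sid = new_session()
    SESSIONS[sid]["role"] = "USER"       # set by the server at login
    # Constructed request header: the client edited its own 'role' cookie.
    edited = f"SESSIONID={sid}; role=ADMIN"
    return role_from_cookie(edited), role_from_session(edited)

if __name__ == "__main__":
    print(demo())
```

The cookie-based lookup accepts the edited value, while the session-based lookup still answers with what the server stored, and an ID the server never issued maps to no privileges at all.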


However, using cookies is the best way to store information such as user names and passwords or website color schemes.

 

Okay, I'm tired. That's all I'll say on this.
Request.ServerVariables("HTTP_REFERER")


I think some people use Request.ServerVariables("HTTP_REFERER") to enforce some key restrictions, especially against remote submission and illegal intrusion.
So I will remind you that the HTTP_REFERER information the server receives is supplied entirely by IE, and it can be simulated.
Moreover, this is not difficult: in less than half an hour you can use VB to create an intrusion program against HTTP_REFERER.
(Unfortunately, I didn't do anything serious with it; I made one for a WEB game hook-up program.)
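Because HTTP_REFERER is only a request header, a restriction built on it can be compared with one tied to server-side session state. This is an added example, not code from the original article; the `form_token` field, the `www.example.test` site and all function names are assumptions.

```python
import hmac
import secrets

SESSIONS = {}   # SESSIONID -> per-user variables held on the server (illustrative)

def issue_form_token(sid):
    """Create a random token, keep it in the session, embed it in the form."""
    token = secrets.token_urlsafe(24)
    SESSIONS.setdefault(sid, {})["form_token"] = token
    return token

def referer_check(headers, site="http://www.example.test/"):
    """Weak: trusts a header whose value is chosen entirely by the client."""
    return headers.get("Referer", "").startswith(site)

def token_check(sid, form):
    """Stronger: the submitted token must equal the one stored for this session."""
    expected = SESSIONS.get(sid, {}).get("form_token")
    supplied = form.get("form_token", "")
    if not expected:
        return False
    # Constant-time comparison of the two values.
    return hmac.compare_digest(expected.encode(), supplied.encode())

def demo():
    sid = "constructed-session-id"
    token = issue_form_token(sid)
    # Constructed remote submission: Referer filled in by the sender, no valid token.
    remote_headers = {"Referer": "http://www.example.test/form.asp"}
    remote_form = {"name": "x", "form_token": "guess"}
    # Constructed genuine submission from the page that embedded the token.
    real_form = {"name": "x", "form_token": token}
    return (referer_check(remote_headers),
            token_check(sid, remote_form),
            token_check(sid, real_form))

if __name__ == "__main__":
    print(demo())
```

The Referer test passes for the remote submission, while the token test rejects it and accepts only the form that carried the value stored in the session.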

 

 
