Session and the most profound understanding of cookies

Source: Internet
Author: User
Let's look at the session first.

The debate over the session never seems to stop, yet the people who can understand the session should account for more than 90.
But tell me, don't be too old

Some people are in favor of using the session and some are not. But how exactly should the question be answered? You might as well listen to my opinion.

If I make a mistake, please do not throw things, except gold bars and coins.

Some people may know that I am a quack programmer, and what that kind of programming cares about is efficiency. Here, though, I will not talk about design, and will look at the session from some more practical angles.

First, what the session is: a session is a storage mechanism for user information that is tied to one user's IE window and to any window opened from that window. Why do I say that? Read on.

First look at how a session is started. When you open IE and browse to a Web site, IE sends a request that asks for a SessionID and states which types of data it is allowed to download, such as pictures, sounds, and Flash.
Actual data transmitted, IE to server:
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: www.jh521.com
Connection: Keep-Alive
The server returns an unused SessionID for IE to use, and IE stores the returned SessionID. The server also returns the data for the requested page, as follows, server to IE:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, Nov 2003 16:41:51 GMT
Content-Length: 21174
Content-Type: text/html
Set-Cookie: ASPSESSIONIDCACBBBRT=IBOMFONAOJFEEBHBPIENJFFC; path=/
Cache-Control: private
followed by the HTML code of the page.

At this point the SessionID of this IE program (not of the client) is IBOMFONAOJFEEBHBPIENJFFC.

Whenever IE then accesses any ASP page on this site, it sends IBOMFONAOJFEEBHBPIENJFFC to the server, and the server knows that IBOMFONAOJFEEBHBPIENJFFC means you.
Setting Session("name") = "name" on the server
can be seen as the complete form
Session("IBOMFONAOJFEEBHBPIENJFFC")("name") = "name"
or
Session(SessionID)("name") = "name"
In this way the session keeps separate users apart.
When the server hands out an ID, it first checks whether that ID is already in use, so you will not be given a duplicate. It is still possible to cheat by impersonating someone else's SessionID. To do that you have to capture what the other side's IE transmits, and it only works if the SessionID has not been cancelled by then.

But if I had that kind of time, I would go straight for the name and password in his POST. I don't have the energy.

Presumably some people understand how SessionID works.
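The lookup just described, Session(SessionID)("name"), as an added Python sketch that is not code from the original article: the server keeps each user's variables under an ID it has checked is unused, and the browser only sends that ID back in its Cookie header. The SessionStore class, the SESSIONID cookie name and the timeout value are assumptions made for the illustration.

```python
import secrets
import time

SESSION_TIMEOUT = 20 * 60  # seconds; assumed value for this sketch


class SessionStore:
    """Server-side store: the client only ever holds the opaque ID."""

    def __init__(self, timeout=SESSION_TIMEOUT, clock=time.time):
        self._data = {}          # session id -> (last_seen, variables)
        self._timeout = timeout
        self._clock = clock

    def new_id(self):
        # Hand out an ID that is not already in use, as the article describes.
        while True:
            sid = secrets.token_hex(16)
            if sid not in self._data:
                self._data[sid] = (self._clock(), {})
                return sid

    def lookup(self, cookie_header, cookie_name="SESSIONID"):
        """Return the variables for the ID in a Cookie header, or None."""
        sid = parse_cookies(cookie_header).get(cookie_name)
        entry = self._data.get(sid)
        if entry is None:
            return None              # unknown or already cancelled ID
        last_seen, variables = entry
        if self._clock() - last_seen > self._timeout:
            del self._data[sid]      # timed out: the ID is cancelled
            return None
        self._data[sid] = (self._clock(), variables)
        return variables

    def cancel(self, sid):
        self._data.pop(sid, None)    # logout: the ID identifies nobody now


def parse_cookies(header):
    """Parse 'a=1; b=2' into a dict (quoting and escaping not handled)."""
    cookies = {}
    for part in (header or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies
```

Because whoever presents a live ID is treated as its owner, cancelling the ID on logout and on timeout is what bounds how long a captured ID stays useful.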

Now look at the cookie. Some say the SessionID is a cookie. Technically they are not the same, but both belong to the same working mode, in which the user and the server exchange private data.

When I set a cookie, the server sends IE an instruction. IE creates the cookie from that instruction and stores it, and sends the information back at specific times, such as when visiting this site while the cookie is still valid.

So why use cookies instead of a session?
Look at the difference.

Compare effective time, storage mode and transferred content:
Cookies: the lifetime can be set, the data is retained locally, and the information is transferred in plaintext.
Session: lasts as long as IE is not closed and the server has not timed out, and only the SessionID is transferred.

You can use cookies when you want users to be able to log in next time without typing a username or password, because a cookie can be kept for quite a long time (until the cookie record is deleted or the expiration date passes).

The session cannot do this. It is not retained for long, and IE automatically clears the SessionID record when it is closed. The next time you log in, you request a new SessionID.

When the server wants to verify the user's state through the user's personal variables, it cannot use cookies.

Suppose a cookie is used to set the user's permissions. The user's data is transmitted to the server in plaintext whenever IE accesses the site.

So if I use some means, such as directly modifying the cookie record, to change the user to admin ~ ~

I'm in trouble.

But for storing information such as user names and passwords or the color scheme of a Web site, cookies are the best choice.
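The permissions problem above, as an added Python example that is not from the original article: a check that trusts a plaintext role cookie, next to one that detects edits. The article's own answer is to keep such values in the session; this sketch goes beyond it and shows a different technique, an HMAC computed with a server-side key. SERVER_KEY and the function names are assumptions, and the cookies are passed in as an already-parsed dict.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # assumption: secret known only to the server


def is_admin_plain(cookies):
    # Weak: trusts a value the browser stores locally and sends in plaintext.
    return cookies.get("role") == "admin"


def sign(value, key=SERVER_KEY):
    """Return 'value.mac' for the server to put in Set-Cookie."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return value + "." + mac


def verify(signed, key=SERVER_KEY):
    """Return the original value, or None if the cookie was altered."""
    value, sep, mac = (signed or "").rpartition(".")
    if not sep:
        return None                      # no MAC attached at all
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison of the supplied and recomputed MAC.
    if hmac.compare_digest(mac.encode(), expected.encode()):
        return value
    return None


def is_admin_signed(cookies):
    # Only a value carrying a MAC made with SERVER_KEY is believed.
    return verify(cookies.get("role")) == "admin"
```

Signing detects modification only: the value is still readable on the client, and a copied cookie is still accepted until the server stops honoring it.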


Okay, I am a little tired, but let me talk about one more thing:
Request.ServerVariables("HTTP_REFERER")

I expect some people use Request.ServerVariables("HTTP_REFERER") to enforce some key restrictions, especially against remote submissions and illegal intrusion.
I would like to remind them that the HTTP_REFERER information the server obtains is transmitted to the server entirely by IE, so it can be simulated, and it is not difficult: in less than half an hour you can write a VB program for HTTP_REFERER intrusion.
(Unfortunately, I did not originally use it for anything serious; I made an idle bot program for a web game.)
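Why the Referer restriction fails and what a server can check instead, as an added Python example that is not from the original article: the Referer test passes for any request that carries the right header text, while a random token stored in the server-side session cannot be supplied by a client that never received the form. TRUSTED_ORIGIN, the field name "token" and the function names are assumptions; session stands for the per-user server-side variables described earlier.

```python
import hmac
import secrets

TRUSTED_ORIGIN = "http://www.example.test/"  # constructed site URL


def allow_by_referer(headers):
    # Weak: Referer is a request header, so its value is chosen by the sender.
    return headers.get("Referer", "").startswith(TRUSTED_ORIGIN)


def issue_form_token(session):
    """Store a random token in the server-side session and return it,
    to be embedded in the form as a hidden field."""
    session["form_token"] = secrets.token_hex(16)
    return session["form_token"]


def allow_by_token(session, form):
    """Accept a submission only if it carries this session's token."""
    expected = session.pop("form_token", None)   # single use
    supplied = form.get("token", "")
    if expected is None:
        return False                             # no form was issued
    return hmac.compare_digest(expected.encode(), supplied.encode())
```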


