I. Session nature
The HTTP protocol is stateless, that is, you can access a Web page 100 times consecutively and access a Web page once for no difference to the server, because it cannot remember you.
In some cases, the server must remember the current user? For example, after a user logs on to his or her mailbox, he or she needs to receive and write emails. Instead of asking the user to enter the user name and password for each operation, the session solution is proposed to solve this problem, in fact, it is not a new technology, and it cannot be separated from the HTTP protocol and any existing Web technology.
The principle is very simple. If you visit a webpage like visiting a bathhouse, you don't have a key when you first go in. At this time, if you pay the money, the service desk will assign you a key, you need to take it wherever you go, because it is the only identifier of your identity. Then you can use this key to open a dedicated locker to store your clothes and swim, you use the key to open the cupboard and take out your clothes. When you finally leave the swimming pool, return the key. Your swimming process is a session or session. In this example, the key is the session key, and the locker can be understood as the medium for storing user session information.
So how to implement the session in Web server? I think you can easily understand the above example. It mainly solves two problems: one is the key problem and the other is the problem of storing user information. The first question is, what can automatically bring your requests to the server? If you know more about the HTTP protocol, the answer is clear at a glance, that is, Cookie. If you want to establish a session for the user, you can give the user a cookie when the user authorization is successful, which is called the session ID, it is of course unique. For example, PHP will set a cookie named PHPSESSID by default for the user who creates the session, and the value looks like a random string. If you find that the user carries this cookie next time, the server knows, oh, this customer has just arrived.
The rest is to solve the second problem, that is, how to store user information. When the server knows that the session ID is ABC, ABC wants to store its own private information, such as the shopping cart information, what should I do? At this time, you can use memory, files, or databases. However, you must use the user's session ID to obtain the data, for example, PHP stores the user session data with the session id abc in the/tmp/phpsess_abc file by default, and deserializes the data that the program can understand every read, during writing, the data format must be serialized to a persistent data format.
Better understanding:
Session is used to indicate a continuous connection status. In Website access, it generally refers to the process from the start to the end of the client browser process. Session is actually a website analysis access (visits) metric, indicating an access process.
Session cookie is a common implementation form of session cookie, that is, the cookie with no expiration time is set. The default life cycle of this cookie is the browser session period, as long as the browser window is closed, the cookie disappears. The implementation mechanism is that when a user initiates a request, the server checks whether the request contains the sessionid. If not, the system will create an output cookie named JSESSIONID and return it to the browser (only in memory, not in the hard disk), and write it into the server's memory in the form of hashtable; if sessionid already exists, the server checks and finds the information that matches the session. If yes, the server uses the sessionid directly. If no sessionid exists, the server generates a new session. Note that sessions are always created by the server rather than by the browser. However, after the cookie of the browser is disabled, the session needs to use the URL rewriting mechanism of the get method or the form of submitting a hidden form using the POST method.
2. How to share sessions?
First, we should understand why we need to achieve sharing. If your website is stored on a machine, this problem does not exist because session data is stored on this machine, but what if you use Server Load balancer to distribute requests to different machines? At this time, the session ID is no problem on the client, but if the user requests two times to two different machines, and the session data may exist on one of them, in this case, session data cannot be obtained, so session sharing becomes a problem.
1. various web frameworks have long considered this issue. For example, Asp.net supports modifying the session storage medium to SQL Server through the configuration file. session data of all machines is read from the same database, there will be no inconsistency issues;
2. stored on the client using cookie encryption. the advantage is to reduce the pressure on the server. The disadvantage is that it is limited by the size of the cookie and may occupy a certain amount of bandwidth, because each request will include a certain size of cookie information in the header, in addition, this method is invalid when the user disallows the use of cookies.
3. synchronize data between servers. Regularly synchronize session information of each server. This method may be delayed and the user experience is not good.
4. PHP supports storing session data to a memcache server. You can also manually change the directory where session files are stored to the NFS Network File System to achieve cross-machine file sharing.
There is also a simple method that can be used when the session information will not change frequently. When machine A sets a user session, it will post the session data to a cgi of machine B, machine B's CGI stores session data so that both machine A and machine B can copy the same session data.
Session principles and implementation sharing