A simple understanding of sessions and cookies: the basics

Source: Internet
Author: User
Tags: http, request, session id

0. Introduction: why do we need cookies and sessions

HTTP is stateless: by itself, a request carries nothing that tells the server whether it comes from a user who has already logged in. Some mechanism is therefore needed to carry state such as login status across requests, so that the user is not asked to authenticate again on every visit to the web service. Cookies and sessions are the two halves of that mechanism: the cookie lives on the browser side, the session on the server side.

1. About cookies

1.1 What is a cookie

A cookie is a small piece of named data that the server asks the browser to store, using the Set-Cookie response header. The browser keeps it on the client side and sends it back to the server on later requests, in the Cookie request header, so that the server can recognize the state it handed out earlier.

The main parts of a cookie are: name, value, expiry time (Expires or Max-Age), Path and Domain. Browsers also honour three attributes that matter for security: Secure (send only over HTTPS), HttpOnly (hide from JavaScript) and SameSite (restrict sending on cross-site requests).

1.2 Classification of cookies

A cookie with no expiry time is kept only in the browser's memory and is discarded when the browser is closed. Such a cookie is called a session cookie, and it is the usual carrier of a session ID.

A cookie with an expiry time (Expires or Max-Age) is a persistent cookie: the browser writes it to disk and keeps sending it until it expires.

1.3 How cookies are used

When sending a request, the browser goes through all of its stored cookies and attaches, in the Cookie request header, every cookie whose scope covers the resource being requested: the request host must match the cookie's Domain (or equal the host that set it, when no Domain was given), the request path must lie under the cookie's Path, and a Secure cookie is only attached over HTTPS.

When handling a request, the server reads the cookie from the request header and checks it (for example, a login check: does the cookie identify a logged-in user, and is it genuine?). If the check passes, the actual business logic runs.

If the check fails, for example because no cookie is present or its content is invalid (possibly forged), the server redirects to the login page. Once the login succeeds, the server returns the cookie in the Set-Cookie response header, and the browser stores it on disk or in memory, depending on whether an expiry time was given, for use on the next request. A server should never trust the content of a cookie as-is: either the value is an opaque identifier that the server looks up, or it carries a signature (for example an HMAC) that the server verifies before acting on it.
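The login flow described above, worked as an added example (this is not code from the original article). It models a tiny server that, on every request except the login form, verifies a cookie named auth; a missing or tampered cookie redirects to /login, and a successful login answers with Set-Cookie. The cookie value is base64url-encoded JSON (cookies can only carry ASCII) followed by an HMAC-SHA256 tag, so a client that edits the value cannot pass as a logged-in user. SECRET_KEY, the USERS table and the paths are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
from http.cookies import SimpleCookie

# Assumed for the example: in practice load the key from a secret store, never hard-code it.
SECRET_KEY = b"example-only-secret-key"

# Constructed credential table for the example (real systems store password hashes).
USERS = {"alice": "correct horse battery staple"}


def sign_cookie(payload: dict) -> str:
    """Serialize payload as base64url(JSON) and append an HMAC-SHA256 tag: '<body>.<hex tag>'."""
    raw = json.dumps(payload, separators=(",", ":")).encode()
    body = base64.urlsafe_b64encode(raw).decode().rstrip("=")
    tag = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(value: str):
    """Return the payload dict if the tag is valid for the body, otherwise None."""
    body, sep, tag = value.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):  # constant-time comparison
        return None
    padded = body + "=" * (-len(body) % 4)
    try:
        return json.loads(base64.urlsafe_b64decode(padded))
    except (ValueError, UnicodeDecodeError):
        return None


def handle_request(method: str, path: str, headers: dict, form: dict = None):
    """Minimal request handler. Returns (status, response_headers, body)."""
    if method == "POST" and path == "/login":
        form = form or {}
        user = form.get("user")
        if user is None or USERS.get(user) != form.get("password"):
            return 401, {}, "bad credentials"
        # Login succeeded: hand the browser a signed cookie.
        # HttpOnly keeps it away from document.cookie, Secure limits it to HTTPS.
        set_cookie = f"auth={sign_cookie({'user': user})}; Path=/; HttpOnly; Secure; SameSite=Lax"
        return 302, {"Location": "/", "Set-Cookie": set_cookie}, ""

    # Every other request must present a valid auth cookie.
    cookies = SimpleCookie(headers.get("Cookie", ""))
    payload = verify_cookie(cookies["auth"].value) if "auth" in cookies else None
    if payload is None:
        return 302, {"Location": "/login"}, ""  # missing or forged: go and log in
    return 200, {}, f"hello {payload['user']}"
```

The signature binds the body to the server's key, so the client can still read the payload (it is only encoded, not encrypted) but cannot change it; if the payload itself is sensitive, encrypt it or store it in a server-side session and put only the ID in the cookie.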

2. About session

2.1 What is session

A session holds the user's state information on the server side; the browser holds only an identifier (the session ID) that points to it.

2.2 How to use

When the browser sends a request, the server first looks for a session ID in the request (normally in the Cookie header). If no session ID is present, or the ID it carries is not found in the server's session store, the server generates a new session ID and creates an entry for it, keeping the session data in memory, on disk, or in a shared cache such as memcached. The session ID is the only thing that ties a request to its session, so it must come from a cryptographically secure random source with enough entropy (128 bits or more) that it cannot be guessed.

When the browser receives the response, it stores the returned session ID locally and sends it back with the next request. The most common carrier is a cookie (a session cookie without an expiry time, as in section 1.2), but a cookie is not the only option: URL rewriting, which appends the session ID to the URL path or query string, also works. URL rewriting leaks the ID into browser history, bookmarks, proxy and server logs and the Referer header of outgoing links, so the cookie form is preferred.
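The server-side half of that flow as an added example (not code from the original article): an in-memory session store keyed by a 256-bit random ID from the OS CSPRNG, a lookup that starts a fresh session when the ID is missing or unknown, idle expiry, and rotation of the ID after login (an ID the server accepted before authentication must not stay valid afterwards, otherwise an attacker who planted it in the victim's browser can ride the authenticated session). The cookie name sid, the 30-minute timeout and the store class are assumptions made for the example; a production store would be shared, for example Redis or memcached.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_COOKIE = "sid"       # assumed cookie name
SESSION_TTL = 30 * 60        # assumed idle timeout, in seconds


class SessionStore:
    """In-memory session store: sid -> {"data": dict, "expires": float}."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock  # injectable so expiry can be tested without sleeping

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)  # 256 random bits from the OS CSPRNG, cookie-safe alphabet
        self._sessions[sid] = {"data": {}, "expires": self._clock() + SESSION_TTL}
        return sid

    def get(self, sid):
        """Return the session's data dict, or None if the ID is unknown or has expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if entry["expires"] < self._clock():
            del self._sessions[sid]
            return None
        entry["expires"] = self._clock() + SESSION_TTL  # sliding idle timeout
        return entry["data"]

    def rotate(self, old_sid: str) -> str:
        """Move the data under a brand-new ID and invalidate the old one (call right after login)."""
        entry = self._sessions.pop(old_sid, None)
        new_sid = self.create()
        if entry is not None:
            self._sessions[new_sid]["data"] = entry["data"]
        return new_sid

    def destroy(self, sid: str) -> None:
        """Server-side logout: closing the browser alone does not do this."""
        self._sessions.pop(sid, None)

    def __len__(self) -> int:
        return len(self._sessions)


def session_from_request(store: SessionStore, headers: dict):
    """Read the session ID from the Cookie header; if it is missing or unknown, start a new session.

    Returns (sid, data, set_cookie) where set_cookie is the Set-Cookie header value the
    response must carry (None when the browser already holds a valid ID)."""
    cookies = SimpleCookie(headers.get("Cookie", ""))
    sid = cookies[SESSION_COOKIE].value if SESSION_COOKIE in cookies else None
    data = store.get(sid) if sid else None
    if data is not None:
        return sid, data, None
    sid = store.create()
    set_cookie = f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
    return sid, store.get(sid), set_cookie


def login(store: SessionStore, sid: str, user: str) -> str:
    """After the credentials have been checked elsewhere: record the user and rotate the ID."""
    new_sid = store.rotate(sid)
    store.get(new_sid)["user"] = user
    return new_sid
```

Because the store only ever hands out IDs it generated itself, a client that presents an ID it made up (or one that has expired) simply gets an empty new session; it can never land in another user's data. URL rewriting could be supported by reading the ID from a query parameter instead of the cookie, with the leakage drawbacks noted above.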

3. The main differences between cookies and sessions

3.1 Storage location

Cookie data is stored by the client's browser; the server keeps no copy and only sees the cookie when the browser sends it back. Session data is stored on the server (in memory, on disk or in a shared store), and the client keeps only the session ID.

3.2 Security

Cookies are less secure than sessions for holding data, because anything placed in a cookie is in the user's hands. A persistent cookie sits on the local disk; any cookie can be read and edited through the browser's developer tools or an intercepting proxy; and unless it is marked HttpOnly it can be read by script via document.cookie, so an attacker who finds an XSS vulnerability on the site (for example one triggered through a crafted URL) can exfiltrate it and steal whatever sensitive information it holds.

A session is different: the data stays on the server, and the client holds only an opaque ID that reveals nothing by itself and cannot be edited to change the stored data, which is why sessions are the safer place for sensitive state. The ID is still a bearer credential, though. An XSS attack on the site can read the session cookie just as it can read any other cookie unless that cookie is HttpOnly, and a stolen ID can be replayed for as long as the session is alive; closing the browser discards the session cookie but does not by itself destroy the session on the server. Session cookies should therefore be HttpOnly and Secure, sessions should time out and be invalidated on the server at logout, and the ID should be replaced after login.

3.3 Cross-domain scope

Cookies can be shared across subdomains, not across domains. If a cookie is set with Domain=biaodianfu.com (older syntax: .biaodianfu.com), it is sent to biaodianfu.com and to every host under it (www.biaodianfu.com, api.biaodianfu.com, and so on); large sites such as Google, Baidu and Sina rely on this to share a login across their subdomains. A cookie for biaodianfu.com is never sent to a different registrable domain, and a host cannot set a cookie for a domain it does not belong to. A session is reachable only through the ID that carries it, so it is scoped exactly as widely as that cookie (or URL); sessions are not shared across domains unless the application builds that deliberately, for example with single sign-on.
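The browser side of section 1.3 (which stored cookies get attached to a request), the HttpOnly point of section 3.2 and the Domain scoping just described, worked as one added example (not code from the original article): a small cookie jar that applies the RFC 6265 domain-match, path-match and default-path rules to decide which cookies accompany a given request, withholds Secure cookies over plain http, hides HttpOnly cookies from the script view, rejects a Set-Cookie whose Domain does not cover the responding host, and drops cookies once their Max-Age has passed. It handles Max-Age only (no Expires date parsing) and ignores SameSite; the biaodianfu.com hosts used with it are constructed.

```python
import time
from urllib.parse import urlsplit


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals domain, or host ends with '.' + domain."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4: cookie_path is a prefix of request_path on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def default_path(request_path: str) -> str:
    """Path assigned to a cookie without a Path attribute: the request path up to its last '/'."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[: request_path.rfind("/")]


class CookieJar:
    def __init__(self, clock=time.time):
        self.cookies = []   # stored cookies, in creation order
        self.clock = clock

    def set_cookie(self, request_url: str, header: str) -> bool:
        """Store one Set-Cookie header received in the response to request_url.
        Returns False when the cookie is rejected."""
        u = urlsplit(request_url)
        name_value, *attrs = [p.strip() for p in header.split(";")]
        name, _, value = name_value.partition("=")
        cookie = {"name": name.strip(), "value": value.strip(),
                  "domain": u.hostname.lower(), "host_only": True,
                  "path": default_path(u.path or "/"),
                  "secure": False, "http_only": False, "expires": None}
        for attr in attrs:
            key, _, val = attr.partition("=")
            key, val = key.strip().lower(), val.strip()
            if key == "domain" and val:
                dom = val.lower().lstrip(".")
                if not domain_match(u.hostname, dom):
                    return False    # a host may not set cookies for an unrelated domain
                cookie["domain"], cookie["host_only"] = dom, False
            elif key == "path" and val.startswith("/"):
                cookie["path"] = val
            elif key == "secure":
                cookie["secure"] = True
            elif key == "httponly":
                cookie["http_only"] = True
            elif key == "max-age" and val.lstrip("-").isdigit():
                cookie["expires"] = self.clock() + int(val)   # Max-Age=0 deletes the cookie
        # A cookie with the same (name, domain, path) replaces the old one.
        key = (cookie["name"], cookie["domain"], cookie["path"])
        self.cookies = [c for c in self.cookies if (c["name"], c["domain"], c["path"]) != key]
        self.cookies.append(cookie)
        return True

    def cookie_header(self, request_url: str, from_script: bool = False):
        """The Cookie header the browser would send for request_url, or the document.cookie
        view when from_script is True (which omits HttpOnly cookies). None if nothing matches."""
        u = urlsplit(request_url)
        host, path, now = u.hostname.lower(), u.path or "/", self.clock()
        self.cookies = [c for c in self.cookies if c["expires"] is None or c["expires"] > now]
        matching = []
        for c in self.cookies:
            if c["host_only"] and host != c["domain"]:
                continue
            if not c["host_only"] and not domain_match(host, c["domain"]):
                continue
            if not path_match(path, c["path"]):
                continue
            if c["secure"] and u.scheme != "https":
                continue
            if from_script and c["http_only"]:
                continue
            matching.append(c)
        matching.sort(key=lambda c: -len(c["path"]))   # longer paths first, as browsers do
        return "; ".join(f"{c['name']}={c['value']}" for c in matching) or None
```

The scope comparison in section 1.3 ("greater than or equal to the location of the resource") is exactly domain_match plus path_match here; a Domain cookie set from www.biaodianfu.com reaches api.biaodianfu.com, a host-only cookie does not, and a Path of /app never reaches /other.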

3.4 Load on the server

Sessions live on the server, and every active user produces one. Under very high concurrency that means a large number of sessions and correspondingly high memory use, so sites with very high traffic such as Google, Baidu or Sina are unlikely to track each user with session state held on individual web servers. They either move the session store to a shared cache or keep the state on the client in a cookie (signed or encrypted so it cannot be forged), which costs the server nothing per user at the price of a little extra bandwidth on every request.

3.5 Kinds of data that can be stored

A cookie can hold only an ASCII string, and not even every ASCII character: separators such as ';' and ',' and whitespace must be avoided or encoded. Unicode text or binary data must therefore be encoded first (percent-encoding or base64 are the usual choices). A Java object cannot be placed in a cookie directly; it would have to be serialized and then encoded, so cookies are awkward for anything beyond a few small values.

A session can hold data of any type, including but not limited to String, Integer, List and Map, and in Java it can hold Java beans or any other Java object directly, which is very convenient. The session can be thought of as a Java container: a map from attribute names to objects. The one caveat is that if the session store serializes these objects to disk or to a shared cache, the classes must be serializable and only the server should be able to write to that store.

3.6 Limits on cookie size

A single cookie cannot hold more than about 4 KB (RFC 6265 requires browsers to accept at least 4096 bytes per cookie, counting name, value and attributes), and browsers cap the number of cookies per site; older browsers allowed as few as 20, and RFC 6265 requires at least 50 per domain. Since every matching cookie is sent on every request, large or numerous cookies also add overhead to each request.

That is all the content of this simple introduction to sessions and cookies that I wanted to share with everyone. I hope it gives you a useful reference, and I hope you will continue to support the Cloud Habitat community.
