The difference and connection between a cookie and a session

Source: Internet
Author: User

A. Cookie mechanism

While you browse a website, the web server sends a small piece of information to your computer; this cookie records the text you enter and the choices you make on the site. The next time you visit the same website, the web server first checks whether the cookie it left last time is present and, if so, uses the cookie's contents to identify you and send you content specific to you. Cookies are widely used: many websites that provide personalized services rely on them to identify users and deliver user-specific content, for example free web-mail services.

Specifically, the cookie mechanism keeps state on the client. It is a client-side storage mechanism for session state, and it requires the user to have cookie support enabled in the browser. Cookies exist to work around the fact that the HTTP protocol is stateless.

The standard way of handing out cookies is an extension of the HTTP protocol: the server adds a special line to the HTTP response header that prompts the browser to create the corresponding cookie. Purely client-side scripts such as JavaScript or VBScript can also create cookies. The browser then sends cookies back to the server automatically, following fixed rules: before each request it checks all stored cookies and, if a cookie's declared scope is equal to or broader than the location of the resource being requested, it attaches that cookie to the request in the HTTP request header.

The main contents of a cookie are: name, value, expiration time, path and domain.

The cookie's domain and path attributes identify which website the browser sends the cookie to, and its expires attribute sets how long the cookie is valid; once that time has passed the data is deleted automatically. If no expiration time is set, the cookie's lifetime is the browser session, and it disappears when the browser window is closed. A cookie whose lifetime is the browsing session is called a session cookie. Session cookies are generally kept in memory rather than on the hard disk. If an expiration time is set, the browser saves the cookie to the hard disk; after the browser is closed and opened again, these cookies remain valid until the set expiration time passes. Cookies stored on the hard disk can be shared between different browser processes, such as two IE windows. Cookies stored in memory are handled differently by different browsers.

When the user logs in, the server generates a session_id and places it in a cookie; the browser keeps this session_id in memory, so it disappears when the browser is closed.
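As an added example (not code from the original article), the following Python model applies the cookie rules described in this section: it parses a Set-Cookie response header into name, value, domain, path and expires, decides whether a stored cookie's scope covers a requested URL, and drops session cookies (those without an expiry) when the browser closes. The names Cookie, parse_set_cookie, should_send and on_browser_close and the sample cookies are constructed for this illustration.

```python
# Added example, not code from the original article: a small model of the
# browser-side cookie rules described above (name, value, expires, path,
# domain, and the session-cookie lifetime). Function and sample names are
# invented for the illustration.
import email.utils
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    path: str
    expires: Optional[datetime]  # None means a session cookie kept only in memory


def parse_set_cookie(header: str, request_url: str) -> Cookie:
    """Parse one Set-Cookie header value sent by the server.

    When the server omits Domain or Path, browsers default them to the
    requesting host and to the request path minus its last segment."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    url = urlsplit(request_url)
    domain = (attrs.get("domain") or url.hostname or "").lstrip(".").lower()
    path = attrs.get("path") or url.path.rsplit("/", 1)[0] or "/"
    expires = None
    if attrs.get("expires"):
        expires = email.utils.parsedate_to_datetime(attrs["expires"])
    return Cookie(name.strip(), value.strip(), domain, path, expires)


def should_send(cookie: Cookie, request_url: str, now: datetime) -> bool:
    """True when the cookie's declared scope (domain + path) is equal to or
    broader than the requested resource's location and it has not expired."""
    url = urlsplit(request_url)
    host = (url.hostname or "").lower()
    domain_ok = host == cookie.domain or host.endswith("." + cookie.domain)
    req_path = url.path or "/"
    path_ok = (
        req_path == cookie.path
        or (req_path.startswith(cookie.path)
            and (cookie.path.endswith("/") or req_path[len(cookie.path)] == "/"))
    )
    expired = cookie.expires is not None and cookie.expires <= now
    return domain_ok and path_ok and not expired


def on_browser_close(jar: List[Cookie]) -> List[Cookie]:
    """Session cookies (no expiry) live in memory and vanish when the browser
    closes; cookies with an expiry were written to disk and survive."""
    return [c for c in jar if c.expires is not None]


# Constructed sample data for the demonstration below.
EXAMPLE_NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)
EXAMPLE_LATER = datetime(2027, 1, 1, tzinfo=timezone.utc)
SESSION_HEADER = "JSESSIONID=abc123; Path=/app"
PERSISTENT_HEADER = ("lang=en; Domain=example.com; Path=/; "
                     "Expires=Wed, 21 Oct 2026 07:28:00 GMT")

if __name__ == "__main__":
    jar = [
        parse_set_cookie(SESSION_HEADER, "https://shop.example.com/app/login"),
        parse_set_cookie(PERSISTENT_HEADER, "https://shop.example.com/"),
    ]
    for target in ("https://shop.example.com/app/cart",
                   "https://shop.example.com/other",
                   "https://other.example.com/app/cart"):
        sent = [c.name for c in jar if should_send(c, target, EXAMPLE_NOW)]
        print(f"{target}: sends {sent}")
    print("after browser close:", [c.name for c in on_browser_close(jar)])
```

The path check deliberately treats `/app` as covering `/app/cart` but not `/apple`, which is the scope comparison the paragraph above describes; the persistent cookie is the one that survives a browser restart.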

B. Session mechanism

The session mechanism is a server-side mechanism that holds information in a hash-table-like structure (possibly an actual hash table).

The session mechanism may itself rely on the cookie mechanism to preserve identity, because a scheme that keeps state on the server still needs to keep an identifier on the client. A session offers a convenient way to manage global variables: there is one session per user, the variable values are held on the server, and a session ID distinguishes which user a set of session variables belongs to. The user's browser sends this ID back to the server with each request, and when a client has disabled cookies the ID can instead be passed back to the server as a GET parameter.

When a program needs to create a session for a client's request, the server first checks whether the request already carries a session identifier (the session ID). If it does, a session was created for this client earlier, and the server uses the session ID to look it up (creating a new one if the lookup fails). If the request carries no session ID, the server creates a session for this client and generates a session ID associated with it; the session ID should be a string that is neither repeated nor easy to guess, and it is returned to the client in the response so the client can save it. The session ID is usually saved in a cookie, so the browser sends it back to the server automatically during the interaction; the cookie is typically named something like JSESSIONID. A cookie can, however, be disabled by the user, so there must be other mechanisms that still pass the session ID back to the server when cookies are disabled.

A commonly used technique is URL rewriting, which appends the session ID directly to the URL path. Another technique is the form hidden field:

the server automatically modifies the form, adding a hidden field so that the session ID is passed back to the server when the form is submitted.

<form name="testform" action="/xxx">
  <input type="hidden" name="jsessionid" value="byok3vjfd75apnrf7c2hmdnv6qzcebzwowibyenlerjq99zwpbng!-145788764">
  <input type="text">
</form>

In fact, this technique can be replaced simply by applying URL rewriting to the form's action.
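As an added example (not code from the original article or from any particular servlet container), the following Python sketch implements the server-side logic this section describes: a hash-table-like session store keyed by an unguessable session ID, a look-up-or-create step on each request, and three ways of carrying the ID back from the client (the cookie, a rewritten URL path, and a hidden form field). SessionStore, handle_request, extract_session_id, rewrite_url, form_with_hidden_field and the sample URLs are invented for this illustration; the cookie name JSESSIONID is taken from the form above.

```python
# Added example, not code from the original article: a minimal server-side
# session store showing the look-up-or-create logic described above, with
# the session ID carried in a cookie or, for clients that refuse cookies, in
# the URL (URL rewriting) or a hidden form field. SessionStore,
# handle_request and the other names here are invented for the illustration.
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit, urlunsplit

SESSION_COOKIE = "JSESSIONID"   # cookie name used in the article's form example


class SessionStore:
    """Hash-table-like structure on the server, keyed by session ID."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Dict[str, str]] = {}

    @staticmethod
    def new_id() -> str:
        # Neither repeated nor guessable: 32 bytes from the OS random source.
        return secrets.token_urlsafe(32)

    def get_or_create(self, session_id: Optional[str]) -> Tuple[str, Dict[str, str], bool]:
        """Return (session ID, session data, created).

        An ID the server never issued is not adopted: the server always mints
        its own, so a client cannot choose or forge its session key."""
        if session_id is not None and session_id in self._sessions:
            return session_id, self._sessions[session_id], False
        sid = self.new_id()
        self._sessions[sid] = {}
        return sid, self._sessions[sid], True


def extract_session_id(cookie_header: str, url: str) -> Optional[str]:
    """Find the session ID in the Cookie header first, then in a rewritten
    URL (/path;jsessionid=ID) or a query/hidden-field parameter."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == SESSION_COOKIE and value:
            return value
    parts = urlsplit(url)
    if ";" in parts.path:
        _, _, param = parts.path.partition(";")
        key, _, value = param.partition("=")
        if key.lower() == SESSION_COOKIE.lower() and value:
            return value
    values = parse_qs(parts.query).get(SESSION_COOKIE.lower())
    return values[0] if values else None


def rewrite_url(url: str, session_id: str) -> str:
    """URL rewriting: append the session ID to the URL path."""
    parts = urlsplit(url)
    path = parts.path.split(";")[0] + ";jsessionid=" + session_id
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, parts.fragment))


def form_with_hidden_field(action: str, session_id: str) -> str:
    """Form hidden field: the server injects the ID so it returns on submit."""
    return (f'<form name="testform" action="{action}">'
            f'<input type="hidden" name="jsessionid" value="{session_id}">'
            f'<input type="text" name="q"></form>')


def handle_request(store: SessionStore, cookie_header: str, url: str,
                   cookies_enabled: bool = True) -> Dict[str, str]:
    """Simulate one request: look up or create the session, count visits,
    and return what the server would send back to carry the ID."""
    sid, data, created = store.get_or_create(extract_session_id(cookie_header, url))
    data["visits"] = str(int(data.get("visits", "0")) + 1)
    response = {"visits": data["visits"], "session_id": sid}
    if cookies_enabled:
        # HttpOnly keeps page scripts from reading the ID; only set on creation.
        response["set_cookie"] = (f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly"
                                  if created else "")
    else:
        response["next_link"] = rewrite_url(url, sid)
    return response


if __name__ == "__main__":
    store = SessionStore()
    first = handle_request(store, "", "https://app.example.com/index")
    print("new session:", first["set_cookie"])
    again = handle_request(store, first["set_cookie"].split(";")[0],
                           "https://app.example.com/index")
    print("visits on second request:", again["visits"])
    no_cookie = handle_request(store, "", "https://app.example.com/shop?item=3",
                               cookies_enabled=False)
    print("rewritten link:", no_cookie["next_link"])
```

The important design point is in get_or_create: a session ID that the server did not issue is simply ignored and a fresh one is minted, which is why the per-user data (login state, visit count) can only be reached through an ID the server handed out.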

C. The difference between a cookie and a session

1. Cookie data is stored in the client's browser; session data is stored on the server.

2. Cookies are not very secure: someone else can read the cookies stored locally and use them for cookie spoofing. Where security matters, the session should be used.

3. A session is kept on the server for a certain period of time. As the number of visits grows, this consumes server resources and reduces server performance; to ease the load on the server, cookies should be used.

4. A single cookie cannot hold more than 4K of data, and many browsers limit a site to at most 20 cookies.

5. So, personal advice: keep login information and other important information in the session; other information that needs to be retained can be placed in a cookie.

Put simply, the session is a room that stores the information about the logged-in user. The room has a key, called the SessionID. The most common and simplest way to hand this key to the client is a cookie. When cookies are disabled, there are other ways to give the client the key, such as rewriting the URL.
