First, the definitions
Cookies:
A cookie is a piece of identifying information that allows the Web server to recognize the current user. When the user first accesses the Web site, the Web server knows nothing about the user, and the server expects to be able to recognize the user when he returns. The main contents of a cookie are: name, value, expiration time, path and domain. The path together with the domain constitutes the scope of the cookie. If no expiration time is set, the cookie lives only for the duration of the browser session and is discarded when the browser is closed. A cookie with the lifetime of the browser session is referred to as a session cookie (temporary cookie). Session cookies are generally not stored on the hard disk but are kept in memory, although this behavior is not standardized. If an expiration time is set, the browser saves the cookie to the hard disk, and it survives closing and reopening the browser until the expiration time passes (persistent cookie). Cookies stored on the hard disk can be shared between different browser processes, such as two IE windows. For cookies stored in memory, different browsers have different ways of handling them.
Session:
The session mechanism is a server-side mechanism that uses a hash-like structure (or perhaps a hash table) to hold information. When a program needs to create a session for a client's request, the server first checks whether the client's request contains a session identifier (called the session ID). If it does, a session has previously been created for this client, and the server uses the session ID to retrieve it (if it cannot be retrieved, a new one is created). If the client request does not include a session ID, the server creates a session for this client and generates a session ID associated with it. The value of the session ID should be a string that is neither duplicated nor easy to guess, and the session ID is returned to the client in the response so that the client can save it. The session ID can be saved in a cookie so that the browser automatically sends it back to the server on each subsequent request. Generally the name of this cookie is similar to SESSIONID. However, cookies can be deliberately disabled, so there must be other mechanisms that can still pass the session ID back to the server when cookies are disabled.
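The lookup-or-create flow described above, as an added example that is not part of the original post: a minimal server-side session store that reads the session ID from the request's Cookie header, accepts it only if the server itself issued it and it has not expired, otherwise mints a fresh unguessable ID, and emits the Set-Cookie header with HttpOnly/Secure flags. The cookie name `SESSIONID`, the 30-minute lifetime and the injectable clock are assumptions for the example.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_COOKIE = "SESSIONID"   # assumed cookie name, as in the text
SESSION_TTL = 1800             # assumed idle lifetime in seconds


class SessionStore:
    """In-memory hash table of session ID -> {data, expires}."""

    def __init__(self, ttl=SESSION_TTL, clock=time.time):
        self._sessions = {}
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be exercised offline

    def _new_id(self):
        # CSPRNG-backed: neither duplicated nor easy to guess
        return secrets.token_urlsafe(32)

    def get_or_create(self, cookie_header):
        """Return (session_id, data, is_new) for an incoming request."""
        jar = SimpleCookie()
        if cookie_header:
            jar.load(cookie_header)
        morsel = jar.get(SESSION_COOKIE)
        now = self._clock()
        if morsel is not None:
            entry = self._sessions.get(morsel.value)
            if entry and entry["expires"] > now:
                entry["expires"] = now + self._ttl  # sliding expiry
                return morsel.value, entry["data"], False
            # Unknown or expired ID: never adopt a client-supplied value,
            # so a forged SESSIONID cannot attach to someone else's data.
        sid = self._new_id()
        self._sessions[sid] = {"data": {}, "expires": now + self._ttl}
        return sid, self._sessions[sid]["data"], True

    def set_cookie_header(self, sid):
        """Value for the Set-Cookie response header carrying the ID."""
        jar = SimpleCookie()
        jar[SESSION_COOKIE] = sid
        m = jar[SESSION_COOKIE]
        m["httponly"] = True   # not readable by page scripts
        m["secure"] = True     # only sent over HTTPS
        m["samesite"] = "Lax"
        m["path"] = "/"
        return jar.output(header="").strip()
```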
Second, the differences
Cookie data is stored in the client's browser, while session data is kept on the server.
Cookies are not very secure: someone else can obtain the cookies stored locally, analyze them and carry out cookie spoofing.
For security, therefore, important information such as login state should be stored in the session; other information that needs to be kept can be placed in a cookie.
A cookie remains valid until its expiration time is reached, even if the window or browser is closed. A session is kept on the server for a certain amount of time. As the number of visitors increases, sessions consume server resources; to reduce the load on the server, you should use cookies.
The existence of a cookie also affects caching, and generally a single cookie cannot hold more than 4K of data.
Cookie data is always carried in same-origin HTTP requests, that is, the cookie is passed back and forth between the browser and the server. Cookies are shared across all same-origin windows.
The difference between a cookie and a session