The difference between a cookie and a session

Source: Internet
Author: User

1. A cookie is a small text record that the server hands to the client's browser. The browser stores it (in memory, or on the client's hard disk if it carries an expiry date) and sends it back on later requests, so it can be used to persist data across visits to a Web site.

2. A session, strictly speaking, is the period from a visitor's arrival at a site until the visitor leaves it. In practice a server-side session is built on a cookie: on the user's first request the server creates a session record and sets a cookie in the browser that carries nothing but the session identifier. That cookie is normally issued without an expiry date, so the browser discards it when it is closed; this is what "the cookie expires when the session ends" means.
Note: In classic ASP this cookie is named ASPSESSIONID followed by a random suffix; other platforms use their own names (PHPSESSID, JSESSIONID, ASP.NET_SessionId). Its only purpose is to give each user a distinct identity; it holds no user data itself.


3. What cookies and sessions have in common: both are used to track a user's identity across the requests a browser makes.


4. The difference between a cookie and a session: cookie data is stored on the client, session data is stored on the server.
Simply put, when you log in to a website,

    • If the Web server uses a session, all the data lives on the server. On each request the client sends only the current SessionID; the server uses it to look up that user's data and to decide whether the user is logged in or holds a given permission. Because the data never leaves the server, the client cannot forge it. But anyone who obtains the SessionID of a logged-in user can replay it from their own browser (or any HTTP client) and be treated as that user; this is session hijacking. Session IDs are assigned when the client first connects and must come from a cryptographically secure random generator with enough entropy that two clients are never issued the same value and an attacker cannot guess a valid one, even under a large number of concurrent requests; an ID derived from a timestamp or a counter fails both requirements. The server should also replace the ID with a fresh one at login, so that an ID planted in the victim's browser beforehand (session fixation) is not promoted to an authenticated one.

    • If the state is kept in cookies instead, all the data lives on the browser side. For example, at login the server sets a cookie holding the user name; on every later request the browser sends that cookie back, and the server reads the specially tagged variables out of it. A cookie without an expiry date stays valid for as long as the browser is open, so the user stays logged in for the whole browser session. Anyone who can intercept a user's cookie and replay it in a forged request is accepted by the server as that user, so cookie-held state is the easier of the two to attack: the values can be edited as well as replayed, unless the server signs them. If the cookie is given an expiry time, the browser writes it to the client's hard disk; on the next visit the browser first checks whether it has a cookie for the site, reads it, and sends it along with the request. So if a forum cookie valid for one year is saved on your machine and someone breaks into that machine, copies the cookie and drops it into their own browser's cookie directory, they log in under your identity. A cookie can therefore be forged. It takes some care, though: simply copying the cookie file into the cookie directory is not enough, because the browser (Internet Explorer, whose cookie index is the index.dat file) records when each cookie file was created and whether it has been modified, so the attacker must first obtain the site's cookie file and then fool the browser about its timestamps.
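The two designs in the bullets above, as an added example that is not code from the original article: a server-side session store keyed by a CSPRNG-generated ID (with idle expiry and ID regeneration at login), next to the forgeable "user name in a cookie" scheme and an HMAC-signed variant of it. The class and function names, the 30-minute idle timeout and the in-memory dictionary are assumptions made for the illustration; a real deployment would keep the store in a database or cache and the signing key in configuration.

```python
import hashlib
import hmac
import secrets
import time

SESSION_ID_BYTES = 32        # 256 bits from the OS CSPRNG: unguessable, no collisions in practice
SESSION_IDLE_SECONDS = 1800  # assumed server-side idle timeout, independent of the cookie's lifetime


class SessionStore:
    """Server-side session store. The browser only ever holds the opaque id;
    the data itself never leaves the server, so the client cannot tamper with it."""

    def __init__(self):
        self._sessions = {}  # sid -> {"data": {...}, "last_seen": timestamp}

    def create(self, data, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)  # never a counter or a timestamp
        self._sessions[sid] = {"data": dict(data), "last_seen": now}
        return sid

    def lookup(self, sid, now=None):
        """Return the session data for sid, or None if it is unknown or idle too long.
        Note the hijacking property: any client presenting a valid sid gets the data."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if now - entry["last_seen"] > SESSION_IDLE_SECONDS:
            del self._sessions[sid]  # expired on the server, whatever the cookie says
            return None
        entry["last_seen"] = now
        return entry["data"]

    def regenerate(self, old_sid, now=None):
        """Swap the id for a fresh one at login, so a pre-login id an attacker planted
        in the victim's browser (session fixation) is not upgraded to an authenticated one."""
        entry = self._sessions.pop(old_sid, None)
        if entry is None:
            return None
        return self.create(entry["data"], now)

    def destroy(self, sid):
        self._sessions.pop(sid, None)


# Cookie-held state, variant 1: the server trusts "user=<name>" verbatim.
def plain_cookie_user(cookie_value):
    """Forgeable: an attacker sets user=admin and the server believes it."""
    if cookie_value.startswith("user="):
        return cookie_value[len("user="):]
    return None


# Cookie-held state, variant 2: the value is authenticated with an HMAC under a server key.
SERVER_KEY = secrets.token_bytes(32)  # assumed per-deployment secret, never sent to the client


def sign_cookie(name, key=SERVER_KEY):
    tag = hmac.new(key, name.encode(), hashlib.sha256).hexdigest()
    return f"{name}|{tag}"


def verify_cookie(value, key=SERVER_KEY):
    """Return the user name if the tag is valid, else None. Editing the name breaks the
    tag; a stolen cookie still replays, which is why it also needs TLS, Secure and HttpOnly."""
    name, sep, tag = value.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(key, name.encode(), hashlib.sha256).hexdigest()
    return name if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create({"user": "alice"})
    print("server-side:", store.lookup(sid), store.lookup("guessed-id"))
    print("forged plain cookie:", plain_cookie_user("user=admin"))
    signed = sign_cookie("alice")
    print("signed cookie:", verify_cookie(signed), verify_cookie(signed.replace("alice", "admin")))
```

Signing only stops the client from editing what the cookie says; it does nothing against replay of a copied cookie, which is exactly the attack the bullets describe. For either design the ID or signed value must therefore travel only over TLS and be marked Secure and HttpOnly, and the server-side store has the extra advantage that it can be invalidated at once (`destroy`) when a theft is suspected.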

5. Both can hold private data and both have a lifetime. The difference is that the session lives on the server, so its expiry is governed by the server's session timeout setting, while the cookie lives on the client and its lifetime is fixed when the cookie is issued (through its Expires or Max-Age attribute).

(1) Cookie data is stored in the client's browser; session data is stored on the server.
(2) Cookies are not very safe: other people can inspect the cookies stored locally and spoof them, so if security is the main concern, use the session.
(3) Session data is kept on the server for a certain period, so as traffic grows it consumes server resources; if relieving server load is the main concern, use cookies.
(4) A single cookie is limited on the client to 4 KB (RFC 6265 requires browsers to accept at least 4096 bytes per cookie), so a site cannot store more than that in one cookie.
(5) Therefore: keep login state and other important information in the session; other information that needs to be retained can go in a cookie.
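The cookie lifetime, security and size points in items 5 and (2) to (4), as an added example that is not part of the original article: a builder for the Set-Cookie header that enforces the 4096-byte limit and emits the Secure, HttpOnly and SameSite attributes by default, next to an auditor that flags the weak settings (no Secure, no HttpOnly, no SameSite, a session identifier with a Max-Age that puts it on disk). The sample headers are constructed for the illustration, and the function names are assumptions.

```python
MAX_COOKIE_BYTES = 4096  # RFC 6265: a browser must accept at least 4096 bytes per cookie


def build_set_cookie(name, value, *, max_age=None, path="/", secure=True,
                     http_only=True, same_site="Lax"):
    """Build a Set-Cookie header value. Omitting max_age yields a session cookie that the
    browser keeps in memory and discards on exit; a Max-Age makes it persistent on disk."""
    if not name or any(c in name for c in "()<>@,;:\\\"/[]?={} \t"):
        raise ValueError("invalid cookie name")
    if any(c in value for c in ";,\\\" \t"):
        raise ValueError("invalid characters in cookie value")
    if len(f"{name}={value}".encode()) > MAX_COOKIE_BYTES:
        raise ValueError("cookie exceeds the 4096-byte size browsers guarantee")
    parts = [f"{name}={value}", f"Path={path}"]
    if max_age is not None:
        parts.append(f"Max-Age={int(max_age)}")
    if secure:
        parts.append("Secure")       # only sent over HTTPS
    if http_only:
        parts.append("HttpOnly")     # invisible to document.cookie
    if same_site:
        parts.append(f"SameSite={same_site}")  # not attached to cross-site requests
    return "; ".join(parts)


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value or True})."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name, value, attrs


def audit_set_cookie(header, session_cookie=True):
    """Return the weaknesses found in a Set-Cookie header. session_cookie=True means the
    cookie carries a session id or login state and so should not be written to disk."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: the cookie is also sent over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by any script injected into the page")
    same_site = attrs.get("samesite")
    if same_site is None or same_site is True or str(same_site).lower() == "none":
        findings.append("SameSite absent or None: attached to cross-site requests (CSRF)")
    if session_cookie and ("max-age" in attrs or "expires" in attrs):
        findings.append("persistent session cookie: survives on disk after the browser closes")
    return findings


if __name__ == "__main__":
    # Constructed sample: a one-year session id cookie of the kind the article warns about.
    weak = "ASPSESSIONID=ABCDEFGH; Path=/; Max-Age=31536000"
    for finding in audit_set_cookie(weak):
        print("weak:", finding)
    print("hardened:", build_set_cookie("sid", "ABCDEFGH"))
    # A preference cookie may legitimately be persistent and script-readable.
    print("preference:", build_set_cookie("theme", "dark", max_age=86400, http_only=False))
```

Run the auditor over Set-Cookie headers captured from a real response to see which of the article's warnings apply; the persistent-cookie finding is the one-year forum cookie of item 4, and the missing-Secure finding is the interception case.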
