Most browsers now support cookies and sessions. Each time a user enters a login name and password, or performs certain operations, a cookie prompt appears, so it is worth looking at what the two do and how they differ. Working out sessions and cookies from the available reading was a real headache.
In a program, session tracking is very important. In theory, all requests from one customer belong to the same session, and a different customer's requests belong to a different session; the two are kept separate and are never confused. For example, take a piece of software I use regularly. If a person has been to a restaurant, the city and the workplace, those places belong on that person's route no matter when they went; it is that person's route and cannot be attributed to anyone else. But the web uses the HTTP protocol to transfer data. HTTP is a stateless protocol: once a data exchange is complete, the client-server connection is closed, and exchanging data again requires a new connection, which means the server cannot track the session from the connection. If a person finishes recording an exercise route and its data and there is no session tracking, a few days later nobody can tell whose record it is. Hence the need for a mechanism to track the session.
Sessions and cookies are simple in that both are just a configuration item of the HTTP protocol, implemented by extending the HTTP protocol, with only a corresponding class in the servlet specification. Both are intended to maintain the state of the user's interaction with the backend server. Each has its own merits and shortcomings, but ironically their merits and the scenarios they are used in are in conflict.
They are complex mainly in the following two respects:
First, when our system is large enough that we need to use a lot of cookies, we have to consider the limits on the number and size of cookies, which is a bottleneck that needs to be addressed.
For example, when cookies are used to carry information, the bandwidth consumed grows as the cookies grow and as the amount of traffic increases. The number of cookies is now generally limited to 20, with a total size of less than 4KB. Different browsers have different rules.
Second, when our application system runs on a very large number of servers, how do we solve the problem of sharing sessions across multiple servers?
(1). Writing client-side cookies (the user's login information is written to the client).
(2). Synchronizing session data between servers (the user's login information is written to server A, and a daemon then syncs it to the other servers). Disadvantage: it is slow, and with one-way synchronization, if server A fails, the working state of the other servers is affected too.
(3). Sharing session data over NFS, which is similar to the MySQL approach except that the data is stored differently. Basically, a public NFS server (network file server) acts as the shared server. Disadvantage: the dependency is too strong; if the NFS server goes down unexpectedly, the work of the other servers is affected.
(4). Sharing session data through a MySQL database (the dependency is too strong; problems with the database affect the other servers).
(5). Using hardware devices (more mature, stable, paid).
Cookies are a technology that allows a web server to store small amounts of data on a client's hard disk or in its memory, or to read that data back from the client's hard disk. When you browse a website, the web server places a very small text file on your hard disk. It can record your ID, password, the pages you viewed and the time spent on each page, mainly to improve access speed and efficiency for the user.
This relies on locality: a person's life, store of knowledge and habits of behaviour stay within a limited range, much like the locality of program access (the reason caches exist) and of memory pools (the locality of physical memory access). None of these jump around or change much, so if user-related data is accessed frequently within a very short period, it can be cached, which greatly improves the performance of data access. This is the role of cookies: every request from the same client carries the information the server set on the first visit, so the server can tell users apart by the value of the cookie.
It is like shopping at a supermarket: on your first visit you get a shopping card that stores some of your personal information, and the next time you come to a store of that chain, the supermarket recognizes your card and you can shop straight away.
Sometimes we choose to remember the password when logging in; the next time, we no longer need to enter the ID and password and can log in directly. Of course, most cookies are encrypted, so when I open one it is just some symbols, numbers and letters. A cookie is stored in the form of name/value pairs, and a name/value pair is just a named piece of data. A website can only read the cookies that it placed on our computer and cannot read the information in other cookie files. A cookie is a data file, not a program. The use of cookies is very common, and many websites that provide personalized services use cookies to identify users and tailor content to them, such as free web-based email sites. Session tracking is a common technique in web programs for keeping track of a user's entire session. A cookie determines the user's identity by recording information on the client, and a session determines the user's identity by recording information on the server side.
Cookie mechanism. Since HTTP is a stateless protocol, how does the server know the identity of a client on the network? It issues each client a pass, so that when every client visits carrying its pass and its own information, the server can confirm the client's identity. Standard cookie distribution is implemented by extending the HTTP protocol: the server prompts the browser to generate the corresponding cookie text file by adding a special line of instructions to the HTTP response header. Pure client-side scripts such as JavaScript and VBScript can also generate cookies. The browser uses cookies by sending them to the server automatically in the background according to certain rules. The browser checks all of its stored cookies, and if a cookie declares a scope greater than or equal to the location of the resource being requested, the cookie is attached to the HTTP request header of the request for that resource and sent to the server. Each cookie text file can set an expiration time. If none is set, the life cycle of the cookie is the browser session: when the browser is closed, the cookie disappears. Such session cookies are generally kept in memory rather than saved on the hard disk. If an expiration time is set, the browser stores the cookie on the hard disk, and after the browser is closed and opened again the cookie remains valid until the set time has passed (after which you enter the login name and password again).
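The browser-side rules described above, as an added example that is not part of the original post: it parses `Set-Cookie` values, distinguishes session cookies from persistent ones, and decides which cookies accompany a request. The sample headers, cookie values and timestamps are constructed, and only path scope is modelled (domain matching is left out).

```python
from http.cookies import SimpleCookie

def parse_set_cookie(header_value, now):
    """Turn one Set-Cookie header value into the record a browser would keep."""
    jar = SimpleCookie()
    jar.load(header_value)
    name, morsel = next(iter(jar.items()))
    max_age = morsel["max-age"]
    return {
        "name": name,
        "value": morsel.value,
        "path": morsel["path"] or "/",   # scope the cookie declares
        # No expiration time means a session cookie: it lives only in memory.
        "expires_at": now + int(max_age) if max_age else None,
    }

def path_matches(cookie_path, request_path):
    """Path-match rule (RFC 6265, 5.1.4): the cookie scope must cover the resource."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cookie_header(store, request_path, now, browser_restarted=False):
    """Build the Cookie request header the browser attaches automatically."""
    sent = []
    for c in store:
        if c["expires_at"] is None and browser_restarted:
            continue                      # session cookie died with the browser
        if c["expires_at"] is not None and now >= c["expires_at"]:
            continue                      # persistent cookie past its lifetime
        if path_matches(c["path"], request_path):
            sent.append(f'{c["name"]}={c["value"]}')
    return "; ".join(sent)

# Constructed sample headers, as a server might send them at time t=1000.
STORE = [
    parse_set_cookie("JSESSIONID=abc123; Path=/app", now=1000),
    parse_set_cookie("theme=dark; Path=/; Max-Age=3600", now=1000),
]

if __name__ == "__main__":
    print(cookie_header(STORE, "/app/cart", now=1000))
    print(cookie_header(STORE, "/application", now=1000))
    print(cookie_header(STORE, "/app/cart", now=2000, browser_restarted=True))
```

Note that `/application` does not receive the `/app` cookie: the scope check compares whole path segments, not string prefixes.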
Cookies, as introduced above, allow the server to track each client's access, but the client sends this cookie data back on every request. If there are many cookies, this brings back the first problem: it increases the amount of data transferred between the client and the server. The session appeared to solve this problem. When the same client interacts with the server, it does not need to pass back all the cookie values each time; it returns only an ID, which is generated when the client first accesses the server and is unique to each client. The server can use this ID to look up the customer's information in its own records. This ID is usually a cookie named JSESSIONID, so the session works on top of cookies.
Note: on Windows 7, cookies are stored in `C:\Users\username\appdata\roaming\microsoft\windows\cookies`, where "username" is replaced with the user name you logged into the computer with. The cookies folder is generally hidden, so the corresponding folder property has to be set before it can be seen. If you open one of these TXT files, you will find only symbols and letters, because the program encrypts the cookie file, which is necessary. This is in fact also a disadvantage of cookies: there is a security risk.
Session mechanism: a session is a server-side mechanism. The server uses a hash-table-like structure (or something similar) to store information, which correspondingly increases the storage pressure on the server. When the client browser accesses the server, the server records the client's information on the server in some form; this record is the session, and on later visits the server only needs to look the client up in the session. If the cookie mechanism determines a customer's identity by checking the "pass" held by the client, the session mechanism verifies identity by checking the client details kept on the server side. A session is the equivalent of a client file that the program creates on the server (when we register). When a program needs to create a session for a client's request, the server first checks whether the request contains a session identifier (session ID). If it does, a session has already been created for that customer, and the server uses the session ID to retrieve and use that session. If no session can be retrieved, the server creates a new session and generates a session ID associated with it. The session ID should be a string that never repeats and whose pattern is not easy to discover or imitate. The session ID is returned to the client in this response to be saved. It is saved in a cookie, so that the browser can automatically send the identifier to the server during later interactions. The cookie is generally given a name resembling the session ID. However, cookies can be disabled by the user, so another mechanism must be available to pass the session ID to the server when cookies are disabled.
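One way to implement the server-side lookup described above, as an added example that is not part of the original post. The `SessionStore` class, the 1800-second idle timeout and the `HttpOnly` attribute on the issued cookie are assumptions made for this sketch; the cookie name `JSESSIONID` comes from the text.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_COOKIE = "JSESSIONID"
IDLE_TIMEOUT = 1800  # seconds a session is kept on the server (assumed value)

class SessionStore:
    """Hypothetical in-memory store: session ID -> per-client record."""

    def __init__(self):
        self._sessions = {}  # the hash-like structure held on the server

    def resolve(self, cookie_header, now=None):
        """Return (session_id, data, set_cookie) for one incoming request.

        set_cookie is None when the request carried a valid session ID,
        otherwise the Set-Cookie value to put in the response.
        """
        now = time.time() if now is None else now
        jar = SimpleCookie()
        jar.load(cookie_header or "")
        morsel = jar.get(SESSION_COOKIE)
        sid = morsel.value if morsel else None

        record = self._sessions.get(sid)
        if record and now - record["last_seen"] <= IDLE_TIMEOUT:
            record["last_seen"] = now
            return sid, record["data"], None

        # Unknown or expired ID: never adopt the value the client sent.
        # Drop any stale record and issue a fresh, unpredictable ID.
        self._sessions.pop(sid, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"last_seen": now, "data": {}}
        return sid, self._sessions[sid]["data"], f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly"

if __name__ == "__main__":
    store = SessionStore()
    sid, data, set_cookie = store.resolve(None, now=0)          # first visit
    data["user"] = "alice"                                      # constructed sample value
    print(set_cookie)
    print(store.resolve(f"{SESSION_COOKIE}={sid}", now=60)[1])  # {'user': 'alice'}
```

Because only the ID travels in the cookie, the per-user data never leaves the server, and an ID the server did not issue simply results in a new empty session.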
Summary:
Both the cookie and the session exist to maintain the continuous state of a user's access. The reason for maintaining this state is, on the one hand, to make business logic easier to implement and, on the other, to simplify server-side program design and improve access performance. But it also brings other challenges, such as security issues, the session synchronization problem that comes with distributed deployment, and the synchronization of cross-domain sessions. This chapter briefly analyzes how the cookie and the session work and briefly addresses the two key problems.
Overall differences:
(1) Cookie data is stored in the customer's browser, and session data is stored on the server (but the session's implementation is based on a cookie).
(2) If the number of cookies is too large, the data transfer pressure between the client and the server increases. (So a single cookie cannot hold more than 4K of data, and many browsers limit a site to a maximum of 20 cookies.)
(3) Cookies are not very secure: others can analyze cookies stored locally and carry out cookie spoofing. For security reasons, key login information such as passwords should use the session.
(4) A session is saved on the server for a certain period of time. As the number of accesses increases, sessions take up more of your server's performance; where the goal is to reduce the load on the server, cookies should be used.