The difference between session and cookie, and the life cycle of the session

Source: Internet
Author: User

Difference:

1. Cookie data is stored in the client's browser; session data is stored on the server.
2. Cookies are not very safe: others can analyze the cookies stored locally and carry out cookie spoofing. Where security matters, use a session.
3. A session is kept on the server for a certain period of time. As the number of visits grows, sessions take up more of your server's resources. To reduce the load on the server, consider using cookies.
4. A single cookie on the client is limited to 3K; that is, a cookie that a site stores on the client cannot exceed 3K.

5. I have never heard of a limit of 300 cookies.

As we all know, HTTP is a stateless protocol: every time the client reads a web page, the server opens a new session and does not automatically maintain the client's context. So how is an online store's shopping cart implemented? The session is a mechanism for saving context. It is kept per user, the values of its variables are stored on the server side, and the SessionID distinguishes one client from another. A session is carried either by a cookie or by URL rewriting, and cookies are used by default. The system creates an output cookie called JSESSIONID, which we call the session cookie to distinguish it from persistent cookies, the ones we usually just call cookies. Note that the session cookie is stored in the browser's memory and is not written to the hard disk. That is the JSESSIONID we just saw. We do not normally see the JSESSIONID, but when cookies are disabled in the browser, the web server passes the SessionID by rewriting the URL instead, and we can see a string like sessionid=kwjhug6jjm65hs2k6 in the address bar.

Once the principle is understood, it is easy to distinguish persistent cookies from session cookies, and the discussions online about their security become clear at a glance. A session cookie belongs to one session and disappears when the session ends. A persistent cookie is just a piece of text (usually encrypted) stored on the client's hard disk; it can be compromised by cookie spoofing and by cross-site scripting attacks against cookies, so it is naturally less secure than a session cookie.

Usually a session cookie cannot be used across windows: when you open a new browser window and go to the same page, the system gives you a new SessionID, so the information is not shared. In that case we can first save the SessionID in a persistent cookie and then read it in the new window to obtain the previous window's SessionID. Combining the session cookie with a persistent cookie in this way lets us implement cross-window session tracking.

Some web development books simply present session and cookie as two parallel ways of passing information over HTTP, with session cookies on the server side and persistent cookies on the client. But the session is itself based on cookies. Once we understand the relationship and the difference between the two, it is not hard to choose the right technique when developing a web service.
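The distinction drawn above shows up on the wire as the presence or absence of Expires/Max-Age in the Set-Cookie header. The following added example (not code from the original article) classifies constructed headers as session or persistent cookies and flags settings that expose a session identifier; the function names and the list of session cookie names are assumptions made for illustration.

```python
# Assumed naming convention for cookies that carry a session ID (illustrative only).
SESSION_NAMES = {"jsessionid", "sessionid"}

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs); attribute names lower-cased."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def audit(header):
    """Return (kind, findings) for one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    # Without Expires/Max-Age the cookie lives only in browser memory (session cookie).
    kind = "persistent" if ("expires" in attrs or "max-age" in attrs) else "session"
    findings = []
    if name.lower() in SESSION_NAMES:
        if kind == "persistent":
            findings.append("session ID written to disk as a persistent cookie")
        if "httponly" not in attrs:
            findings.append("missing HttpOnly: readable by injected script")
        if "secure" not in attrs:
            findings.append("missing Secure: sent over plain HTTP")
    return kind, findings

SAMPLES = [  # constructed headers; the ID value is the one quoted in the text
    "JSESSIONID=kwjhug6jjm65hs2k6; Path=/",
    "JSESSIONID=kwjhug6jjm65hs2k6; Path=/; Max-Age=2592000",
    "JSESSIONID=kwjhug6jjm65hs2k6; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
]

if __name__ == "__main__":
    for header in SAMPLES:
        kind, findings = audit(header)
        print(f"{kind:10} {header}")
        for finding in findings:
            print("   -", finding)
```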

Life cycle of Session:

We already know that the session is created when the user first visits the site, so when is the session destroyed? The session uses a sliding timeout to control when it is destroyed. By default, the session timeout (Timeout) is 20 minutes, which means the session is reclaimed after the user has not visited the site for 20 consecutive minutes. If the user visits a page again within 20 minutes, the 20 minutes start counting again. In other words, the timeout measures continuous time without access; the session does not expire 20 minutes after the first visit. You can adjust the timeout by modifying the configuration entry in the Web.config file, as shown in the following code:

<sessionState timeout="30"></sessionState>

Besides setting the session's timeout in Web.config, you can also set it directly in the program, as shown in the following code:

Session.Timeout = 30;

This sets the session's timeout to 30 minutes; once it expires, the program automatically assigns a new SessionID. However, do not place too much trust in the session's Timeout property: if you set it to 24 hours, it is hard to believe that the user's session will still exist 24 hours later. Whether the session still exists depends not only on the Timeout property; the following situations can also cause session loss:

1) The files in the bin directory are overwritten. ASP.NET has a mechanism that, to ensure a DLL is recompiled, restarts the website process, which can cause session loss.
2) The SessionID is missing or invalid. If you store the SessionID in the URL, a redirect that uses an absolute address drops the SessionID from the URL, and the original session fails. If you store the SessionID in a cookie and the client disables cookies, or the number of cookies reaches IE's limit (20 per domain), the session will not work.
3) If you use InProc sessions, restarting IIS loses the sessions. Similarly, if you use StateServer sessions, restarting the server also loses the sessions.

The above are some of the reasons a session may be lost. Sometimes the session also needs to be made invalid immediately. For example, after the user logs out of the system, all the data saved in the session must be invalidated. This is done as shown in the following code:

Session.Abandon();
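The sliding timeout and the immediate invalidation described in this section can be modelled in a few lines. This is an added example, not code from the original article and not ASP.NET's implementation; the SessionStore class, its method names and the use of plain seconds for time are assumptions made for illustration.

```python
import secrets

class SessionStore:
    """In-memory model of server-side sessions with a sliding (idle) timeout."""

    def __init__(self, timeout_minutes=20):       # 20 minutes is the default the text cites
        self.timeout = timeout_minutes * 60
        self._sessions = {}                       # session_id -> (last_access, data)

    def create(self, now):
        sid = secrets.token_urlsafe(32)           # unguessable ID, never a counter
        self._sessions[sid] = (now, {})
        return sid

    def get(self, sid, now):
        """Return the session data, or None if the ID is unknown or idle too long."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        last_access, data = entry
        if now - last_access >= self.timeout:
            del self._sessions[sid]               # expired: destroy the server-side state
            return None
        self._sessions[sid] = (now, data)         # every visit restarts the idle clock
        return data

    def abandon(self, sid):
        """Immediate invalidation, e.g. at logout (the role Session.Abandon() plays)."""
        self._sessions.pop(sid, None)

def demo():
    minute = 60
    store = SessionStore(timeout_minutes=20)
    sid = store.create(now=0)
    store.get(sid, now=0)["cart"] = ["book"]
    alive_at_15 = store.get(sid, 15 * minute) is not None  # visited within 20 minutes
    alive_at_30 = store.get(sid, 30 * minute) is not None  # 30 min old, only 15 min idle
    alive_at_51 = store.get(sid, 51 * minute) is not None  # 21 min idle: reclaimed
    sid2 = store.create(now=0)
    store.abandon(sid2)                                    # logout
    after_logout = store.get(sid2, now=1) is not None
    return alive_at_15, alive_at_30, alive_at_51, after_logout

if __name__ == "__main__":
    print(demo())
```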


