The distinction and understanding of session and Cookie

Source: Internet
Author: User
Tags: date, session id, return, servervariables, window
First, the session.

The debate about sessions never seems to stop, even though the people who understand sessions ought to make up more than 90 percent of those arguing. Don't tell me I'm out of date.

Some people favor using sessions, some do not. But what is the real story? Here is my opinion; if I get something wrong, please don't throw things at me (gold bars and coins excepted).

Some of you know that I write "jianghu" (underground) programs, and what such programs care about is efficiency rather than elegance. I won't talk about design here, though; I want to look at the session from a more practical angle.

First, what a session is. A session is a per-user storage mechanism on the server; on the client side its state is tied to one IE instance and to any window opened from that instance's current window. Why do I say that? Look at how a session begins. When you open IE and browse to a site, IE sends a request; the server answers with a SessionID, and the request's Accept header lists the kinds of data IE is willing to download, such as pictures, sounds and Flash.
Actual data transmitted: IE to server
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: www.jh521.com
Connection: keep-alive
The server returns a SessionID that is not currently in use for IE to use, and IE stores that SessionID.

It also returns the page data, as follows: server to IE
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, Nov 2003 16:41:51 GMT
Content-Length: 21174
Content-Type: text/html
Set-Cookie: ASPSESSIONIDCACBBBRT=IBOMFONAOJFEEBHBPIENJFFC; path=/
Cache-Control: private
Then comes the page's HTML. At this point the IE process (not the client machine as a whole) holds the SessionID IBOMFONAOJFEEBHBPIENJFFC, and whenever IE accesses any ASP program on that site it sends IBOMFONAOJFEEBHBPIENJFFC to the server. The server therefore knows that IBOMFONAOJFEEBHBPIENJFFC represents you, and setting Session("name") = "Name" on the server can be thought of as Session("IBOMFONAOJFEEBHBPIENJFFC")("name") = "Name"
or
Session(SESSIONID)("name") = "Name"
This is how the session keeps different users' data apart.
When the server hands out an ID it checks whether that ID is already in use, so it will never give you a duplicate. It is, however, possible to cheat by impersonating someone else's SessionID. To do that you must capture what the other side's IE transmits, and the trick only works as long as that SessionID has not been abandoned or timed out.
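Here is the exchange above as a small Python model. It is an added example written for this page, not code from the original post or from IIS. It assumes an in-memory dictionary standing in for the server's session store, a cookie name copied from the captured Set-Cookie header, and random 24-character IDs in place of the ones IIS generates; the request headers and cookie values are constructed.

```python
import secrets
from http.cookies import SimpleCookie

# Server-side session store: SessionID -> dict of per-user variables.
# This is the Session(SESSIONID)("name") idea from the text, as a dict.
SESSIONS = {}
COOKIE_NAME = "ASPSESSIONIDCACBBBRT"   # name taken from the page's captured Set-Cookie


def parse_cookie_header(headers):
    """Return the cookies the client sent as a dict (empty if no Cookie header)."""
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    return {k: m.value for k, m in jar.items()}


def handle_request(headers):
    """Simulate the server side of the exchange on the page.

    If the request carries a SessionID that is in use, reuse that session.
    Otherwise mint an unused ID, create an empty session, and tell the
    browser to keep the ID via Set-Cookie (no expiry, so the browser drops
    it when it closes, as the text describes).
    Returns (session_id, response_headers).
    """
    sid = parse_cookie_header(headers).get(COOKIE_NAME)
    if sid in SESSIONS:
        return sid, {}
    while True:
        sid = secrets.token_hex(12).upper()   # 24 hex chars, like the page's ID
        if sid not in SESSIONS:               # the "is this ID already used?" check
            break
    SESSIONS[sid] = {}
    return sid, {"Set-Cookie": f"{COOKIE_NAME}={sid}; path=/"}


def session_get(sid, key):
    return SESSIONS.get(sid, {}).get(key)


def session_set(sid, key, value):
    SESSIONS[sid][key] = value


def abandon(sid):
    """Equivalent of Session.Abandon: the ID stops meaning anything."""
    SESSIONS.pop(sid, None)


def demo():
    # Alice's first visit: no cookie yet, so the server issues an ID.
    alice_sid, resp = handle_request({"Host": "www.jh521.com"})
    assert "Set-Cookie" in resp
    # The login page sets Session("name") for that ID.
    session_set(alice_sid, "name", "alice")
    # Alice's next request replays the cookie; the server finds her state.
    sid, _ = handle_request({"Cookie": f"{COOKIE_NAME}={alice_sid}"})
    seen_by_alice = session_get(sid, "name")
    # An attacker who captured the ID replays it: the server cannot tell them apart.
    sid, _ = handle_request({"Cookie": f"{COOKIE_NAME}={alice_sid}"})
    seen_by_attacker = session_get(sid, "name")
    # Once the session is abandoned the stolen ID is worthless: the server
    # treats it as unknown and issues a fresh, empty session instead.
    abandon(alice_sid)
    sid, resp = handle_request({"Cookie": f"{COOKIE_NAME}={alice_sid}"})
    after_abandon = session_get(sid, "name")
    return seen_by_alice, seen_by_attacker, after_abandon, sid != alice_sid


if __name__ == "__main__":
    print(demo())   # ('alice', 'alice', None, True)
```

The only thing that distinguishes Alice from the attacker is possession of the ID, which is why the text says the impersonation works right up until the session is abandoned or times out.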

But if I could capture that traffic, I could just take his name and password straight out of the POST instead. I don't have that capability. By now some of you presumably understand how the SessionID works, so let's look at cookies. Some people say the SessionID is a cookie. Strictly speaking the two are not the same thing, but they share one working mode: passing private data between the user and the server. When I set a cookie, the server sends IE an instruction; IE creates the cookie from that instruction and stores it, and sends it back to the site on later visits, for as long as the cookie is valid.

So why use cookies rather than a session?
Look at the differences.

Validity period and where the transferred content is stored:
A cookie can be set and kept locally, in plaintext.
A session lasts only while IE has not been closed and the server has not timed it out, and only the SessionID is kept on the client.

Use cookies when you want users to come back later and log in without typing a username or password,
because a cookie can be kept for quite a long time (until the cookie record is deleted or it expires).

A session cannot do that. It is not kept for long, and when IE is closed the SessionID record is cleared automatically.
The next time you visit, a new SessionID is requested.

When the server wants to verify the user's state from per-user variables, it cannot use cookies.
If you store user permissions in a cookie, that plaintext is transmitted to the server every time IE accesses the site.
So if I can, by some means, directly modify the cookie record and change the user into admin...
I'm in trouble.

But for information such as the user name and password or the color scheme of a web site, cookies are the best choice (though keep in mind that anything in a cookie sits in plaintext on the client, so a password stored there is exposed to anyone who can read that file).
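To make the tampering point concrete, here is an added Python example (not from the original post) that puts the user's role in a plaintext cookie, beside the page's recommended alternative of keeping it in the server-side session and sending only the SessionID. The cookie strings, the session ID and the login routine are constructed for the example.

```python
from http.cookies import SimpleCookie


def parse_cookie_header(cookie_header):
    """Turn a raw Cookie header value into a dict of name -> value."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return {k: m.value for k, m in jar.items()}


# --- Weak design: the server trusts a plaintext "role" cookie --------------
def is_admin_cookie_based(cookie_header):
    """Authorisation decision read straight from client-controlled plaintext."""
    return parse_cookie_header(cookie_header).get("role") == "admin"


# --- The page's recommended design: role lives in the server-side session --
SESSIONS = {}   # SessionID -> {"user": ..., "role": ...}
COOKIE_NAME = "ASPSESSIONIDCACBBBRT"   # name from the page's captured header


def login(session_id, user, role):
    """Record the role for a session. Assumed to run only after the server
    has verified the user's credentials; the credential check is not shown."""
    SESSIONS[session_id] = {"user": user, "role": role}


def is_admin_session_based(cookie_header):
    """The client sends only an opaque ID; the role is looked up on the server."""
    sid = parse_cookie_header(cookie_header).get(COOKIE_NAME)
    return SESSIONS.get(sid, {}).get("role") == "admin"


def demo():
    # Constructed cookie jars, as IE would send them after the user edited
    # (or did not edit) the local cookie file.
    honest = "user=bob; role=user"
    tampered = "user=bob; role=admin"          # attacker changes one word
    login("IBOMFONAOJFEEBHBPIENJFFC", "bob", "user")
    login("AABBCCDDEEFF001122334455", "root", "admin")
    honest_sid = f"{COOKIE_NAME}=IBOMFONAOJFEEBHBPIENJFFC"
    admin_sid = f"{COOKIE_NAME}=AABBCCDDEEFF001122334455"
    # Editing the cookie file cannot pick a role: a made-up ID matches no
    # session, and an extra role=admin cookie is simply ignored.
    forged_sid = f"{COOKIE_NAME}=AAAAAAAAAAAAAAAAAAAAAAAA; role=admin"
    return {
        "cookie_honest": is_admin_cookie_based(honest),        # False
        "cookie_tampered": is_admin_cookie_based(tampered),    # True: escalated
        "session_honest": is_admin_session_based(honest_sid),  # False
        "session_admin": is_admin_session_based(admin_sid),    # True: real admin
        "session_forged": is_admin_session_based(forged_sid),  # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the session-based design the attacker's only remaining move is the one from the earlier section, obtaining a real admin's SessionID, which is a much harder problem than editing a text file.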


Okay, I'm a little tired. One more thing.
Request.ServerVariables("HTTP_REFERER")

Some people use Request.ServerVariables("HTTP_REFERER")
to enforce important restrictions, especially against remote submissions and break-in attempts.
I would remind them that the HTTP_REFERER the server obtains is entirely whatever IE transmitted to it; it can be simulated,
and it is not hard: in less than half an hour you can write a VB program that spoofs HTTP_REFERER.
(Unfortunately, I did not originally write it for anything serious; it was a bot ("hanging machine") program for a web game.)
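The following added Python example (not the author's VB program, which is not on the page) shows why such a check is weak: it builds a raw POST carrying whatever Referer the sender chooses, then runs the kind of HTTP_REFERER check the text warns about over it. The URLs, paths and form body are constructed, and the check function is an assumed stand-in for the ASP logic.

```python
def build_request(path, host, referer, body):
    """Raw HTTP POST with a sender-chosen Referer, the way a small client
    program (like the VB tool the text mentions) would build it."""
    lines = [
        f"POST {path} HTTP/1.1",
        f"Host: {host}",
        "User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)",
        f"Referer: {referer}",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body)}",
        "",
        body,
    ]
    return "\r\n".join(lines)


def parse_request(raw):
    """Split a raw request into (request line, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body


def server_variables(headers):
    """Mimic ASP's Request.ServerVariables: HTTP_REFERER is just the Referer
    header the client sent, nothing more (an assumption about the model)."""
    return {"HTTP_REFERER": headers.get("referer", "")}


def referer_check_passes(raw, own_site="http://www.jh521.com/"):
    """The check the text warns about: accept the submission only if
    HTTP_REFERER says it came from a page on our own site."""
    _, headers, _ = parse_request(raw)
    return server_variables(headers)["HTTP_REFERER"].startswith(own_site)


def demo():
    body = "name=alice&pass=secret"   # constructed form data
    # A real browser submitting the site's own form.
    from_browser = build_request("/post.asp", "www.jh521.com",
                                 "http://www.jh521.com/form.asp", body)
    # A remote tool that is honest about where it came from: rejected.
    remote_tool = build_request("/post.asp", "www.jh521.com",
                                "http://evil.example/", body)
    # The same tool with the Referer line edited: indistinguishable from the browser.
    forged_tool = build_request("/post.asp", "www.jh521.com",
                                "http://www.jh521.com/form.asp", body)
    return (referer_check_passes(from_browser),
            referer_check_passes(remote_tool),
            referer_check_passes(forged_tool))


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The server sees exactly the bytes the client chose to send, so the forged request and the genuine one are the same on the wire; a Referer check keeps out only tools whose authors did not bother to set the header.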



