Cookie | Session: an understanding of Session and Cookie
The debate about the session never seems to stop, yet the people who actually understand the session should be well over 90 percent. Hear me out anyway, and don't be too harsh.
Some people are in favour of using the session, some are against it. The question is exactly what to make of it. Here is my opinion; if I get something wrong, please don't throw things, except gold bars and coins.
Some of you know that I write "jianghu" programs, and jianghu programs are all about efficiency. This post is not about design, though; it looks at the session from a more practical angle.
The first thing to say is what the session actually is: the session is a mechanism for storing user information, and it holds data for one user's IE instance and for any window opened from that window. Why put it that way? Look first at how a session starts. When you open IE and browse to the site, IE sends a request that asks for a SessionID and declares the kinds of data it is willing to download, such as pictures, sounds and Flash.
The actual data transmitted, IE to server:
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
The server returns an unused SessionID for IE to use, and IE stores the SessionID it was given.
The server also returns the data for the requested page, as follows, server to IE:
Date: Sun, Nov 2003 16:41:51 GMT
Then comes the page's HTML code. At this point the IE program (not the client machine) holds the SessionID IBOMFONAOJFEEBHBPIENJFFC, and whenever IE accesses any ASP program on the site it sends IBOMFONAOJFEEBHBPIENJFFC to the server. The server knows that IBOMFONAOJFEEBHBPIENJFFC stands for you, so setting Session("name") = "Name" on the server can be thought of as Session("IBOMFONAOJFEEBHBPIENJFFC")("name") = "Name", that is:
Session(SESSIONID)("name") = "Name"
This is how the session keeps different users apart on the server.
When the server receives this ID, it checks whether the ID is one that is in use. If it is, it won't make you go through the handshake again; but it is possible to impersonate someone's session ID and fool the server. That, however, requires getting hold of the other side's IE transmission, and it only works while that SessionID has not been cancelled.
If I were in a position to do that, I would just go straight for the POST that carries the name and password. I don't have that ability. By now some of you understand how the SessionID works, so let's look at cookies. Some people say the SessionID is a cookie; technically they are not the same thing, but they do belong to the same working mode: transmitting private data between the user and the server. When I set a cookie, the server sends IE an instruction; IE generates the cookie and stores it in response to that network instruction, and when IE later visits the site while the cookie is still valid, the server gets that information back.
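The handshake described above, written out as an added example (this is not code from the original post, and the cookie name ASPSESSIONID, the 20-minute idle timeout and the request headers are assumptions constructed for illustration). The server issues a random SessionID on the first visit, keeps every value under that ID on its own side, and when a request arrives it honours the presented ID only if it was the one that issued it and the session has not idled out:

```python
import secrets
import time
from http.cookies import SimpleCookie

# Server-side store: session_id -> {"data": {...}, "last_seen": unix time}.
# The browser only ever holds the ID; every value lives here, which is the
# Session(SESSIONID)("name") picture from the post.
SESSIONS = {}
SESSION_COOKIE = "ASPSESSIONID"  # cookie name chosen for this example
IDLE_TIMEOUT = 20 * 60           # 20-minute idle timeout, chosen for this example


def new_session_id():
    """An unguessable ID from the OS random source (24 URL-safe characters)."""
    return secrets.token_urlsafe(18)


def parse_cookie_header(cookie_header):
    """Turn a raw Cookie request header into a {name: value} dict."""
    jar = SimpleCookie()
    if cookie_header:
        jar.load(cookie_header)
    return {name: morsel.value for name, morsel in jar.items()}


def handle_request(headers, now=None):
    """Handle one request given its headers (a dict); return (session_id, response_headers).

    The presented ID is honoured only if this server issued it and it has not
    idled out. A missing, unknown or expired ID gets a brand-new one, so the
    server never adopts an ID the client simply made up.
    """
    now = time.time() if now is None else now
    cookies = parse_cookie_header(headers.get("Cookie"))
    sid = cookies.get(SESSION_COOKIE)
    entry = SESSIONS.get(sid)
    response = {}
    if entry is None or now - entry["last_seen"] > IDLE_TIMEOUT:
        if entry is not None:
            del SESSIONS[sid]  # expired: drop its server-side data
        sid = new_session_id()
        SESSIONS[sid] = {"data": {}, "last_seen": now}
        # No Expires/Max-Age: a session cookie, which the browser discards when
        # it is closed; HttpOnly keeps page scripts from reading the ID.
        response["Set-Cookie"] = f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly"
    SESSIONS[sid]["last_seen"] = now
    return sid, response


def session_set(sid, key, value):
    """Session(key) = value for the given session."""
    SESSIONS[sid]["data"][key] = value


def session_get(sid, key):
    """Read Session(key) for the given session (None if unset)."""
    return SESSIONS[sid]["data"].get(key)


if __name__ == "__main__":
    # Constructed request: first visit, no cookie, so the server issues an ID.
    sid, resp = handle_request({"User-Agent": "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"})
    print("issued:", resp["Set-Cookie"])
    session_set(sid, "name", "Name")  # Session("name") = "Name"
    # Same browser again: it presents the ID and gets its own data back.
    same, resp = handle_request({"Cookie": f"{SESSION_COOKIE}={sid}"})
    print("same session:", same == sid, "name =", session_get(same, "name"), resp)
    # An ID the server never issued is not adopted; a fresh one is sent instead.
    other, resp = handle_request({"Cookie": f"{SESSION_COOKIE}=IBOMFONAOJFEEBHBPIENJFFC"})
    print("made-up ID adopted:", other == "IBOMFONAOJFEEBHBPIENJFFC")
```

The two details that matter for the "impersonate a session ID" point are that the ID comes from the OS random source, so it cannot be guessed, and that the server-side entry is dropped on timeout, so a captured ID stops working once the session is cancelled.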
Look at the difference in what is transmitted, how long it stays valid, and how it is stored:
Cookies can set and keep plaintext information locally.
The session, as long as IE is not closed and the server has not timed out, transmits only the SessionID.
A cookie can be kept for quite a long time (until the cookie record is deleted or until its expiry date).
The session cannot; it is not kept for long, and once IE is closed the SessionID record is cleared automatically.
The next time you log in, you request a new SessionID.
If you use cookies to set user permissions, the user's plaintext is transmitted to the server every time IE accesses it.
So if by some means, say by directly editing the cookie record, the user is changed to admin...
then I'm in trouble.
That said, storing things like user names and passwords, or a site's colour scheme, is best done with cookies.
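The permissions point above, as an added example that is not part of the original post (the cookie name ASPSESSIONID, the session ID and the user names are constructed for illustration). The first check reads the privilege straight out of a cookie, so the server believes whatever value arrives; the second keeps only the SessionID in the cookie and looks the role up on the server, where an edited cookie changes nothing:

```python
from http.cookies import SimpleCookie

# Server-side session data, keyed by an ID the server issued (see the
# handshake earlier in the post). Only the ID travels in a cookie; the
# role never leaves the server.
SESSION_ROLES = {}                # session_id -> role, filled in at login
SESSION_COOKIE = "ASPSESSIONID"   # cookie name chosen for this example


def cookies_from(cookie_header):
    """Raw Cookie header -> {name: value}."""
    jar = SimpleCookie()
    if cookie_header:
        jar.load(cookie_header)
    return {name: morsel.value for name, morsel in jar.items()}


def is_admin_by_cookie(headers):
    """Weak: the privilege is read from a cookie the browser sent.

    The server cannot tell a cookie it set from one edited on disk, so the
    value is believed as-is.
    """
    return cookies_from(headers.get("Cookie")).get("user") == "admin"


def is_admin_by_session(headers):
    """Hardened: the cookie carries only the session ID; the role is looked
    up server-side, and an ID the server never issued maps to no role."""
    sid = cookies_from(headers.get("Cookie")).get(SESSION_COOKIE)
    return SESSION_ROLES.get(sid) == "admin"


def login(session_id, username):
    """Record the role for an issued session ID (constructed: only 'alice' is admin)."""
    SESSION_ROLES[session_id] = "admin" if username == "alice" else "user"


if __name__ == "__main__":
    login("IBOMFONAOJFEEBHBPIENJFFC", "bob")  # a normal user's issued session
    # Constructed request from that user, with the cookie record edited to say admin.
    tampered = {"Cookie": f"user=admin; {SESSION_COOKIE}=IBOMFONAOJFEEBHBPIENJFFC"}
    print("cookie-based check grants admin: ", is_admin_by_cookie(tampered))
    print("session-based check grants admin:", is_admin_by_session(tampered))
```

With the session-based check the only thing a client can present is an ID, and the server decides what that ID means; this is the practical reason to keep permissions in Session(...) rather than in a cookie, while leaving cookies for the long-lived preferences the post mentions.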
OK, I'm a little tired of talking about this.
I also want to say something to those who use Request.ServerVariables("HTTP_REFERER")
to impose key restrictions, especially against remote submissions and illegal intrusion.
Remember that the HTTP_REFERER information the server obtains is entirely what IE transmits to it; it can be simulated,
and that is not difficult: in less than half an hour one can write a VB program that gets past an HTTP_REFERER check.
(Unfortunately I never used mine for anything serious; I wrote a bot for a web game.)
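The HTTP_REFERER point above, as an added example that is not part of the original post (the host name www.example.com, the form field name "token" and the submissions are constructed for illustration). The first function is the kind of check the post warns about: it only tells you what the sender claims. The second binds each form to a random token held in the server-side session, which a submission produced somewhere else cannot know, whatever its Referer says:

```python
import hmac
import secrets
from urllib.parse import urlparse

SITE_HOST = "www.example.com"   # the site's own host (constructed)


def referer_check(headers):
    """The approach the post warns about: accept the request when HTTP_REFERER
    names our own site. The header is whatever the client chose to send, so it
    reflects a claim, not where the form really came from."""
    referer = headers.get("Referer", "")
    return urlparse(referer).hostname == SITE_HOST


def issue_form_token(session_data):
    """When rendering the form, store a fresh random token in the server-side
    session and embed the same value in the form as a hidden field."""
    token = secrets.token_hex(16)
    session_data["form_token"] = token
    return token


def token_check(session_data, form_fields):
    """Accept the submission only if it echoes the token held in this session.
    compare_digest avoids leaking the token through comparison timing."""
    expected = session_data.get("form_token")
    supplied = form_fields.get("token", "")
    return expected is not None and hmac.compare_digest(expected, supplied)


if __name__ == "__main__":
    # Constructed submission whose Referer merely claims to be our own page.
    claimed = {"Referer": f"http://{SITE_HOST}/post.asp"}
    print("referer check passes:", referer_check(claimed))
    session = {}  # this user's server-side session data
    print("token check, no token:  ", token_check(session, {}))
    token = issue_form_token(session)
    print("token check, real form: ", token_check(session, {"token": token}))
```

The token lives in the same server-side session the post describes, so it is tied to one user's SessionID and expires with it; the Referer header can still be logged for monitoring, but it should not be the control that decides whether a submission is accepted.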