The process of creating a Cookie and session

the process of creating a Cookie and session

We all know that the HTTP protocol itself is stateless, and the client simply sends a request to the server to download some files, and each request that the client sends to the server is independent. For the current Web application, http "stateless", causing many applications to spend a lot of effort to record the user's operation steps. As we described in the first case, the bank clerk spends a lot of effort to memorize each user's deposit/withdrawal record.

Programmers quickly discovered that if they could provide some of the dynamic information generated on demand, the interactivity of the web would be greatly enhanced. On the one hand, programmers add client-side behaviors such as forms, scripts, and Dom to HTML to increase the interactivity between Web applications and clients. On the other hand, the CGI specification appeared in the server to respond to the client's dynamic request, and the HTTP protocol as the transmission carrier added the features of file upload, cookie and so on. The principle of the cookie is the same as the one we described above using the Passbook record user should be.

In the previous example, we have found that storing information by way of a cookie can be a bit of security, because all the information is written on the client, and the customer may modify or clear the information. Then there is the way the session is used to save user behavior, which is the same way as the previous introduction of the bank card.

In particular, the cookie mechanism uses a scheme that maintains state on the client, while the session mechanism uses a scenario that maintains state on the server side. We also see that the session mechanism may need to use a cookie mechanism to save the identity, but in fact it has other options because the server-side hold-state scheme also needs to preserve an identity on the client side.

the mechanism and principle of cookie and session

Cookie mechanism. Orthodox cookie distribution is implemented by extending the HTTP protocol, and the server prompts the browser to generate the appropriate cookie by adding a special line of instructions to the HTTP response header. However, purely client-side scripts such as JavaScript or VBScript can also generate cookies. And the use of cookies by the browser in accordance with certain principles in the background automatically sent to the server. The browser checks all stored cookies and, if a cookie declares a scope greater than or equal to the location of the resource to be requested, sends the cookie to the server on the HTTP request header of the requesting resource.

The contents of the cookie mainly include: name, value, expiration time, path and domain. The path together with the domain constitutes the scope of the cookie. If you do not set an expiration time, the cookie will be closed for the duration of the browser session. This cookie, which is the lifetime of the browser session, is referred to as a session cookie. Session cookies are generally not stored on the hard disk but are kept in memory, although this behavior is not regulated. If the expiration time is set, the browser will save the cookie to the hard disk, turn it off and open the browser again, and the cookies remain valid until the set expiration time expires. Cookies stored on the hard disk can be shared between different browser processes, such as two IE windows. For cookies stored in memory, different browsers have different ways of handling them.

Session mechanism. The session mechanism is a server-side mechanism that uses a hash-like structure (or perhaps a hash table) to hold information.

When a program needs to create a session for a client's request, the server first checks to see if the client's request contains a session ID------------called the session ID. If it is already included, the session was previously created for this client, and the server retrieves the session using the session ID (not retrieved, creates a new one), if the client request does not include the session ID, Creates a session for this client and generates a session Id,session ID value associated with this session should be a string that is neither duplicated nor easily found to mimic the pattern, this session The ID will be returned to the client in this response to be saved.

This session ID can be saved by using a cookie, so that the browser can automatically play the logo to the server during the interactive process. Generally the name of this cookie is similar to Seeesionid. However, a cookie can be artificially banned, and there must be other mechanisms that can still pass the session ID back to the server when the cookie is banned.
A technique that is often used is called URL rewriting, which attaches the session ID directly behind the URL path. There is also a technique called form-hidden fields. Is that the server automatically modifies the form, adding a hidden field so that the session ID can be passed back to the server when the form is submitted.

Jsessionid?

Jsessionid is only Tomcat's name for SessionID, in fact, SessionID, in other containers may not be called Jsessionid.

-------------------Latest update--------

Terry_huang reply:

To give you a more vivid example, before the university, often go to the coke to drink milk tea, every drink, you can get a stamp (the first time he will give you a credit card), the collection of 6 printing, you can get a cup of tea for free. This way, the printed information is stored in the customer's scorecard, if you are not malicious, you can make a few of the spirit of the printing to cheat tea drink it. Haha, this is not more in line with the client-side hold state. and take the bank card to the bank to withdraw money, our card only need to save a card number, more information is saved in the server, it is also more in line with the server-side hold state. I hope I can help you.

May be my description is not appropriate, the points card and Passbook is similar, the user's access information is stored in the Passbook, the Passbook is in the customer's hand (client) may now very few people use the passbook, or the passbook has been canceled by the bank.

Transferred from: http://www.cnblogs.com/fnng/archive/2012/08/14/2637279.html