Understanding cookies and session mechanisms

Source: Internet
Author: User

Session tracking is a common technique in web applications for following a user across an entire session. The two common mechanisms are cookies and sessions: a cookie identifies the user by recording information on the client, while a session identifies the user by recording information on the server side.

This chapter systematically describes the cookie and session mechanisms and compares when each should be used, including the cases in which cookies cannot be used at all.

Cookie mechanism

Session tracking is essential in a web application. In principle, all requests from one user should belong to one session and all requests from another user to a different session, and the two must never be confused. For example, any item that user A puts in a supermarket's online shopping cart must land in A's cart, whenever A adds it, because those requests belong to A's session; it must not land in user B's or user C's cart, which belong to different sessions.

Web applications exchange data over HTTP, which is a stateless protocol: each request is handled on its own, and nothing in the protocol ties one request to an earlier request from the same client (in HTTP/1.0 the connection was even closed after every exchange, and an HTTP/1.1 keep-alive connection still carries no memory of earlier requests). The server therefore cannot recognize a session from the connection. When user A puts a product in the cart and then adds another one, the server cannot tell whether the second request belongs to A's session or to B's. To track the session, an additional mechanism has to be introduced.

Cookies are such a mechanism; they make up for the statelessness of HTTP. Before the server-side session mechanism appeared, essentially all websites used cookies to track sessions.

What is a cookie

The word "cookie" literally means a small cake; the mechanism was proposed by Netscape. Cookies are now a standard (RFC 6265), and all major browsers, such as IE, Netscape, Firefox, and Opera, support them.

Because HTTP is stateless, the server cannot learn the client's identity from the network connection. What to do? Issue every client a pass, one per person, which the client must present on every visit; the server then recognizes the client by the pass. That is how cookies work.

A cookie is simply a short piece of text. When a client requests a page and the server needs to record the user's state, the server issues a cookie to the browser in its response (the Set-Cookie header). The browser saves the cookie, and on every later request to the same site it sends the cookie along with the requested URL (the Cookie header). The server inspects the cookie to recognize the user's state, and it can modify the cookie's contents as needed by issuing a new Set-Cookie.

It is easy to see the cookies a website has issued: while on a page of that site, enter javascript:alert(document.cookie) in the browser's address bar. The script pops up a dialog showing the contents of the cookies the site has issued. Two caveats: cookies marked HttpOnly are deliberately hidden from document.cookie, and current browsers strip the javascript: prefix when it is typed into the address bar, so the same expression may have to be run from the developer-tools console instead.

In the author's example the dialog shows the cookies for the Baidu website. The first line, BAIDUID, records the author's identity (helloweenvsfei), but Baidu encrypts the cookie's contents with its own scheme.

Note: the cookie mechanism requires browser support. If the browser does not support cookies (as was the case with most mobile-phone browsers when this was written) or cookies are disabled, the mechanism stops working. Browsers store cookies in different ways; Internet Explorer, for example, stored each cookie as a separate text file under the folder C:\Documents and Settings\<your username>\Cookies.

Record number of user visits

In Java, a cookie is encapsulated in the javax.servlet.http.Cookie class; each cookie is an object of that class. The server reads and writes the client's cookies by manipulating Cookie objects: request.getCookies() returns all cookies the client submitted (as a Cookie[] array, or null if the request carried none), and response.addCookie(Cookie cookie) sends a cookie to the client.

A Cookie object stores user state as a single key-value pair; one Cookie object holds one pair, and a request or response may carry several cookies at once. Because the Cookie class lives in the javax.servlet.http package, which JSP pages import implicitly, no import statement is needed in a JSP.
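The round trip described under this section's visit-counter heading, as an added example that is not the page's own code: the page's server-side API is the Java servlet Cookie class, but this stand-alone Node.js sketch models the same exchange end to end. The server parses the Cookie header, increments a visitCount cookie and answers with Set-Cookie; a minimal client store keeps the cookie and sends it back on the next request. The names handleRequest, ClientCookieStore, simulateVisits and visitCount are assumptions for illustration. The last line shows the security point that the page's counter relies on: the state lives on the client, so any client can forge it, which is the motivation for the server-side session mechanism mentioned at the start of the article.

```javascript
// Added example: a model of the cookie round trip behind a visit counter.
// Not the page's code; the servlet calls request.getCookies() and
// response.addCookie() are mirrored here by handleRequest().

// Parse an incoming "Cookie: a=1; b=2" header into a map (RFC 6265 §4.2.1).
function parseCookieHeader(header) {
  const cookies = {};
  if (!header) return cookies;
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (name) cookies[name] = value;
  }
  return cookies;
}

// Server side: read the client's counter (if any), bump it, and issue it
// back in a Set-Cookie header. Garbage or negative values restart at 1.
function handleRequest(cookieHeader) {
  const cookies = parseCookieHeader(cookieHeader);
  const previous = Number.parseInt(cookies.visitCount ?? '0', 10);
  const count = (Number.isFinite(previous) && previous >= 0 ? previous : 0) + 1;
  return {
    count,
    body: `You have visited this page ${count} time(s)`,
    setCookie: `visitCount=${count}; Max-Age=${30 * 24 * 3600}; HttpOnly; SameSite=Lax`,
  };
}

// Client side: a minimal cookie store for a single site. Real browsers key
// cookies by domain and path as well; that scoping is covered later on.
class ClientCookieStore {
  constructor() { this.cookies = {}; }
  // Keep only the name=value pair; everything after the first ';' is an
  // attribute that instructs the browser and is never sent back.
  store(setCookieHeader) {
    const nameValue = setCookieHeader.split(';')[0];
    const eq = nameValue.indexOf('=');
    this.cookies[nameValue.slice(0, eq).trim()] = nameValue.slice(eq + 1).trim();
  }
  cookieHeader() {
    const pairs = Object.entries(this.cookies).map(([k, v]) => `${k}=${v}`);
    return pairs.length ? pairs.join('; ') : null;
  }
}

// Drive n round trips and return the counts the server reported.
function simulateVisits(n) {
  const client = new ClientCookieStore();
  const counts = [];
  for (let i = 0; i < n; i++) {
    const response = handleRequest(client.cookieHeader());
    client.store(response.setCookie);
    counts.push(response.count);
  }
  return counts;
}

console.log(simulateVisits(3));                        // [1, 2, 3]
// The counter is client-side state, so a client can present any value it likes:
console.log(handleRequest('visitCount=9999').count);   // 10000
```

Anything the server needs to trust (who the user is, what they are allowed to do) must therefore either be kept on the server and referenced by an opaque identifier, or be cryptographically protected in the cookie; a plain counter like this one is fine only because nothing depends on it.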

Cookies do not cross domains

Many websites use cookies. Google, for example, issues cookies to its clients, and so does Baidu. When the browser visits Google, does it also send the cookies Baidu issued? Can Google modify the cookies Baidu issued?

The answer is no. Cookies are scoped to a domain. According to the cookie specification, the browser sends only Google's cookies when it visits Google, never Baidu's, and Google can operate only on Google's cookies, not on Baidu's.

Cookies are managed by the browser on the client side. The browser guarantees that Google operates only on Google's cookies and not on Baidu's, which protects the user's privacy. The browser decides whether one site may operate on another site's cookies based on the domain name; the browser's cookie store is the only enforcement point, since a server never sees a cookie the browser chooses not to send. Google's domain name differs from Baidu's, so Google cannot operate on Baidu's cookies.

Note that although images.google.com and www.google.com both belong to Google, they are different host names, and by default neither can operate on the other's cookies: a cookie set without a Domain attribute is a host-only cookie, returned only to the exact host that set it.

Note: a user who logs in at www.google.com will find the login still valid when visiting images.google.com, which ordinary host-only cookies would not allow. This is because Google handles it specially: the cookie's Domain attribute is set to the parent domain google.com, so the browser sends the cookie to every host under it. Cookies of this kind are discussed in the following section.
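The scoping rules just described, as an added example that is not from the page: a simplified browser cookie jar implementing the domain rules of RFC 6265 (§5.1.3 domain matching, §5.3 storing a cookie with the host-only flag, §5.4 choosing the cookies to send). It shows that a cookie set by www.google.com without a Domain attribute is host-only and is not sent to images.google.com, that Domain=.google.com makes it shared across the parent domain, that Baidu's cookie never reaches Google, and that a server cannot set a cookie for a domain it does not belong to. The cookie names and values and the tiny PUBLIC_SUFFIXES list are constructed for the example; real browsers use the full public suffix list and also apply Path, Secure, expiry and HttpOnly rules, which are omitted here.

```javascript
// Added example: a simplified browser cookie jar showing the domain rules of
// RFC 6265. Not the page's code. Path, Secure, expiry and HttpOnly are omitted.

// Constructed stand-in for the public suffix list: browsers refuse cookies
// whose Domain is a public suffix, otherwise one site could set cookies that
// every site under ".com" would receive.
const PUBLIC_SUFFIXES = new Set(['com', 'net', 'org', 'cn', 'com.cn', 'co.uk']);

// RFC 6265 §5.1.3: requestHost domain-matches cookieDomain when they are equal
// or requestHost ends with "." + cookieDomain. The dot matters: "notgoogle.com"
// must not match "google.com".
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Process a Set-Cookie header received from requestHost (§5.3).
  // Returns true if the cookie was stored, false if the browser rejects it.
  setCookie(requestHost, header) {
    const [nameValue, ...attributes] = header.split(';').map(s => s.trim());
    const eq = nameValue.indexOf('=');
    if (eq <= 0) return false;
    const name = nameValue.slice(0, eq);
    const value = nameValue.slice(eq + 1);

    let domainAttr = null;
    for (const attribute of attributes) {
      const [key, val = ''] = attribute.split('=');
      if (key.trim().toLowerCase() === 'domain') {
        // A leading dot is ignored: ".google.com" means "google.com".
        domainAttr = val.trim().replace(/^\./, '').toLowerCase();
      }
    }

    let domain, hostOnly;
    if (!domainAttr) {
      // No Domain attribute: host-only cookie, returned only to this exact host.
      domain = requestHost.toLowerCase();
      hostOnly = true;
    } else {
      if (PUBLIC_SUFFIXES.has(domainAttr)) return false;          // §5.3 step 5
      if (!domainMatches(requestHost, domainAttr)) return false;  // §5.3 step 6
      domain = domainAttr;
      hostOnly = false;
    }
    // A cookie with the same name and domain replaces the old one (§5.3 step 11).
    this.cookies = this.cookies.filter(c => !(c.name === name && c.domain === domain));
    this.cookies.push({ name, value, domain, hostOnly });
    return true;
  }

  // Build the Cookie header for a request to requestHost (§5.4).
  cookieHeaderFor(requestHost) {
    const host = requestHost.toLowerCase();
    return this.cookies
      .filter(c => (c.hostOnly ? c.domain === host : domainMatches(host, c.domain)))
      .map(c => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// Drive the scenario from the text. Cookie names and values are constructed.
function demo() {
  const jar = new CookieJar();
  jar.setCookie('www.google.com', 'PREF=abc; Path=/');                    // host-only
  jar.setCookie('www.google.com', 'SID=xyz; Domain=.google.com; Secure');  // shared under google.com
  jar.setCookie('www.baidu.com', 'BAIDUID=123; Domain=.baidu.com');
  return {
    www: jar.cookieHeaderFor('www.google.com'),        // "PREF=abc; SID=xyz"
    images: jar.cookieHeaderFor('images.google.com'),  // "SID=xyz"
    baidu: jar.cookieHeaderFor('www.baidu.com'),       // "BAIDUID=123"
    // www.google.com may set cookies neither for baidu.com nor for a public suffix.
    foreignRejected: !jar.setCookie('www.google.com', 'X=1; Domain=baidu.com'),
    suffixRejected: !jar.setCookie('www.google.com', 'X=1; Domain=com'),
  };
}

console.log(demo());
```

The design consequence for a site operator: widening the Domain attribute to the parent domain is what makes single sign-on across subdomains work, but it also hands the cookie to every other host under that domain, so a compromised or user-controlled subdomain can read (and, by setting a cookie with the same name and domain, overwrite) it.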
