Web Security Test Learning Note (cookie&session)

One, : Meaning: the beginning and ends of a series of actions \ message
1,   implies "connection-oriented"   and "hold state "Two meanings
2,   a solution to maintain state between the client and the server
3,   also refers to the storage structure of this solution "save xx in session inside "

Two, http The protocol was originally stateless, so the introduction of Cookies and the Session mechanism to keep the connection state

Cookie and session Differences and linkages between the mechanisms:
the cookie mechanism uses a method that maintains state on the client
Session The mechanism uses a scenario that maintains state on the server side, because it maintains state on the server side must also require the client to provide an identity,

Third, about cookies mechanism
The use of cookies is automatically sent to the server in the background by the browser in accordance with certain principles, the browser will check all stored cookies, if a when a cookie declares a scope greater than or equal to the location of the resource being requested, The cookie is appended to the HTTP of the requesting resource the request header is sent to the server.
stored on hard disk cookie can be shared between different browser processes, such as two ie window. The cookie , different browsers have different ways of handling , for ie , press on an open window ctrl +   N Windows that are open from the File menu can share the cookie " from the original window. In other ways, the newly opened ie process cannot share the memory of a window that has already been opened cookie 。
The contents of the Cookie include: name, value, expiration time, path and domain

Four, The mechanism of the session
   when a program needs to create one for a client's requestSession, the server first checks to see if the request contains aSessionIdentification (Session ID), if there is, a previous creation for the customerSession, the server will followSession IDput thisSessionretrieved for use, usually aCookiesthe name is similar toSession ID, ifCookieswhen it is forbidden (Cookiescan be artificially banned), often using rewritingURLthe way that putSession IDattached toURLafter the path, in order to maintain state throughout the entire interaction, you must include the following path that each client may requestSession ID.
people thought: "Turn off the browser,SessionIt's just an hour. "Not really, unless the program notifies the server to remove aSession, or the server remains, and the program is typicallyLog Off, send an order to delete it.Session. The reason people have this illusion is that mostSessionwill adoptCookiesto saveSession, while closing the browser after thisSessionis gone, if the server is setCookiesis saved to the hard drive,or use some sort of method to rewrite the browser'shttprequest the head, put the originalSession IDsend to the server, then open the browser again, in fact, can be found again before theSession IDthe. Therefore, setting the failure time can play a certain protective role.

Five, Some questions about the session
1, When the session is created: It is not created when the client accesses it, but is called on the server side Httpservletrequest.getsession (True) is only created.
2,   session when deleted:   a , program call httpsession.invalidate (), B the last time a client received a send from session ID the time interval exceeds session Time-out settings for   C , the server process is stopped (non-persistent session )
  How do I close the browser and close the :   strictly speaking, you can make all client pages use window.onclose to monitor the browser's shutdown and then send a request to the server to delete session , but remains powerless for browser crashes or forced kill processes.