one , something in common :
cookie and session Are used to track the browser user identity of the session mode .
two , working principle :
1.Cookie How does it work
(1) The browser sends the request to the server for the first time
(2) Server side creation Cookie, The Cookie Contains information about the user , Then the Cookie Send to browser
(3) When the browser side visits the server side again, it will carry the data created by the server side Cookie
(4) Server side through Cookie The data carried in can distinguish different users
2.Session How does it work
(1) The browser sends the request to the server for the first time , Create one on the server side Session, At the same time, a special Cookie(name by JSESSIONID Fixed value of ,value by session Object ID), Then the Cookie Send to browser
(2) Browser sends the second N(N>1) One request to the server , When the browser side accesses the server side, it will carry the data name by JSESSIONID Of Cookie object
(3) Server side according to name by JSESSIONID Of Cookie Of value(sessionId), To inquire Session object , So as to distinguish different users .
name by JSESSIONID Of Cookie non-existent ( Close or change browser ), return 1 Re create in Session And special Cookie
name by JSESSIONID Of Cookie existence , according to value In SessionId To find out session object
value by SessionId non-existent **(Session Object survives by default 30 minute )**, return 1 Re create in Session And special Cookie
value by SessionId existence , return session object
Session Working principle diagram of
three , difference :
cookie The data is saved in the client ,session The data is stored in the server .
session
In a nutshell , When you go to a website , If web The server uses session, Then all the data is saved on the server , The client sends the current session every time it requests the server sessionid, Server based on current sessionid Determine the corresponding user data flag , To determine whether the user logs in or has certain permissions . Because the data is stored on the server , So you can't fake it .
cookie
sessionid It is randomly assigned when the server and client connect , If the browser uses cookie, Then all the data are saved in the browser , For example, after you log in , The server is set up cookie user name , So when you request the server again , The browser will send the user name to the server , These variables have some special marks . The server will interpret as cookie variable , So as long as you don't close the browser , that cookie Variables are always valid , So it can ensure that the line will not drop for a long time .
If you can intercept a user's cookie variable , Then forge a packet and send it , So the server is still I think you're legal . therefore , use cookie It's more likely to be attacked .
If cookie Valid values are set , that cookie Will be saved to the client's hard disk , The next time you visit the website , The browser first checks to see if there is any cookie, If there is one , read cookie, Then send it to the server .
So you saved a forum on the machine cookie, It is valid for one year , If someone invades your machine , Put your cookie Handcuffed away , Under his machine , So when he logs in to the website, he logs in with your identity . of course , You need to pay attention to forgery , direct copy
cookie File to cookie catalogue , Browsers don't recognize it , He has one index.dat file , Stored
cookie Establishment time of documents , And whether there are any changes , So you have to have the website first cookie file , And to cheat the browser from the guaranteed time
Both can be used for private storage ,session Expired or not , It depends on the settings of the server .cookie Expired or not , Can be in cookie Set it when generating .
four , Difference and contrast :
(1)cookie The data is stored in the customer's browser ,session The data is put on the server
(2)cookie It's not very safe , Others can analyze the data stored locally COOKIE And carry on COOKIE deception , If the main consideration is safety, it should be used session
(3)session It will be stored on the server for a certain period of time . When visits increase , It will compare the performance of your server , If the main consideration is to reduce server performance , Should be used COOKIE
(4) single cookie The limit on the client side is 3K, That is to say, a site is stored in the client COOKIE No 3K.
(5) therefore : Store important information such as login information as SESSION; Other information should be retained if necessary , Can be placed in COOKIE in
Technology