A Simple Understanding of session and cookie

  • 2021-06-28 08:32:03
  • OfStack

0. Introduction: why we need cookies and sessions

HTTP is stateless: each request is handled on its own, so the server cannot tell by itself that two requests come from the same logged-in user. Some mechanism is therefore needed to remember state such as login status, so that later requests to the web service do not have to authenticate again. Sessions and cookies are the server-side and browser-side halves of that mechanism, respectively.

1. About cookies

1.1 What is a cookie

The word cookie originally means a small biscuit. In HTTP, a cookie is a small piece of state that the server hands to the browser in a Set-Cookie response header, that the browser stores, and that the browser sends back to the server on later requests in the Cookie request header.

A cookie consists mainly of: a name, a value, an expiration time, a path and a domain. Modern cookies also carry the Secure, HttpOnly and SameSite attributes, which respectively restrict the cookie to HTTPS, hide it from JavaScript, and limit when it is sent on cross-site requests.

1.2 Classification of cookies

Session cookies: a cookie set without an expiration time (no Expires or Max-Age attribute) is kept only in the browser's memory and is discarded when the browser is closed. Session cookies are commonly used to carry the session id. (Caveat: browsers that restore the previous browsing session on start-up may keep them across restarts, so closing the browser is not a reliable logout.)

Persistent cookies: a cookie with an expiration time is written to disk and survives browser restarts until that time is reached.

1.3 How cookies are used

When making a request: the browser goes through its stored cookies and attaches, in the Cookie request header, every cookie whose scope (determined by its domain and path) covers the URL being requested. A cookie marked Secure is attached only over HTTPS, and an expired cookie is dropped rather than sent.

When processing a request: the server usually checks the cookie information in the request header first (for example, a login check) and carries out the actual business logic only if that check passes.

If the check fails, for example because no cookie was sent or the cookie value is invalid (possibly forged), the request is redirected to the login flow; once the login completes, the server returns the cookie in a Set-Cookie response header. The browser then stores it on disk or in memory, according to its expiration attributes, for use on the next request.
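The scope check described above, as an added example that is not part of the original article: a small Python model of the browser's decision about which stored cookies to attach to a request. It implements the domain-match and path-match rules of RFC 6265 together with the Secure and expiry checks, and runs over a constructed cookie jar (the hosts, cookie names and values are made up for the demonstration).

```python
"""Which stored cookies does a browser attach to a request?

Added example, not code from the original article. Implements the
domain-match (RFC 6265 section 5.1.3) and path-match (section 5.1.4) rules
plus the Secure and expiry checks, over a constructed cookie jar.
"""
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class StoredCookie:
    name: str
    value: str
    domain: str                     # "shop.example.com" or ".example.com"
    path: str = "/"
    secure: bool = False
    http_only: bool = False
    expires: Optional[float] = None  # None => session cookie (memory only)
    host_only: bool = True           # True when no Domain attribute was set


def domain_matches(request_host: str, cookie_domain: str, host_only: bool) -> bool:
    """RFC 6265 5.1.3: the host equals the cookie domain, or the host is a
    subdomain of it and the cookie was set with an explicit Domain attribute."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    if request_host == cookie_domain:
        return True
    if host_only:
        return False
    return request_host.endswith("." + cookie_domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4: identical, or the cookie path is a prefix of the
    request path that ends at a '/' boundary ("/checkout" must not match
    "/checkoutx")."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookies_for_request(jar, url: str, now: Optional[float] = None) -> str:
    """Return the Cookie request-header value the browser would send."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path or "/"
    is_https = parts.scheme == "https"
    sent = []
    for c in jar:
        if c.expires is not None and c.expires <= now:
            continue                 # expired persistent cookie
        if c.secure and not is_https:
            continue                 # Secure cookies only travel over TLS
        if not domain_matches(host, c.domain, c.host_only):
            continue
        if not path_matches(path, c.path):
            continue
        sent.append(c)
    # RFC 6265 5.4: cookies with longer paths come first; ties keep jar order
    sent.sort(key=lambda c: -len(c.path))
    return "; ".join(f"{c.name}={c.value}" for c in sent)


# Constructed jar for the demonstration (not real cookies).
JAR = [
    StoredCookie("sid", "abc123", "shop.example.com", "/", secure=True, http_only=True),
    StoredCookie("theme", "dark", ".example.com", "/", host_only=False,
                 expires=time.time() + 3600),
    StoredCookie("cart", "42", "shop.example.com", "/checkout"),
    StoredCookie("old", "x", "shop.example.com", "/", expires=time.time() - 1),
]

if __name__ == "__main__":
    print(cookies_for_request(JAR, "https://shop.example.com/checkout/pay"))
    print(cookies_for_request(JAR, "http://shop.example.com/checkout/pay"))
    print(cookies_for_request(JAR, "https://blog.example.com/"))
```

Over HTTPS the checkout page receives all three live cookies; over plain HTTP the Secure session id stays home, and a sibling host under example.com sees only the cookie that was set with Domain=.example.com.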

2. About sessions

2.1 What is a session

A session holds the user's state on the server side. The browser holds only an opaque session id; all the data associated with that id stays on the server and is looked up by the id on each request.

2.2 How sessions are used

When the browser makes a request, the server first reads the session id from the request (normally from the Cookie header). If no id was sent, or the id does not correspond to any session the server knows about, the server generates a new session id and stores the session on its side (in memory, on disk, or in a shared store such as memcache). Generating a fresh id, rather than adopting an unknown id supplied by the client, is what prevents session fixation.

The browser receives the session id in the response and keeps a copy locally for the next request. The usual way to carry it is a cookie, but cookies are not the only option: the id can also be appended to the URL (URL rewriting), as Java servlet containers do with the ;jsessionid=... suffix. URL-carried ids leak easily through the Referer header, server logs and bookmarks, so the cookie transport is preferred.
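The exchange described in 2.2, as an added example that is not part of the original article: a minimal server-side session store in Python. It issues a random id, looks sessions up by that id, refuses to adopt an id it never issued (the session-fixation case), rotates the id at login, expires idle sessions, and sends the id in a session cookie marked HttpOnly, Secure and SameSite. The class and function names (SessionStore, handle_request), the cookie name and the 30-minute idle timeout are this example's own choices.

```python
"""Server-side session store with cookie transport.

Added example, not code from the original article. Sessions live in a
server-side dict keyed by a random id; the browser only ever holds the id.
"""
import secrets
import time
from http.cookies import CookieError, SimpleCookie
from typing import Optional

SESSION_COOKIE = "sid"
IDLE_TIMEOUT = 30 * 60          # seconds of inactivity before a session dies


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock, so expiry can be tested
        self._sessions = {}      # id -> {"data": {...}, "last_seen": ts}

    def _new_id(self) -> str:
        # 256 bits of CSPRNG output; never derive ids from user data or time
        return secrets.token_urlsafe(32)

    def create(self, data=None) -> str:
        sid = self._new_id()
        self._sessions[sid] = {"data": dict(data or {}), "last_seen": self._now()}
        return sid

    def get(self, sid: Optional[str]) -> Optional[dict]:
        """Return the session data for sid, or None if unknown or expired.
        An unknown id is *not* adopted as a new session: that would let an
        attacker plant an id in the victim's browser (session fixation)."""
        if not sid:
            return None
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._now() - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        entry["last_seen"] = self._now()
        return entry["data"]

    def regenerate(self, old_sid: str) -> str:
        """Swap the id after a privilege change (login) but keep the data."""
        entry = self._sessions.pop(old_sid, None)
        if entry is None:
            return self.create()
        new_sid = self._new_id()
        entry["last_seen"] = self._now()
        self._sessions[new_sid] = entry
        return new_sid

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def session_id_from_request(cookie_header: str) -> Optional[str]:
    """Parse the Cookie request header and pull out the session id."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return None              # malformed header: treat as no session
    morsel = jar.get(SESSION_COOKIE)
    return morsel.value if morsel else None


def set_cookie_header(sid: str) -> str:
    """Set-Cookie value for the id. No Expires/Max-Age => session cookie."""
    return f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def handle_request(store: SessionStore, cookie_header: str,
                   login_as: Optional[str] = None):
    """Minimal request handler: returns (session data, Set-Cookie or None)."""
    sid = session_id_from_request(cookie_header)
    data = store.get(sid)
    set_cookie = None
    if data is None:
        sid = store.create()            # missing/unknown/expired id: fresh session
        data = store.get(sid)
        set_cookie = set_cookie_header(sid)
    if login_as is not None:
        data["user"] = login_as
        sid = store.regenerate(sid)     # new id after login defeats fixation
        set_cookie = set_cookie_header(sid)
    return data, set_cookie


if __name__ == "__main__":
    store = SessionStore()
    _, sc = handle_request(store, "")                      # first visit
    print("anonymous:", sc)
    sid = session_id_from_request(sc.split(";")[0])
    data, sc = handle_request(store, f"sid={sid}", login_as="alice")
    print("after login:", data, sc)                        # id has changed
```

Two details carry the security weight: an id the server did not issue is never adopted, and a login replaces the id while keeping the data. Both are cheap and close the session-fixation route entirely.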

3. Major differences between cookies and sessions

1. Storage location

Cookie data is stored in the client's browser, not on the server. Session data is stored on the server; the client keeps only a copy of the session id (usually in a cookie).

2. Security

A cookie is less secure than a session because the data itself is in the client's hands: the user, or malware on the machine, can read and edit a persistent cookie on the local disk, and a cross-site scripting (XSS) flaw in the site lets an attacker's script read document.cookie and steal whatever is stored there, unless the cookie is marked HttpOnly.

A session is different. Its data never leaves the server, so the client can neither read nor tamper with it; what an XSS attack can steal is only the session id, and only while the user is logged in. Once the session expires or is destroyed (for a session cookie, when the browser is closed), the stolen id is useless. This is why the session id should travel in an HttpOnly, Secure cookie with a short lifetime and be invalidated on the server at logout.

3. Cross-domain support

A cookie can be shared across subdomains by setting its Domain attribute to '.biaodianfu.com', which makes it available to every host ending in '.biaodianfu.com'. Such cross-subdomain cookies are widely used, for example by Google, Baidu and Sina. (A cookie cannot be set for an unrelated domain: the browser rejects a Domain attribute that does not cover the host issuing it.) A session does not support cross-domain access on its own: it is valid only for the domain whose server holds it, and its id cookie follows the same scoping rules as any other cookie.

4. Server load

Sessions are stored on the server, and every user gets one. With a very large number of concurrent users the server holds an equally large number of sessions, which consumes a lot of memory. Sites with very high concurrency, such as Google, Baidu and Sina, are therefore unlikely to track every visitor with a server-side session; keeping that state in cookies instead relieves the server. (State moved into a cookie must be signed or encrypted, since the client can otherwise rewrite it at will.)

5. Data types

A cookie can store only an ASCII string (and not even every ASCII character: separators such as ';' are not allowed in the value). Unicode characters or binary data must be encoded first, for example with URL encoding or Base64, and Java objects cannot be stored in a cookie directly. Keeping anything slightly complex in a cookie therefore takes extra work.

A session can hold data of any type, including String, Integer, List, Map and so on. A session can also store a Java Bean, or any Java class or object, directly and very conveniently. You can think of the session as a Java container object.
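Putting richer data into a cookie value, as an added example that is not part of the original article: the payload is serialized as JSON, UTF-8 encoded and base64url encoded so that the cookie value is plain ASCII with no forbidden separators, and an HMAC-SHA256 tag is appended so the server can detect a value the client has edited. This goes one step beyond the paragraph above by adding the signature, because a cookie that carries state without one can be rewritten by whoever holds it. The key, helper names and sample payload are constructed for the demonstration.

```python
"""Encoding structured data into a cookie value, and signing it.

Added example, not code from the original article. A cookie value must be a
short ASCII token, so the payload is JSON -> UTF-8 -> base64url; an HMAC over
the encoded payload lets the server detect client-side tampering.
"""
import base64
import hashlib
import hmac
import json
from typing import Any, Optional

SERVER_KEY = b"constructed-demo-key-change-me"   # placeholder, not a real key


def _b64(data: bytes) -> str:
    # base64url without padding: only [A-Za-z0-9_-], all legal in a cookie value
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_cookie_value(payload: Any, key: bytes = SERVER_KEY) -> str:
    """JSON -> UTF-8 -> base64url body, then '.' and an HMAC-SHA256 tag.
    The result is safe to place directly in a Set-Cookie header."""
    raw = json.dumps(payload, separators=(",", ":"), ensure_ascii=False)
    body = _b64(raw.encode("utf-8"))
    tag = _b64(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    return f"{body}.{tag}"


def decode_cookie_value(value: str, key: bytes = SERVER_KEY) -> Optional[Any]:
    """Return the payload if the tag verifies, else None.
    The client can still read the data (it is signed, not encrypted), but
    cannot change it without the tag check failing."""
    try:
        body, tag = value.rsplit(".", 1)
    except ValueError:
        return None                      # no separator: not one of ours
    expected = _b64(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    if not hmac.compare_digest(tag, expected):
        return None                      # forged, corrupted, or wrong key
    try:
        return json.loads(_unb64(body).decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    # Constructed payload with non-ASCII text and a nested value
    v = encode_cookie_value({"user": "张三", "roles": ["editor"], "n": 7})
    print(v)
    print(decode_cookie_value(v))
    # Client swaps the body for one claiming "admin" but keeps the old tag
    admin_body = encode_cookie_value({"user": "张三", "roles": ["admin"], "n": 7}).rsplit(".", 1)[0]
    print(decode_cookie_value(admin_body + "." + v.rsplit(".", 1)[1]))   # None
```

The tag is compared with hmac.compare_digest rather than ==, so the check takes the same time whether the forgery differs in the first byte or the last, leaving nothing for an attacker to measure.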

6. Cookie storage is limited

A single cookie cannot exceed about 4 KB (RFC 6265 requires browsers to accept at least 4096 bytes per cookie), and browsers cap the number of cookies per site: older browsers allowed about 20, and RFC 6265 requires at least 50.

