0. Introduction: why do we need cookies and sessions
Because HTTP requests are stateless (on its own the server cannot remember whether a user has logged in, for example), some mechanism is needed to carry the user's login status and other information across requests, so that the next request to the web service does not have to re-verify the login or other state. The session mechanism and the cookie mechanism are the server-side and browser-side solutions respectively.
1. About cookies
1.1 What is a cookie
The word cookie literally means a small biscuit. In HTTP, a cookie stores user state information on the browser side, and the browser sends that information back to the backend with later requests.
The contents of a cookie mainly include: name, value, expiration time, path and domain.
1.2 Categories of cookies
Session cookies: cookies with no expiration time set are kept in the browser's memory; when the browser is closed they are destroyed. (They are often used to hold the session.)
Ordinary (persistent) cookies: cookies with an expiration time set are saved on the hard disk.
1.3 How cookies are used
When initiating a request: the browser checks all stored cookies. If the scope declared by a cookie (determined by its path and domain) covers the location of the resource being requested, the cookie is attached to the HTTP request header and sent to the server along with the request.
When processing the request: on the server side, the cookie information in the request header is generally checked (a login check, for example). If the check passes, the actual business processing can proceed.
If the check fails, for example because no cookie is found or the cookie information is incorrect (possibly forged), the server redirects to the login page; after login it returns cookie information in the response. The browser saves it on the hard disk or in memory according to the returned cookie attributes, ready for the next request.
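The scope check described in 1.3 (and the ".biaodianfu.com" domain matching mentioned later in section 3) can be made concrete with a small model of the browser's cookie jar. The following is an added example written for this page, not code from the original post: it parses Set-Cookie headers into the five fields the text lists (name, value, expiration, path, domain), keeps cookies without an expiration as session cookies, and decides which cookies to attach to a request URL. The hostnames, cookie names and the fixed clock value are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str                    # host the cookie belongs to, e.g. "www.biaodianfu.com"
    path: str = "/"
    expires: Optional[datetime] = None   # None => session cookie (memory only)
    host_only: bool = True               # True when no Domain attribute was given

    def is_session_cookie(self) -> bool:
        return self.expires is None

    def is_expired(self, now: datetime) -> bool:
        return self.expires is not None and now >= self.expires


def parse_set_cookie(header: str, request_host: str, now: datetime) -> Cookie:
    """Parse one Set-Cookie header value: name=value followed by attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip(), domain=request_host.lower())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            cookie.domain = val.lstrip(".").lower()   # ".biaodianfu.com" => "biaodianfu.com"
            cookie.host_only = False                  # now shared with all sub-domains
        elif key == "path" and val.startswith("/"):
            cookie.path = val
        elif key == "max-age":
            cookie.expires = now + timedelta(seconds=int(val))   # Max-Age wins over Expires
        elif key == "expires" and cookie.expires is None:
            cookie.expires = datetime.strptime(
                val, "%a, %d %b %Y %H:%M:%S GMT").replace(tzinfo=timezone.utc)
    return cookie


def domain_matches(cookie: Cookie, host: str) -> bool:
    host = host.lower()
    if cookie.host_only:
        return host == cookie.domain
    # Domain attribute set: the host itself or any sub-domain of it qualifies
    return host == cookie.domain or host.endswith("." + cookie.domain)


def path_matches(cookie_path: str, request_path: str) -> bool:
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # "/admin" must not match "/administrator", only "/admin/..." paths
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookies_for_request(jar: List[Cookie], url: str, now: datetime) -> str:
    """Build the Cookie request header a browser would attach when requesting `url`."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path or "/"
    sent = []
    for c in jar:
        if c.is_expired(now):
            continue   # expired persistent cookies are dropped, never sent
        if domain_matches(c, host) and path_matches(c.path, path):
            sent.append(f"{c.name}={c.value}")
    return "; ".join(sent)


# Constructed sample jar, as if www.biaodianfu.com had returned these Set-Cookie headers.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def build_demo_jar() -> List[Cookie]:
    host = "www.biaodianfu.com"
    return [
        parse_set_cookie("sid=abc123; Path=/", host, NOW),                       # session cookie, host-only
        parse_set_cookie("lang=zh; Domain=.biaodianfu.com; Max-Age=86400", host, NOW),  # shared with sub-domains
        parse_set_cookie("old=1; Expires=Mon, 01 Jan 2024 00:00:00 GMT", host, NOW),    # already expired
        parse_set_cookie("admin=1; Path=/admin", host, NOW),                     # path-restricted
    ]


if __name__ == "__main__":
    jar = build_demo_jar()
    for url in ("http://www.biaodianfu.com/index", "http://blog.biaodianfu.com/",
                "http://www.biaodianfu.com/admin/users", "http://www.biaodianfu.com/administrator"):
        print(url, "->", cookies_for_request(jar, url, NOW))
```

Note that the host-only session cookie `sid` is not sent to `blog.biaodianfu.com`, while `lang`, whose Domain attribute was set to `.biaodianfu.com`, is: that is exactly the cross-domain behaviour the text describes, and it is why a Domain attribute should be no wider than the hosts that genuinely need the cookie.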
2. About sessions
2.1 What is a session
A session is used to save user state information on the server side.
2.2 How sessions are used
When the browser initiates a request: the server first reads the session information from the request header. If no session ID is found, or the ID it carries does not match any session stored on the server, a new session ID is generated and the session is stored on the server's hard disk or in memcache.
When the browser receives the response: the returned session ID is saved in local memory for use on the next request. One way to hold the session ID locally is to store it in a cookie, but cookies are not the only option; URL rewriting (appending the session ID directly to the URL path) can also be used.
3. The main differences between cookies and sessions
1. Storage location
Cookie data is stored in the client's browser and does not need to be kept on the server. Session data is kept on the server, and the browser holds a local copy in memory (the session ID).
2. Security
Cookies are less secure than sessions. Because ordinary cookies are saved on the local hard disk, attackers can use XSS attacks, forged URLs and other means to obtain the cookies saved on the local disk and then steal the user's sensitive information.
Sessions are different: session information can only be obtained if an XSS attack is launched while the user is logged into the site, and the session is destroyed when the browser is closed. Its security is therefore better than that of cookies.
3. Cross-domain support
Cookies support cross-domain access. For example, if the domain attribute is set to ".biaodianfu.com", every domain name ending in ".biaodianfu.com" can access the cookie. Cross-domain cookies are now widely used on the Internet, for example by Google, Baidu and Sina. Sessions do not support cross-domain access; a session is only valid within the domain it belongs to.
4. Server load
Sessions are stored on the server side, and every user gets one. With many concurrent users this produces a large number of sessions and consumes a lot of memory. It is therefore unlikely that sites with extremely high concurrent traffic, such as Google, Baidu and Sina, track users with sessions; to limit the load on the server, cookies should be used instead.
5. Access methods
Only ASCII strings can be stored in a cookie. Unicode characters or binary data must be encoded first, and Java objects cannot be stored in a cookie directly, so keeping even slightly complex information in cookies is awkward.
A session can hold data of any type, including but not limited to String, Integer, List and Map. Java Beans and indeed any Java class or object can be stored directly in a session, which is very convenient; you can think of the session as a Java container.
6. Cookie size is limited
A single cookie cannot hold more than 4 KB of data, and many browsers limit a site to at most 20 cookies.
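Points 5 and 6 above both come down to what a cookie value may physically contain. The following is an added example written for this page, not code from the original post: it encodes Unicode text and raw bytes into cookie-safe ASCII (percent-encoding for text, URL-safe base64 for bytes), decodes them back, shows a structured record round-tripping through JSON plus that encoding, and checks a cookie set against the 4 KB per-cookie and 20-cookies-per-site limits the text cites. The `t:`/`b:` prefixes and the sample values are constructed conventions for this example, not a standard.

```python
import base64
import json
from typing import Dict, List, Union
from urllib.parse import quote, unquote

MAX_COOKIE_BYTES = 4096    # per-cookie limit the text cites (4K)
MAX_COOKIES_PER_SITE = 20  # per-site limit the text cites


def encode_cookie_value(value: Union[str, bytes]) -> str:
    """Turn text or bytes into an ASCII-only cookie value.

    Text becomes percent-encoded UTF-8 with a 't:' prefix; bytes become
    URL-safe base64 with a 'b:' prefix (constructed convention for this example).
    """
    if isinstance(value, bytes):
        return "b:" + base64.urlsafe_b64encode(value).decode("ascii")
    return "t:" + quote(value, safe="")   # safe="" also encodes '/', ';', '=' and spaces


def decode_cookie_value(encoded: str) -> Union[str, bytes]:
    """Inverse of encode_cookie_value; rejects values with an unknown prefix."""
    kind, _, payload = encoded.partition(":")
    if kind == "b":
        return base64.urlsafe_b64decode(payload.encode("ascii"))
    if kind == "t":
        return unquote(payload)
    raise ValueError("unknown cookie value encoding")


def encode_record(record: dict) -> str:
    """Store a structured record the way a session would hold an object: serialise, then encode."""
    return encode_cookie_value(json.dumps(record, separators=(",", ":")))


def decode_record(encoded: str) -> dict:
    return json.loads(decode_cookie_value(encoded))


def check_cookie_limits(cookies: Dict[str, str]) -> List[str]:
    """Return a list of limit violations for a site's cookie set (empty list means OK)."""
    problems = []
    if len(cookies) > MAX_COOKIES_PER_SITE:
        problems.append(f"too many cookies: {len(cookies)} > {MAX_COOKIES_PER_SITE}")
    for name, value in cookies.items():
        size = len(f"{name}={value}".encode("ascii"))   # raises if anything non-ASCII slipped in
        if size > MAX_COOKIE_BYTES:
            problems.append(f"cookie {name!r} is {size} bytes > {MAX_COOKIE_BYTES}")
    return problems


if __name__ == "__main__":
    # Constructed sample values: a Chinese greeting, two raw bytes and a small record.
    print(encode_cookie_value("你好 world"))
    print(encode_cookie_value(b"\x00\xff"))
    print(encode_record({"user": "张三", "roles": ["editor"]}))
    print(check_cookie_limits({"big": "x" * 5000}))
```

The per-cookie size check is the practical reason the text steers "slightly complex information" towards the session: even a modest serialised object, once encoded, approaches the 4 KB limit and is re-sent with every request.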
The simple overview of sessions and cookies above is all I have to share with you. I hope it gives you a useful reference, and I hope you will continue to support Wulin.com.