2025-02-27 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
Many less experienced developers are unsure how cookie and SESSION differ and how they relate to each other. This article summarizes the causes of that confusion and how to resolve it, and I hope it helps you work through the problem.
In situations such as voting, fairness usually requires that each person gets only one vote, and web developers run into similar requirements elsewhere. We usually implement this with a cookie, as in the following code:
    <%
    Cookie[] cookies = request.getCookies();
    // getCookies() returns null when the request carries no cookies, so test for null first
    if (cookies == null || cookies.length == 0) {
        doStuffForNewbie();          // has not visited before
    } else {
        doStuffForReturnVisitor();   // has already visited
    }
    %>
The logic is easy to follow: check whether a cookie exists, and if one does, the code that sets the cookie must already have run. However, when you run the code above, the result is always the execution of doStuffForReturnVisitor(), yet looking through Control Panel > Internet Options > Settings > View Files never shows a generated cookie file. That is strange, because the code appears to have no problem. But since a cookie evidently exists, let's print it out and have a look.
    Cookie[] cookies = request.getCookies();
    // Test for null first: getCookies() returns null when no cookies were sent
    if (cookies == null || cookies.length == 0) {
        out.println("Has not visited this website");
    } else {
        // Print the name and value of every cookie the browser sent
        for (int i = 0; i < cookies.length; i++) {
            out.println("cookie name:" + cookies[i].getName() + " cookie value:" +
                    cookies[i].getValue());
        }
    }
Running result:
    cookie name:JSESSIONID cookie value:KWJHUG6JJM65HS2K6
Why is there a cookie? As we all know, HTTP is a stateless protocol. Every time a client reads a web page, the server opens a new session, and the server does not automatically maintain the client's context information. So how can an online store implement a shopping cart? A session is a mechanism for saving context information, kept separately for every user. We usually don't see JSESSIONID, but when cookies are disabled in the browser, the web server passes the session id by URL rewriting, and strings such as sessionid=KWJHUG6JJM65HS2K6 appear in the address bar.
Knowing the principle, we can easily tell persistent cookies and session cookies apart, and the online discussions about the security of both become clear. A session cookie belongs to one session and disappears when that session ends, whereas a persistent cookie is just a piece of text (usually encrypted) stored on the client's hard disk, where it may be subject to cookie spoofing and to cross-site scripting attacks against cookies. Naturally, it is not as safe as a session cookie.
Usually, a session cookie cannot be used across windows. When you open a new browser window and go to the same page, the system gives you a new session id, so information cannot be shared between the windows. In that case, we can save the session id in a persistent cookie and read it in the new window to obtain the previous window's session id. In this way, combining a session cookie with a persistent cookie achieves cross-window session tracking.
Some books on web development simply present session and cookie as two parallel ways of carrying information over HTTP. Session cookies are located on the server side and persistent cookies are located on the client side, but the session is based on cookies. Once we understand the connection and the difference between the two, it is not difficult to choose the appropriate technology when developing a web service.
-
The difference and relationship between the cookie and session mechanisms
Specifically, the cookie mechanism keeps state on the client side. It is the client-side storage mechanism for session state, and it requires the user to enable cookie support in the client. The purpose of cookies is to compensate for the statelessness of the HTTP protocol.
The session mechanism is a solution that maintains state between the client and the server. At the same time, keeping state on the server side still requires an identifier to be saved on the client side, so the session mechanism may need to rely on the cookie mechanism to store that identifier. Sessions provide a convenient way to manage global variables.
A session is per user: the values of its variables are stored on the server, and a session ID is used to tell which user's session variables they are. The browser returns this value to the server on each access. When the client has cookies disabled, the value may instead be returned to the server as a GET parameter.
In terms of security: when you visit a site that uses sessions and a cookie is set on your computer, the server-side SESSION mechanism is the recommended, more secure choice, because it does not arbitrarily read information stored on the client.
Orthodox cookie distribution is achieved by extending the HTTP protocol: the server adds a special directive line to the HTTP response header, which prompts the browser to create the corresponding cookie as instructed.
From a web server's point of view, every HTTP request is independent of the requests before it. That is to say, each HTTP response depends entirely on the information contained in the corresponding request. The state management mechanism overcomes some of these limitations of HTTP and allows the network client and server to maintain a relationship between requests. The period during which this relationship is maintained is called a session.
A cookie is a small piece of text that the server stores on the local machine and that is sent to the same server with each request. IETF RFC 2965, HTTP State Management Mechanism, is a general cookie specification. The web server uses an HTTP header to send cookies to the client. On the client side, the browser parses these cookies and saves them as a local file. It automatically attaches these cookies to any request to the same server.
-
Differences and connections between cookie and session mechanisms
Specifically, the cookie mechanism maintains state on the client side, while the session mechanism maintains state on the server side. At the same time, because keeping state on the server side still requires an identifier to be saved on the client side, the session mechanism may need the cookie mechanism to store that identifier, although in fact it has other options.
Cookie mechanism. Orthodox cookie distribution is achieved by extending the HTTP protocol: the server adds a special directive line to the HTTP response header, which prompts the browser to create the corresponding cookie as instructed. However, pure client-side script such as JavaScript or VBScript can also create cookies. Cookies are used by being sent to the server automatically, in the background, by the browser according to certain rules. The browser checks all stored cookies, and if the scope declared by a cookie is greater than or equal to the location of the resource being requested, the cookie is attached to the HTTP request header for that resource and sent to the server.
The content of a cookie mainly consists of a name, value, expiration time, path and domain. Together with the domain, the path forms the scope of the cookie. If the expiration time is not set, the cookie lives for the duration of the browser session: close the browser window and the cookie disappears. A cookie whose lifetime is the browser session is called a session cookie. Session cookies are generally not stored on the hard disk but in memory, although this behavior is not required by the specification. If the expiration time is set, the browser saves the cookie to the hard disk; closing and reopening the browser leaves the cookie valid until the set expiration time has passed. Cookies stored on the hard disk can be shared between different browser processes, such as two IE windows. For cookies stored in memory, different browsers behave differently.
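The scope check described above can be written out as a small model. This is an added example, not code from the original article: it uses the domain-match and path-match rules of RFC 6265 (the current cookie specification), ignores IP-address hosts, and the names `StoredCookie`, `cookies_for` and the `example.test` hosts are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class StoredCookie:
    name: str
    domain: str                      # host that set it, or its Domain attribute
    path: str = "/"
    host_only: bool = True           # True when no Domain attribute was sent
    expires: Optional[float] = None  # None = session cookie (kept in memory)
    secure: bool = False

def domain_matches(host: str, c: StoredCookie) -> bool:
    host, dom = host.lower(), c.domain.lower().lstrip(".")
    if c.host_only:
        return host == dom
    return host == dom or host.endswith("." + dom)

def path_matches(request_path: str, cookie_path: str) -> bool:
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # "/shop" must not match "/shopping": require a "/" boundary
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

def cookies_for(jar, scheme, host, path, now):
    """Names of the cookies a browser would attach to this request."""
    sent = []
    for c in jar:
        if c.expires is not None and c.expires <= now:
            continue                 # persistent cookie past its expiry
        if c.secure and scheme != "https":
            continue
        if domain_matches(host, c) and path_matches(path, c.path):
            sent.append(c.name)
    return sent

# Constructed sample jar (hosts under example.test are placeholders)
JAR = [
    StoredCookie("JSESSIONID", "shop.example.test", "/shop", secure=True),
    StoredCookie("sid_copy", "example.test", "/", host_only=False, expires=2_000.0),
    StoredCookie("old_vote", "shop.example.test", "/", expires=500.0),
]

if __name__ == "__main__":
    print(cookies_for(JAR, "https", "shop.example.test", "/shop/cart", now=1_000.0))
    print(cookies_for(JAR, "https", "other.example.test", "/", now=1_000.0))
```

The second request shows why scope matters for session identifiers: the host-only JSESSIONID stays with the host that set it, while a persistent copy scoped to the whole domain is also sent to sibling hosts.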
Session mechanism. The session mechanism is a server-side mechanism, and the server uses a structure similar to a hash table (it may well be a hash table) to hold information.
When a program needs to create a session for a client's request, the server first checks whether the request contains a session identifier (called the session id). If it does, a session has already been created for this client, and the server retrieves that session by its session id (if it cannot be retrieved, a new one is created). If the client request does not contain a session id, the server creates a session for this client and generates a session id associated with it. The value of the session id should be a string that neither repeats nor follows a pattern that is easy to discover and forge, and the session id is returned to the client in this response.
The session id can be saved in a cookie, so that during the interaction the browser automatically sends the identifier to the server according to the rules. Generally speaking, the name of this cookie is something like SESSIONID. However, cookies can be deliberately disabled, so there must be other mechanisms to pass the session id back to the server when cookies are disabled.
A technique that is often used is called URL rewriting, which appends the session id directly to the URL path. Another technique is hidden form fields: the server automatically modifies the form to add a hidden field, so that the session id is passed back to the server when the form is submitted. In fact, this technique can simply be replaced by applying URL rewriting to the form's action.
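The lookup-or-create procedure above, as a small language-neutral model. This is an added example, not code from the original article or from any servlet container: `SessionStore` and `parse_cookie_header` are hypothetical names, the cookie attributes assume the site is served over HTTPS, and the sample cookie values are constructed.

```python
import secrets

def parse_cookie_header(header):
    """Split a Cookie request header ("a=1; b=2") into a dict."""
    pairs = {}
    for part in (header or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs[name] = value
    return pairs

class SessionStore:
    COOKIE = "JSESSIONID"

    def __init__(self):
        self._sessions = {}   # session id -> per-user data (the "hash table")

    def _new_id(self):
        # 128 bits from the OS CSPRNG: does not repeat, has no pattern to forge
        return secrets.token_hex(16)

    def get_or_create(self, cookie_header):
        """Return (session, set_cookie_header); header is None for a known id."""
        presented = parse_cookie_header(cookie_header).get(self.COOKIE)
        if presented in self._sessions:
            return self._sessions[presented], None
        # Missing or unknown id: issue a fresh one and never adopt the
        # client-supplied value, so a planted id cannot become a session.
        sid = self._new_id()
        self._sessions[sid] = {}
        header = f"{self.COOKIE}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
        return self._sessions[sid], header

if __name__ == "__main__":
    store = SessionStore()
    session, set_cookie = store.get_or_create(None)      # first visit
    session["voted"] = True                              # state lives server-side
    sid = set_cookie.split(";")[0].split("=", 1)[1]
    again, _ = store.get_or_create(f"JSESSIONID={sid}")  # return visit
    print(again.get("voted"), set_cookie is not None)
    # Constructed value the server never issued: a new session is created
    print(store.get_or_create("JSESSIONID=KWJHUG6JJM65HS2K6")[1] is not None)
```

The vote flag is kept in the server-side session rather than inferred from the presence of any cookie, which is the failure the JSP snippet at the top of the article ran into.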