Explain the relationship and difference between COOKIE and SESSION in detail

2025-03-30 Update | From: SLTechnology News&Howtos (shulou), Servers

Shulou(Shulou.com)06/02 Report--

In technical interviews we are often asked to "tell me the difference between Cookie and Session". As we all know, Session is stored on the server side and Cookie on the client side. But if you are asked to explain in more detail, how many points could you make? Today, Tuijun will talk with you about "Cookie and Session".

What is Cookie?

Judging from the meaning of the word itself:

Cookie:

n. Cookies; desserts.

N-COUNT: A cookie is a piece of computer software which enables a website you have visited to recognize you if you visit it again.

Cookie is a mechanism for the client to save user information; it is used to record some information about the user. How does the server tell specific customers apart? Cookie can do it: with every HTTP request, the client sends the matching Cookie information to the server. Its expiration time can be set freely, and unless you actively clear it, it can be kept for a long time, even if you turn off your computer in the meantime.

Since it is stored on the client side, could I, by some means, tamper with the locally stored information to deceive some of the server's policies? What then? Let's set that question aside for now and take a look at another friend: Session.

What is Session?

Again, let's take a look at the interpretation:

Session:

General interpretation: n. A meeting; a session of a court; a session of parliament, etc; a semester; a workshop

Computer interpretation: conversation

Session is a mechanism the server uses to record user state and identify specific users on top of the stateless HTTP protocol. It is a data structure saved on the server side to track the user's status, and it can be kept in files, in a database, or in a cluster. This Session seems to disappear after the browser is closed: the next time you open the browser, you no longer have that Session. In fact, the Session has not disappeared; the Session ID has changed. The server may still hold your previous Session ID and its Session data, but they are now in an ownerless state and may be deleted after a period of time.

In fact, both Cookie and Session are ways of keeping a conversation going. Take a typical scenario such as a "shopping cart": when you click the order button, the server does not by itself know which specific user performed which specific action. To identify and track the user and find out how many items are in the shopping cart, the server gets this information by creating a Cookie/Session for the user.

If your site is deployed on multiple nodes and uses Nginx for load balancing, Sessions may get lost (for example, you are suddenly logged out). In this case you can use IP-based load balancing (Nginx's ip_hash: each request is assigned according to the hash of the visitor's IP address, so that the same visitor always reaches the same back-end server, which sidesteps the Session problem), or store the Session information in a cluster. Large websites usually have a dedicated cluster of Session servers that hold user sessions, and caching services such as Memcached or Redis can be used to store the Session.
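The paragraph above describes two ways of surviving a multi-node deployment: route each visitor to the same node (ip_hash), or let every node read one shared Session store. The following Python simulation is an added example written for this page, not code from the original article or from Nginx; it models two back-end nodes, a round-robin balancer, a simplified ip_hash stand-in (SHA-256 over the client address, which is not Nginx's actual hash), and a per-node versus shared session table. The node names, Session ID and client IP are constructed sample values.

```python
import hashlib


class Node:
    """One back-end server. With its own dict it models the naive per-node session table;
    with a shared dict it models a Session cluster (Memcached/Redis) that every node reads."""

    def __init__(self, name, shared_store=None):
        self.name = name
        self.store = shared_store if shared_store is not None else {}

    def login(self, sid, user):
        self.store[sid] = {"user": user}

    def whoami(self, sid):
        entry = self.store.get(sid)
        return entry["user"] if entry else None  # None models "suddenly logged out"


def round_robin(nodes, request_index, client_ip):
    """Default balancing: consecutive requests go to different nodes."""
    return nodes[request_index % len(nodes)]


def ip_hash(nodes, request_index, client_ip):
    """Same idea as Nginx ip_hash: derive the node from the client address, so one visitor
    always lands on the same server. Nginx's own hash differs; SHA-256 here is a stand-in."""
    digest = hashlib.sha256(client_ip.encode()).digest()
    return nodes[int.from_bytes(digest[:4], "big") % len(nodes)]


def simulate(pick, shared):
    """Log in through whichever node the balancer picks first, then send a second request
    through the node it picks next. Returns the user the second node sees, or None if
    the session was lost in between."""
    store = {} if shared else None          # one shared dict, or a private dict per node
    nodes = [Node("app1", store), Node("app2", store)]
    sid, client_ip = "sid-constructed-0001", "203.0.113.7"  # constructed sample values
    first = pick(nodes, 0, client_ip)
    first.login(sid, "alice")
    second = pick(nodes, 1, client_ip)
    return second.whoami(sid)


if __name__ == "__main__":
    for pick in (round_robin, ip_hash):
        for shared in (False, True):
            seen = simulate(pick, shared)
            print(f"{pick.__name__:12s} shared_store={shared!s:5s} -> second request sees {seen}")
```

Round-robin with per-node tables is the configuration that logs users out at random; ip_hash avoids it only as long as the chosen node stays up and clients do not share an address (everyone behind one NAT lands on the same node), which is why the article's large sites move the Session into a shared cluster instead.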

At present, most applications use Cookie to implement Session tracking. When a Session is created for the first time, the server replies to the client over HTTP and has it record a Session ID in a Cookie, so that every later request can tell the server who you are. Someone asks: what if the client browser disables Cookie? Then URL rewriting is recommended for session tracking: on every HTTP interaction a parameter such as sid=xxxxx is appended to the URL, and the server identifies the user from it.
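To make the mechanism described in the last few paragraphs concrete (server-side store, Session ID carried in a Cookie, the sid URL parameter as fallback, and the "ownerless" sessions that expire), here is an added Python example. It is not code from the original article; the cookie name SESSIONID, the 30-minute inactivity timeout, the cookie attributes and the in-memory dict standing in for a file/database/Redis store are all this example's own assumptions.

```python
import secrets
import time
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Server-side session store: Session ID -> {"data": ..., "expires": ...}.
# In-memory dict for illustration; a deployment would use a file, database or Redis.
SESSION_STORE = {}
SESSION_TTL = 1800  # assumed: seconds of inactivity before the server discards a session


def create_session(data, now=None):
    """Create a new server-side session and return its ID."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)  # 256 random bits: the ID must not be guessable
    SESSION_STORE[sid] = {"data": dict(data), "expires": now + SESSION_TTL}
    return sid


def set_cookie_header(sid):
    """Header the server sends once, so the client records the Session ID in a Cookie.
    HttpOnly keeps page scripts from reading it, Secure limits it to HTTPS, SameSite=Lax
    limits cross-site sending (attribute choice is this example's own)."""
    return f"Set-Cookie: SESSIONID={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def extract_sid(request_headers, request_url):
    """Find the Session ID: from the Cookie header first, then from a 'sid' URL
    parameter (the URL-rewriting fallback for clients that disable cookies)."""
    cookie_header = request_headers.get("Cookie")
    if cookie_header:
        jar = SimpleCookie()
        jar.load(cookie_header)
        if "SESSIONID" in jar:
            return jar["SESSIONID"].value
    query = parse_qs(urlsplit(request_url).query)
    if "sid" in query:
        return query["sid"][0]
    return None


def lookup_session(sid, now=None):
    """Return the session data for sid, or None if unknown or expired.
    Expired entries are the 'ownerless' sessions the article mentions; dropped here."""
    now = time.time() if now is None else now
    entry = SESSION_STORE.get(sid)
    if entry is None:
        return None
    if entry["expires"] < now:
        del SESSION_STORE[sid]
        return None
    entry["expires"] = now + SESSION_TTL  # sliding expiry: activity keeps it alive
    return entry["data"]


def handle_request(request_headers, request_url, now=None):
    """Resolve the client's session. Returns (data, None) for a recognised client and
    (fresh_data, set_cookie_header) when a new session had to be created.
    An ID the server never issued simply maps to nothing and gets a fresh session."""
    sid = extract_sid(request_headers, request_url)
    data = lookup_session(sid, now) if sid else None
    if data is not None:
        return data, None
    new_sid = create_session({"cart": []}, now)
    return SESSION_STORE[new_sid]["data"], set_cookie_header(new_sid)


if __name__ == "__main__":
    # Constructed exchange: first visit issues a cookie; later visits carry it back.
    data, header = handle_request({}, "https://shop.example/cart")
    print(header)
    sid = header.split("SESSIONID=")[1].split(";")[0]
    data["cart"].append("book")
    again, _ = handle_request({"Cookie": f"SESSIONID={sid}"}, "https://shop.example/cart")
    print(again)                                   # cart persisted across requests
    via_url, _ = handle_request({}, f"https://shop.example/cart?sid={sid}")
    print(via_url is again)                        # same session found via URL rewriting
```

The `now` parameter exists only so expiry can be exercised deterministically; in service code the wall clock is used. Note that the URL-rewriting fallback puts the Session ID into something that is logged, bookmarked and sent in Referer headers, which is one reason the Cookie route is preferred when it is available.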

Let's change perspective ~

The communication between the client and the server can be understood as follows:

For example, at a technology-sharing salon you think a lecturer speaks very well, so you ask him a few questions after the talk and he answers them. That is a conversation. But the lecturer is so popular that the staff collect the questions and hand each questioner a numbered board; the answers are then given out and delivered to the right person by number. That is Session. Some time later you meet this lecturer again, and he finds he still has the answer he gave you last time, so he knows you are that studious programmer. You are ecstatic: wow, the lecturer actually recognized me! That is Cookie, your dessert. The client is like the technology enthusiast attending the lecture, and the server is the lecturer.

Cookie can also be used in some user-friendly scenarios. For example, you have logged on to a website once and don't want to enter your account again the next time you log in; what can be done? This information can be written into a Cookie; when you visit the site again, the script on the page reads it and fills in the user name automatically, which makes the site easier to use and gives users some sweetness.

Summary:

1. Cookie is on the client side (browser) and Session is on the server side.

2. Cookie security is limited. Others can inspect the Cookie stored locally and cheat by modifying it. With safety first, Session is better: important interactive information such as permissions should be kept in the Session, and ordinary records can be put in the Cookie.

3. The data saved in a single Cookie cannot exceed 4K, and many browsers limit a site to 20 Cookies.

4. Session can be kept in a file, a database, or memory, for example saving the Session in redis when using Node. Because it is kept on the server for a certain period of time, it consumes a lot of server resources as traffic grows. To reduce the load on the server, Cookie should be used where appropriate.

5. Session relies on the Session ID, and the Session ID is stored in a Cookie; that is, if the browser disables Cookie, Session also fails (although it can still be achieved in other ways, such as passing the Session ID in the URL).

6. Session is usually used for user verification. Therefore, the core of maintaining a session is the unique identifier of the client, namely the Session ID.

Off topic: can a Session Cookie be tampered with?

Theoretically yes, as long as you change the Session ID of the connection.
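Summary point 2 and the closing question both come down to the same thing: anything stored on the client can be edited there, so the server must either keep the decision-relevant data in the Session or be able to detect that a Cookie was changed. The Python below is an added example for this page, not the article's code; it contrasts a server that trusts a plain-text Cookie with one that only accepts a Cookie whose HMAC-SHA256 tag checks out. The key, payloads and cookie layout (`<base64 body>.<hex tag>`) are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import json

# Server-only secret. Constructed for this example; a deployment loads it from
# configuration and never sends it to the client.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def plain_cookie(payload):
    """A Cookie that carries its data in the clear, with nothing protecting it."""
    return json.dumps(payload, sort_keys=True)


def naive_role(cookie):
    """What summary point 2 warns against: the server believes whatever the Cookie says."""
    return json.loads(cookie).get("role", "anonymous")


def encode_body(payload):
    """Deterministic, cookie-safe serialization of the payload."""
    return base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()


def sign_cookie(payload, key=SERVER_KEY):
    """Issue a Cookie as <body>.<tag>, where tag = HMAC-SHA256(key, body)."""
    body = encode_body(payload)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(cookie, key=SERVER_KEY):
    """Return the payload only if the tag matches; None for anything edited or forged."""
    try:
        body, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body.encode()))
    except ValueError:                           # bad base64 or bad JSON
        return None


def verified_role(cookie):
    """Same decision as naive_role, but only after the tag checks out."""
    payload = verify_cookie(cookie)
    return payload["role"] if payload and "role" in payload else "anonymous"


def locally_modified(cookie, new_payload):
    """Model the local edit the article describes: the body is rewritten on the client,
    but the client cannot recompute the tag without the server's key."""
    return f"{encode_body(new_payload)}.{cookie.rsplit('.', 1)[1]}"


if __name__ == "__main__":
    issued = sign_cookie({"user": "alice", "role": "user"})
    edited = locally_modified(issued, {"user": "alice", "role": "admin"})
    print(verified_role(issued))   # user
    print(verified_role(edited))   # anonymous: the edit is detected and rejected
```

The tag gives integrity only: the body is base64, so the client can still read it, and a valid Cookie can be replayed until it expires. That is why the article's advice stands even with signing in place: permissions belong in the server-side Session, and the Cookie should carry only a Session ID that the server issued. Changing that ID locally, the case raised in the closing question, yields whatever session the new ID maps to; for an ID the server never handed out, that is nothing at all.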
