The HTTP protocol is stateless, but many applications need the server to keep track of the client's state, for example online shopping. This is where cookies and sessions come in.
The connection between cookies and sessions
The cookie mechanism keeps state on the client, while the session mechanism keeps state on the server. However, the server-side scheme still needs to store an identifier on the client, so the session mechanism may rely on the cookie mechanism to hold that identifier. In practice it also has other options.
Cookie mechanism
Cookie technology
Cookies identify the user, perform session tracking and store data on the user's local terminal (usually encrypted).
Cookie components
1. The cookie header line (Set-Cookie) of the HTTP response message
2. The Cookie header line of the HTTP request message
3. The cookie file saved on the client host and managed by the browser
4. The backend database on the web server
Cookie principle
Cookies are distributed by extending the HTTP protocol: the server adds a special instruction line to the HTTP response header, which prompts the browser to generate the corresponding cookie according to that instruction. One thing to note is that pure client-side scripts such as JavaScript or VBScript can also generate cookies, so there are potential security risks.
Cookies are used automatically: the browser sends them to the server in the background according to certain rules. The browser checks all of its cookies, and if a cookie's declared scope covers the location of the resource being requested, the cookie is attached to the HTTP header of the request for that resource and sent to the server.
The content of a cookie mainly includes its name, value, expiration time, path and domain. The path and domain together form the cookie's scope. If no expiration time is set, the cookie lives only for the duration of the browser session: when the browser window is closed, the cookie disappears. A cookie whose lifetime is the session is called a session cookie; session cookies are generally kept in memory rather than on the hard disk. If an expiration time is set, the browser saves the cookie to the hard disk, and after the browser is closed and reopened the cookie remains valid until the expiration time has passed. Cookies stored on the hard disk can be shared between different browser processes.
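The following is an added example (not code from the original article) that models the browser-side rules just described: cookies are parsed from Set-Cookie lines, a cookie is attached to a request only when its domain and path scope covers the resource, a cookie without an expiry is a session cookie that disappears when the browser closes, and a cookie with Max-Age persists. The names (Cookie, parse_set_cookie, in_scope, cookie_header, close_browser) and the sample header values are assumptions made for this example.

```python
# Added example: a minimal model of a browser cookie jar and its scope rules.
# Not from the article; sample inputs in the tests below are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    path: str
    expires: Optional[float]  # None = session cookie: lives only until the browser closes

def parse_set_cookie(header: str, request_host: str, now: float = 0.0) -> Cookie:
    """Parse one Set-Cookie header value into a Cookie with its scope resolved."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain, path, expires = request_host.lower(), "/", None  # defaults: issuing host, root, session
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            domain = val.strip().lstrip(".").lower()
        elif key == "path":
            path = val.strip() or "/"
        elif key == "max-age":
            expires = now + int(val)  # persistent cookie: written to disk, survives a restart
    return Cookie(name.strip(), value.strip(), domain, path, expires)

def in_scope(c: Cookie, host: str, path: str) -> bool:
    """A cookie is attached only when its domain+path scope covers the requested resource."""
    host = host.lower()
    domain_ok = host == c.domain or host.endswith("." + c.domain)
    path_ok = path == c.path or path.startswith(c.path.rstrip("/") + "/")
    return domain_ok and path_ok

def cookie_header(jar: list, host: str, path: str, now: float) -> str:
    """Build the Cookie request header line from unexpired, in-scope cookies."""
    live = [c for c in jar if c.expires is None or c.expires > now]
    return "; ".join(f"{c.name}={c.value}" for c in live if in_scope(c, host, path))

def close_browser(jar: list) -> list:
    """Session cookies live in memory and vanish on browser close; persistent ones remain."""
    return [c for c in jar if c.expires is not None]
```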
Session mechanism
In web development, the server can create a session object for each user's browser. Note: one browser owns one session object (by default). So when user data needs to be saved, the server program can write it to the session that belongs exclusively to that user's browser. When the user visits other programs with the same browser, those programs can retrieve the user's data from the user's session and use it to serve the user.
Session is a server-side mechanism. The server uses a structure similar to a hash table to hold the information. When the program needs to create a session for a client request, the server first checks whether the client's request already contains a session identifier (called a session id).
If it does, a session was created for this client earlier; the server retrieves that session by the session id and uses it. If it cannot be retrieved, the server creates a new one.
If the client request does not include a session id, the server creates a session for the client and generates a session id associated with it. The session id should be a unique, irregular string that cannot easily be forged. It is returned to the client in this response so the client can store it.
The session id can be saved in a cookie, so that during the interaction the browser automatically sends the identifier to the server according to the rules. The cookie is usually named something like SESSIONID. But cookies can be disabled by the user, so there must be other mechanisms to carry the session id to the server when cookies are disabled.
A frequently used technique is URL rewriting, which appends the session id directly to the end of the URL path. Another is the form hidden field: the server automatically modifies the form and adds a hidden field so that the session id is sent to the server when the form is submitted, for example:
<form name="testform" action="/xxx">
  <input type="hidden" name="jsessionid" value="ByOK3vjFD75aPnrF7C2HmdnV6QZcEbzWoWiBYEnLerjQ99zWpBng!-145788764">
  <input type="text">
</form>
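The session flow described above (look the client's id up in a hash-table-like store, reuse the session if it is found, otherwise mint a fresh unforgeable id and hand it back in a cookie, with URL rewriting as the fallback when cookies are disabled), as an added example that is not the article's own code. Assumptions made here: the SessionStore class and method names, a server-side lifetime SESSION_TTL of 1800 seconds, the HttpOnly and Path attributes on the cookie, and Python's secrets.token_urlsafe as the id generator.

```python
# Added example: a minimal server-side session table. Not from the article;
# names, the TTL and the cookie attributes are assumptions for this example.
import secrets
import time

SESSION_COOKIE = "SESSIONID"   # cookie name, as in the article
URL_PARAM = "jsessionid"       # parameter name used by URL rewriting / the hidden field
SESSION_TTL = 1800             # assumed server-side lifetime of a session, in seconds

class SessionStore:
    """Hash-table-like store: session id -> {"data": {...}, "expires": t}."""
    def __init__(self):
        self._table = {}

    def find_session_id(self, cookie_header="", query=""):
        """Take the id from the Cookie header, or from the rewritten URL when cookies are off."""
        for part in cookie_header.split(";"):
            k, _, v = part.strip().partition("=")
            if k == SESSION_COOKIE and v:
                return v
        for pair in query.split("&"):
            k, _, v = pair.partition("=")
            if k.lower() == URL_PARAM and v:
                return v
        return None

    def get_or_create(self, cookie_header="", query="", now=None):
        """Return (session_id, data, set_cookie_header_or_None)."""
        now = time.time() if now is None else now
        sid = self.find_session_id(cookie_header, query)
        entry = self._table.get(sid) if sid else None
        if entry and entry["expires"] > now:
            entry["expires"] = now + SESSION_TTL      # refresh the lifetime on use
            return sid, entry["data"], None           # known session: no new cookie needed
        # unknown, expired or client-invented id: never adopt it, mint a fresh random one
        sid = secrets.token_urlsafe(32)
        self._table[sid] = {"data": {}, "expires": now + SESSION_TTL}
        return sid, self._table[sid]["data"], f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly"

    def rewrite_url(self, url, sid):
        """URL rewriting fallback: carry the session id in the URL itself."""
        sep = "&" if "?" in url else "?"
        return f"{url}{sep}{URL_PARAM}={sid}"
```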
To sum up, the differences can be summarized as follows:
1. Cookie data is stored in the client's browser; session data is stored on the server.
2. Cookie data is not very secure: others can read the locally stored cookies and perform cookie spoofing, so important information such as login details should be kept in the session, while other information that needs to be retained can be stored in cookies.
3. A session is kept on the server for a certain period of time. As the number of visitors increases, sessions consume more server resources.
4. A single cookie cannot hold more than 4K of data, and many browsers limit a site to at most 20 cookies.