
Describe session and cookie session control in detail

韦小宝 (Original)
2018-03-14 17:44:59 · 1458 views

This article covers session and cookie session control. If you are not familiar with session and cookie session control, or are interested in it, read on. Without further ado, let's get to the point.

Front-end developers are all familiar with cookies, and often wrap helper methods such as setcookie and getcookie around them. The session, on the other hand, is like a most familiar stranger: we use it when we work with back-end developers on projects, but we don't understand its essence. Let's discuss it in detail.

cookie

Storage location: Stored on the client
Function: Stores data across pages within the same domain (we generally seem to use it for things like the username and password)

A cookie generally contains the information shown below:


Transmission: The following is an HTTP request message


With every request that is sent, the cookie is sent to the back end along with the HTTP message.

The relationship between cookie and session


session

Below I use PHP as the example language to explain the session.

As can be seen from the above, the session is stored on the server side, in the form of a file.

The session has many settings, such as the expiration time. Let's open the php.ini file to check them (it contains a lot of PHP configuration; I removed many of the comments).


Let's take a closer look at the session ID.


It can be seen that this matches the session.name = "PHPSESSID" setting above.

We already know how the browser carries the session ID and sends it to the back end, and where the session file is stored on the back end. How does the back end actually parse and use the session ID? Let's continue the analysis.

To analyze the mechanism, see the following PHP code:

<?php
    // Start (or resume) the session identified by the PHPSESSID cookie.
    session_start();
    header("Content-Type: text/html;charset=utf-8");
    // ?? avoids an undefined-index warning on the first visit.
    if (($_SESSION['username'] ?? '') != 'success') {
        /* /php/index.php is the path of the current file */
        $string = <<<EOF
            <form action="/php/index.php" method="post">
                <input type="text" name="value">
                <input type="submit">
            </form>
EOF;
        echo $string;
    }
    if (($_SESSION['username'] ?? '') == 'success') {
        // "登录成功" means "login successful".
        echo "登录成功".PHP_EOL;
    }
    if (($_POST['value'] ?? '') == 'ys') {
        // Record the login state in the server-side session file.
        $_SESSION['username'] = 'success';
        echo "登录成功".PHP_EOL;
    }
?>

Run the PHP file and walk through the session process.


Notice that the session ID in the Cookie header of the HTTP request is the same as the name of the session file on the server.

In this way, the unique session file can be found from the session ID sent with each request. Next, let's see what this file looks like.

username|s:7:"success";s|s:7:"success";ss|s:7:"success";

This is the content of the file. It contains s, ss and username, where s and ss are names I used in earlier tests (they can be ignored), which leaves:

username|s:7:"success";

The back end can then identify the unique session from the session ID on every request and check values such as $_SESSION['username'], which is how the cookie and the session work together.
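The lookup described above, written out in Python as an added illustration (it is not code from the original article and not PHP's own implementation): it takes the Cookie header, validates the session ID, opens the matching file and decodes the name|value records. It assumes PHP's default files handler, which names each file sess_<session ID>; the function names and the session ID pattern are this example's own.

```python
import re
from http.cookies import SimpleCookie
from pathlib import Path

# Assumption: the character set PHP's "files" handler accepts in a session ID.
SID_RE = re.compile(r"[A-Za-z0-9,-]{22,256}")

def session_id_from_cookie(header, name="PHPSESSID"):
    """Extract the session ID from a Cookie request header, or None."""
    jar = SimpleCookie()
    jar.load(header)
    morsel = jar.get(name)
    # Reject anything such as "../x" so the ID can never leave the save path.
    if morsel is None or not SID_RE.fullmatch(morsel.value):
        return None
    return morsel.value

def parse_session(data):
    """Decode 'name|value' records of the default php session format.
    Only string (s), integer (i) and boolean (b) values are handled."""
    out, pos = {}, 0
    while pos < len(data):
        bar = data.index(b"|", pos)
        key, kind = data[pos:bar].decode(), data[bar + 1:bar + 2]
        if kind == b"s":                      # s:<byte length>:"<bytes>";
            colon = data.index(b":", bar + 3)
            start = colon + 2
            end = start + int(data[bar + 3:colon])
            if data[colon + 1:start] != b'"' or data[end:end + 2] != b'";':
                raise ValueError("malformed string value for " + key)
            out[key], pos = data[start:end].decode(), end + 2
        elif kind in (b"i", b"b"):            # i:<int>;  or  b:<0|1>;
            end = data.index(b";", bar)
            num = int(data[bar + 3:end])
            out[key], pos = (bool(num) if kind == b"b" else num), end + 1
        else:
            raise ValueError("unsupported value type for " + key)
    return out

def load_session(cookie_header, save_path):
    """Map a request's Cookie header to its session data."""
    sid = session_id_from_cookie(cookie_header)
    path = Path(save_path) / f"sess_{sid}"
    if sid is None or not path.is_file():
        return {}                             # unknown ID: empty session
    return parse_session(path.read_bytes())

# Constructed sample modelled on the session file shown above.
SAMPLE = b'username|s:7:"success";s|s:7:"success";ss|s:7:"success";'
```

Because the length prefix in s:7: is a byte count, the parser slices bytes before decoding, so multi-byte values are read correctly.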
