Cookies and sessions
Cookies and sessions exist to keep track of a user's access state across requests. They make business logic easier to implement, and they also simplify server-side program design and improve access performance. A cookie is a client-side (browser) mechanism: once it has been set, it is sent along with every subsequent request to the server. A session is a server-side mechanism that stores the user's access information on the server.
When cookies are used to carry information, the bandwidth they consume grows with the number of cookies and the number of visits. The biggest weakness of keeping information in a session is that it is not easy to share across multiple servers.
1 Cookie
Generally, when a user accesses the server over HTTP, the server returns some key-value pairs to the client browser together with restrictions on them. If the restrictions are satisfied, the browser sends the previously set cookie key-value pairs the next time the user accesses the server. When the user enters a URL, the browser looks on the local disk for the cookies associated with that URL; if any exist, the browser sends them to the site together with the page request.
Cookies are associated with a website, not with a specific page, so whichever page in the site the user requests, the browser and server exchange cookie information. When the user visits different sites, each site may send its own cookies to the browser, and the browser stores each site's cookies separately.
Cookie attributes
There are currently two cookie versions, version 0 and version 1, with two corresponding response header names: Set-Cookie and Set-Cookie2.
Version 0 cookie attributes
Version 1 cookie attributes
Example of using cookies in Java
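The servlet below is an added illustration written for this page, not the article's own listing. It sets a cookie with each of the restrictions the browser will check before sending it back (path, lifetime, HttpOnly, Secure), reads cookies on later requests, and shows how a cookie is deleted. The cookie name, its value, and the URL mapping are assumptions; it targets the Servlet 3.0+ API in the `javax.servlet` package (on Jakarta EE 9 and later the package is `jakarta.servlet`).

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added illustration, not the article's own listing. Cookie name, value and
// URL mapping are assumptions chosen for the demo.
@WebServlet("/cookie-demo")
public class CookieDemoServlet extends HttpServlet {

    private static final String COOKIE_NAME = "lang";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = response.getWriter();

        // Read back what the browser sent. getCookies() returns null when the
        // request carried no Cookie header at all, so that case must be handled.
        String current = readCookie(request, COOKIE_NAME);
        out.println("cookie " + COOKIE_NAME + " = " + current);

        // Set (or refresh) the cookie. Each attribute is one of the restrictions
        // the browser applies before it sends the cookie back.
        Cookie cookie = new Cookie(COOKIE_NAME, "zh-CN");
        cookie.setPath(request.getContextPath() + "/"); // sent only for this web app's URLs
        cookie.setMaxAge(7 * 24 * 60 * 60);             // seconds; 0 deletes it, -1 = until the browser closes
        cookie.setHttpOnly(true);                       // hidden from document.cookie (Servlet 3.0+)
        cookie.setSecure(request.isSecure());           // when served over HTTPS, never sent over plain HTTP
        response.addCookie(cookie);
    }

    // Returns the value of the named cookie, or null if the browser did not send it.
    static String readCookie(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) {
                return c.getValue();
            }
        }
        return null;
    }

    // Deleting a cookie means sending it again with Max-Age=0 and the same path;
    // a different path would create a second cookie instead of removing the first.
    static void deleteCookie(HttpServletResponse response, String name, String path) {
        Cookie gone = new Cookie(name, "");
        gone.setPath(path);
        gone.setMaxAge(0);
        response.addCookie(gone);
    }
}
```

The `Cookie` class has no setter for the SameSite attribute; on Tomcat that is configured on the cookie processor in the context configuration rather than in servlet code. Everything in the cookie is visible to the user and can be rewritten by them, so the value should be treated as untrusted input when it is read back, as the comparison section later on this page spells out.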
Some precautions for using cookies (taking Java as an example)
Some limitations of cookies
A cookie is a field in the HTTP header. HTTP itself places no restrictions on this field, but cookies are ultimately stored in the browser, and different browsers impose limits on cookie storage, as the following table shows:
If you try to store more cookies than the limit allows, the oldest cookie is discarded.
2 Session
Sessions solve the problem that a growing number of cookies increases the volume of data transferred between client and server. When the same client interacts with the server, it does not need to send back every cookie value each time, only a single ID value. This ID is generated the first time the client accesses the server and is unique per client; it is usually carried in a cookie named JSESSIONID.
How does a session work on top of cookies? The session ID can be carried as a URL path parameter or in a cookie; cookie-based tracking is supported by default as long as the cookie ID in the context container is not modified. When the browser does not support cookies, the server rewrites the session cookie name into the URL of the user's request, in the form /path/servlet;name=xxx;name2=xxx2?name3=xxx3. If the session-config item is configured in web.xml, the name element under cookie-config gives the session cookie name (sessionCookieName); if session-config is not configured, the default session cookie name is JSESSIONID. Note that the cookie associated with the session is no different from any other cookie. If the client does support cookies, Tomcat still resolves the session ID from the cookie, and that value overrides the session ID in the URL.
How session works
Once the server has a session ID, it can create an HttpSession object the first time request.getSession() is called. If there is no matching HttpSession object, a new one is created and saved in the sessions container of the org.apache.catalina.Manager. The Manager handles the whole session lifecycle: expired sessions are recycled, and when the server is shut down sessions are serialized to disk. Note that one client corresponds to one session object, which stores the session values we created.
The StandardSession returned by request.getSession() always exists, even if the session associated with this client has expired. If it has expired, a new session is created, but the previously set session values are lost.
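The servlet below is an added example written for this page, not code from the article or from Tomcat. It shows the session lifecycle just described from the application's side: getSession() returning the existing session or a fresh one after expiry, attribute storage, the idle timeout the Manager enforces, and invalidation at logout. It also rotates the session ID at login with changeSessionId() (Servlet 3.1+), so that an ID the browser was handed before authentication is never the ID that becomes authenticated. The attribute name, URL mappings and the credential check are placeholders.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added illustration, not the article's code. The attribute name and the
// credential check are placeholders; a real check verifies a stored password hash.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    static final String USER_ATTR = "user";

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = request.getParameter("username");
        String pass = request.getParameter("password");
        if (!credentialsValid(user, pass)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // getSession() returns the session matched by the JSESSIONID the browser
        // sent, or creates a new one if none exists or the old one has expired.
        // Whatever was stored in an expired session is gone at this point.
        HttpSession session = request.getSession();

        // Rotate the ID at the moment of authentication: the session object and
        // its attributes are kept, only the JSESSIONID value changes (Servlet 3.1+).
        request.changeSessionId();

        session.setAttribute(USER_ATTR, user);
        session.setMaxInactiveInterval(30 * 60);  // idle seconds before the Manager expires it
        response.sendRedirect(request.getContextPath() + "/home");
    }

    // Look up the logged-in user without creating a session as a side effect:
    // getSession(false) returns null instead of allocating a fresh, empty session.
    static String currentUser(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return null;
        }
        Object user = session.getAttribute(USER_ATTR);
        return user instanceof String ? (String) user : null;
    }

    // Logout: invalidate() removes the session from the Manager's container, so
    // the JSESSIONID the browser still holds no longer resolves to anything.
    static void logout(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }

    // Placeholder so the example compiles; replace with a real credential store.
    private static boolean credentialsValid(String user, String pass) {
        return user != null && pass != null && !user.isEmpty() && !pass.isEmpty();
    }
}
```

The matching container-side settings live in the session-config element of web.xml that the text above mentions: session-timeout sets the default idle timeout in minutes, cookie-config with http-only and secure set those flags on the JSESSIONID cookie, and a tracking-mode of COOKIE turns off the URL rewriting described above, so the session ID never appears in URLs where it would end up in logs, bookmarks and Referer headers.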
3 Comparison of cookie and session security
Cookies transmit their saved data from the client to the server in the HTTP header, and from the server back to the client. All of the data is held in the client browser, where it can be read and even added to or modified through plug-ins, so the security of cookies is relatively poor. A session, by comparison, keeps the data on the server side, which is much more secure; the client needs only one cookie carrying the session ID. Session is therefore better suited to holding user privacy and other important data.
Distributed session framework
In large Internet applications, cookies and sessions cannot simply be used on their own. If cookies are used, the problem of distributed deployment is solved well: one application in a large Internet system runs on hundreds of machines, and many different application systems work together, but because a cookie stores its data in the user's browser and the user sends that data back with every visit, the same user's requests being handled by different servers does not lead to inconsistency.
Because the application runs as a cluster, all sessions cannot be kept in each server's memory: if each server has hundreds of thousands of users, the server memory is not enough, and even if it were, sessions could not be synchronized to the other servers. The shared sessions therefore need to be kept in a dedicated distributed cache that can be read and written at any time and whose performance is good enough for the requirements. Memcache/Redis or Taobao's open-source distributed framework Tair are good choices, for example.
Form duplicate submission problem
Many website problems come from forms being submitted repeatedly. To prevent repeated submission, each access request from the user must be identifiable, so that every request is unique to the server. To identify each request, a hidden form field can be added to the form the user requested, whose value is a unique token, for example:
When the user requests the form, a unique token is generated and stored in the user's session. When the user submits, the submitted token is checked against the one saved in the session. If they match, there was no repeated submission, and the token in the session is replaced with a new value; otherwise the submitted token is not the legal token of the current request and the submission fails.
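The servlet below is an added example written for this page, not the article's code. It carries the procedure just described through in full: a token is generated with SecureRandom and stored in the session when the form is rendered, the submitted token is compared with the stored one in constant time, a match replaces the stored token so the same form cannot be accepted twice, and a mismatch is refused before any business logic runs. The URL, field name, session attribute name and the "order" being placed are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added illustration, not the article's code. URL, field and attribute names
// are assumptions; the "order" being placed is a stand-in for any form.
@WebServlet("/order")
public class OrderFormServlet extends HttpServlet {

    static final String TOKEN_FIELD = "token";        // hidden form field
    static final String TOKEN_ATTR = "form.token";    // session attribute
    private static final SecureRandom RANDOM = new SecureRandom();

    // Generate an unguessable token, store it in the session, return it for the form.
    static String issueToken(HttpSession session) {
        byte[] raw = new byte[32];
        RANDOM.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(TOKEN_ATTR, token);
        return token;
    }

    // Check the submitted token against the stored one. On a match the stored
    // token is replaced, so a second submit of the same form no longer matches.
    static boolean consumeToken(HttpSession session, String submitted) {
        if (session == null || submitted == null) {
            return false;
        }
        // Two requests from the same client can run concurrently, so compare and
        // replace must happen under a lock or a double click can pass twice.
        // Tomcat hands out one facade object per session, so locking on it works
        // there; a portable implementation keeps its own lock object in the session.
        synchronized (session) {
            Object expected = session.getAttribute(TOKEN_ATTR);
            if (!(expected instanceof String)) {
                return false;
            }
            boolean matches = MessageDigest.isEqual(   // constant-time comparison
                    ((String) expected).getBytes(StandardCharsets.UTF_8),
                    submitted.getBytes(StandardCharsets.UTF_8));
            if (matches) {
                issueToken(session);                   // rotate, as the text describes
            }
            return matches;
        }
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String token = issueToken(request.getSession());
        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        // The token is base64url, so it needs no HTML escaping; other values would.
        out.println("<form method=\"post\" action=\"" + request.getContextPath() + "/order\">");
        out.println("  <input type=\"hidden\" name=\"" + TOKEN_FIELD + "\" value=\"" + token + "\">");
        out.println("  <input type=\"text\" name=\"item\">");
        out.println("  <button type=\"submit\">Submit</button>");
        out.println("</form>");
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        if (!consumeToken(request.getSession(false), request.getParameter(TOKEN_FIELD))) {
            // Missing, stale or replayed token: refuse without processing anything.
            response.sendError(HttpServletResponse.SC_CONFLICT, "duplicate or invalid submission");
            return;
        }
        processOrder(request.getParameter("item"));
        // Redirect after POST so a browser refresh re-issues a GET, not the POST.
        response.sendRedirect(request.getContextPath() + "/order");
    }

    private void processOrder(String item) {
        // Business logic placeholder.
    }
}
```

Because the token is bound to the session and unpredictable, the same check also rejects cross-site form posts that a third-party page could trigger, which is why this pattern is usually called a synchronizer token. The redirect after a successful POST complements it: a refresh of the result page then repeats a harmless GET rather than the submission.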