Analysis of cookies and sessions
This is the back-end small class of the monastery. Each article is shared from
[background introduction] [knowledge analysis] [common problems] [solutions] [coding practice] [extended thinking] [more discussion] [References]
Eight aspects of in-depth analysis of back-end knowledge / skills. This article shares:
[analysis of cookies and sessions]
Today, I'd like to share with you the knowledge points in deep thinking - cookies and sessions in Java task 5 on the official website of the Xiuzhen Academy
1. Background introduction
Session tracking is a technology commonly used in Web programs to track a user's entire session. The commonly used session tracking technologies are cookie and session. Cookie determines the user's identity by recording information on the client, and session determines the user's identity by recording information on the server.
Session tracking is very important in programs. Theoretically, all request operations of one user should belong to the same session, while all request operations of another user should belong to another session. The two cannot be confused. For example, any commodity purchased by user a in the supermarket should be placed in the shopping cart of user A. no matter when user a purchases it, it belongs to the same session and cannot be placed in the shopping cart of user B or user C. It does not belong to the same session.
Web applications use the HTTP protocol to transfer data. HTTP protocol is a stateless protocol. Once the data exchange is completed, the connection between the client and the server will be closed. A new connection needs to be established to exchange data again. This means that the server cannot track sessions from the connection. That is, user a purchases a commodity and puts it into the shopping cart. When purchasing the commodity again, the server can no longer judge whether the purchase behavior belongs to the session of user a or the session of user B. To track this session, a mechanism must be introduced
2. Knowledge analysis
What are cookies
A cookie is actually a short piece of text information. The client requests the server. If the server needs to record the user status, it uses response to issue a cookie to the client browser. The client browser saves the cookie. When the browser requests the website again, the browser submits the requested URL to the server together with the cookie. The server checks the cookie to identify the user status. The server can also modify the contents of the cookie as needed.
Cookie mechanism
Cookie mechanism is essentially an extension of HTTP protocol. There are two HTTP headers dedicated to setting and sending cookies: set cookie and cookie. When the server returns an HTTP response message to the client, if the header set cookie is included, it means to instruct the client to establish a cookie and automatically send the cookie to the server in subsequent HTTP requests until the cookie expires.
If the cookie mechanism determines the customer's identity by checking the "pass" on the customer, the session mechanism confirms the customer's identity by checking the "customer details" on the server. Session is equivalent to a customer file created by the program on the server. When a customer visits, he only needs to query the customer file table.
What is session
When the client browser accesses the server, the server records the client information on the server in some form. This is session. When the client browser accesses again, it only needs to find the status of the customer from the session.
How does session identify users?
The HTTP protocol is stateless, and the session cannot judge whether it is the same client based on the HTTP connection. Therefore, the server sends a cookie named jsessionid to the client browser, and its value is the ID of the session (that is, the return value of httpsession. Getid()). Session identifies whether it is the same user according to the cookie.
3. Frequently asked questions
Connection between cookie and session
The difference between cookie and session
Cookie and session scenarios
4. Solutions
(1) Although the cookie and session schemes belong to the client and the server respectively, the implementation of the session on the server depends on the cookie on the client. I mentioned above that the ID value of the session will be generated when the server executes the session mechanism, and this ID value will be sent to the client. The client will put this ID value in the head of the HTTP request and send it to the server every request, The ID value will be saved on the client, and the saved container is a cookie. Therefore, when we completely disable the browser's cookie, the server session will not work normally
(2) The cookie data is stored on the client's browser, and the session data is placed on the server; Cookies are not very secure. Others can analyze the cookies stored locally and cheat them. In consideration of security, session should be used; The session will be saved on the server for a certain period of time. When access increases, it will occupy the performance of your server. Considering the reduction of server performance, cookie should be used; The limit of a single cookie on the client is 3k, that is, the cookie stored by a site on the client cannot exceed 3K;
(3) In terms of the functions that can be realized, cookies and sessions are similar, but cookies can be forged. Sessions are stored on the server and will not be illegally modified unless hacked. Therefore, generally speaking, the authentication data is placed on the session, and the sessionid is stored on the cookie. However, using encryption technology, some people put the authentication data in the cookie to encrypt and verify the cookie.
The most typical applications of cookies are:
(1) : judge whether the user has logged in to the website so that he can log in directly the next time he logs in. If we delete the cookie, the login related information must be filled in again each time he logs in.
(2) : another important application is the processing and design of classes in the "shopping cart". Users may choose different products on different pages of the same website over a period of time. They can write these information into the cookie and extract these information from the cookie when making the final payment. Of course, there are security and performance issues that need to be considered.
5. Coding practice
Analysis of cookies and sessions_ Tencent video
6. Expand thinking
If the browser disables cookies, how do I identify the user?
Pass sessionid through URL
The principle of URL address rewriting is to rewrite the ID information of the user session into the URL address. The server can parse the rewritten URL to obtain the session ID. In this way, session can be used to record user status even if the client does not support cookies. The httpservletresponse class provides encodeurl (stringurl) to implement URL address rewriting
Hidden Form Field
Before being passed back to the client, add a hidden field in the form and set jseesionid
7. References
Reference 1:
Reference 2:
Reference 3:
8. More discussion
That's all for today's sharing. You are welcome to like, forward, leave messages and make bricks~
Skill tree It Academy
"We believe that everyone can become an engineer. From now on, find a senior brother to introduce you, control your learning rhythm, and stop being confused on the way to learning.".
Here is the skill tree In it academy, thousands of senior brothers have found their own learning route here. Learning is transparent and growth is visible. Senior brothers have 1-to-1 free guidance. Come and study with me~
Author: Jiang Xinyi
Link:
Source: Jianshu
The copyright belongs to the author. For commercial reprint, please contact the author for authorization, and for non-commercial reprint, please indicate the source.
Author: Shenxia link: https://www.jianshu.com/p/daecdbf2d06d Source: the copyright of Jianshu Jianshu belongs to the author. Please contact the author for authorization and indicate the source for any form of reprint.
For more information, you can join the IT communication group 565734203 to discuss and communicate with you
Here is the skill tree · it Academy: a gathering place for beginners to switch to the Internet