What is session? What is a cookie? What is the difference between session and cookie? What scenarios apply to sessions? What scenarios apply to cookies?

2019-01-10 • Java

This is the back-end small class of the monastery. Each article is shared from

[background introduction] [knowledge analysis] [common problems] [solutions] [coding practice] [extended thinking] [more discussion] [References]

Eight aspects of in-depth analysis of back-end knowledge / skills. This article shares:

[what is a session? What is a cookie? What is the difference between a session and a cookie? What scenario applies to a session? What scenario applies to a cookie?]

[java small class of monasteries] what is session? What is cookie? What is the difference between session and cookie? What scenario is applicable to session? What scenario is applicable to cookie?

Hello, I'm Zhao Linai, a student of the fourth phase of Xi'an Branch of it Academy. I'm an honest, pure and kind java programmer. Today, I'd like to share with you the knowledge points in deep thinking - session and cookie, Java task 5 on the official website of the Academy

(1) Background:

Statelessness of HTTP

HTTP is a stateless protocol without saving state.

The HTTP protocol itself does not save the communication state between request and response. That is, at the HTTP level, the protocol does not persist the sent request or response. Using HTTP protocol, whenever a new request is sent, a corresponding new response will be generated. The protocol itself does not retain the information of all previous request or response messages.

This is to process a large number of transactions faster and ensure the scalability of the protocol. The HTTP protocol is designed to be so simple.

With the continuous development of the web, there are more and more cases that business processing becomes difficult due to statelessness. For example, when a user logs in to a shopping website, he needs to be able to continue to log in even after he jumps to other pages of the station. For this example, in order to know who sent the request, the website needs to save the user's status.

Although http / 1.1 is a stateless protocol, cookie technology is introduced in order to achieve the desired state keeping function. With cookies and HTTP protocol communication, you can manage the state.

(2) Knowledge analysis:

What is session

Session represents a session between the server and the browser. This process is continuous or intermittent.

Session is a server-side mechanism. The session object is used to store the information required by a specific user session.

The session is generated by the server and saved in the memory, cache, hard disk or database of the server.

For tomcat, session is a memory space opened up in the server, and its storage structure is

How session works

When a user accesses a server, if the server enables session, the server will create a session for the user

When creating the session, the server first checks whether the request sent by the user contains a session ID,

If a session ID is included, it means that the user has logged in and created a session for this user before,

The server will find the session in the memory of the server according to the session ID (if it cannot be found, it may create a new session for it),

If the client request does not contain a session ID, create a session for the client and generate a session ID related to the session.

This session ID is a unique, non repetitive and regular string that is not easy to find. This session ID will be returned to the client for saving in this response,

The session ID is saved by cookie, so that the browser can automatically send the ID to the server according to the rules during the interaction.

What is a cookie?

Because HTTP is a stateless protocol, the server cannot know the identity of the client from the network connection alone. What shall I do? Just issue a pass to the clients, one for each person. No matter who visits, they must carry their own pass. In this way, the server can confirm the customer's identity from the pass. This is how cookies work.

A cookie is actually a short piece of text information. The client requests the server. If the server needs to record the user status, it uses response to issue a cookie to the client browser. The client browser saves the cookie. When the browser requests the website again, the browser submits the requested URL to the server together with the cookie. The server checks the cookie to identify the user status. The server can also modify the contents of the cookie as needed.

(3) Frequently asked questions:

How to generate sessionid? By whom? Where is it kept?

(4) Solution:

The anti sessionid is the key of a session. When the browser accesses the server for the first time, it will generate a session on the server side, with a sessionid corresponding to it.

The session ID generated by Tomcat is called jssessionid.

It is stored in the memory of the server. The standard manager class of Tomcat stores the session in memory, and can also be persisted to file, database, Memcache, redis, etc. The client only saves the sessionid to the cookie, not the session. The session can only be destroyed through invalidate or timeout. Closing the browser does not close the session.

(5) Coding practice:

Try to find what is used in real projects. If you can find a website using your knowledge, this is the best. Apply what you have learned, otherwise it will be meaningless to take it as an exercise. Prepare more demos and combine the knowledge points with the demo during the explanation to facilitate everyone to understand the knowledge points explained.

(6) Expand thinking:

What is the difference between session and cookie?

Both cookie and session can perform session tracking, but the completion principle is different. Under normal circumstances, both can meet the requirements, but sometimes cookies and session cannot be used. The following describes the characteristics and applicable places of the two through comparison:

1. Different access modes

Cookies can only store ASCII strings. If you need to access Unicode characters or binary data, you need to encode it first. Java objects cannot be accessed directly in cookies. To store slightly complex information, using cookies is difficult

Session can access any type of data, including but not limited to string, integer, list, map, etc. Session can also directly store JavaBeans and even any Java classes and objects, which is very easy to use. You can think of session as a Java container class.

2. Different privacy policies

Cookies are stored in the client reader and are visible to the client. Some programs on the client may snoop, copy and even modify the contents of cookies. The session is stored on the server and is transparent to the client. There is no risk of sensitive information disclosure.

If you choose cookies, a better way is to try not to write sensitive information such as account and password into cookies. It is best to encrypt the cookie information like Google and Baidu, submit it to the server and then decrypt it to ensure that the information in the cookie can be read and understood by myself. If you choose session, it will be much easier. Anyway, it is placed on the server, and any privacy in the session can be effectively protected.

3. Differences in validity

People who have used Google know that if they have logged in to Google, Google's login information is valid for a long time. Users don't have to log in again every time they visit. Google will permanently record the user's login information. To achieve this effect, using cookies will be a better choice. You only need to set the expiration time property of the cookie to a large number.

Because the session depends on a cookie named jsessionid, and the expiration time of the cookie jsessionid is implicitly - 1, the session will become invalid as long as the reader is closed. Therefore, the session cannot achieve the effect of eternal information. Using URL address rewriting can not be completed. Moreover, if the timeout time of setting session is too long, the server will accumulate more sessions, which is more likely to lead to memory overflow.

4. Different server pressures

Session is kept on the server side, and each user will generate a session. If there are many concurrent users, many sessions will be generated and a lot of memory will be consumed. Therefore, websites with high concurrent visits such as Google, Baidu and Sina are unlikely to use session to track customer sessions. Cookies are kept on the client side and do not occupy server resources. If there are many concurrent users, cookies are a good choice. For Google, Baidu and Sina, cookies may be the only choice.

(7) References:

(8) More discussion:

Q1: rubrian: 1. How does the server determine that the request sent by the client belongs to the same session?

It is distinguished by session ID. if the session ID is the same, it is considered to be the same session. In tomcat, the session ID is represented by jsessionid;

Q2: Liu you: 2. How can the server and client obtain the session ID? How are session IDs transferred between them?

A2: Zhao Linai: when the server receives the request for the first time, it opens up a session space (creates a session object), generates a session ID, and sends a response to the client to set the cookie through the set Cookie: "jsessionid = XXXXXXX" command in the response header;

After receiving the response, the client sets a cookie with jsessionid = XXXXXXX on the local client, and the expiration time of the cookie is the end of the browser session;

Next, every time the client sends a request to the same website, the cookie information (including session ID) will be carried in the request header;

Then, the server reads the cookie information in the request header, obtains the value named jsessionid, and obtains the session ID of the request;

PS: the server will only add the set cookie "jsessionid = XXXXXXX" information on the response header when the client requests a response for the first time. Next, the set cookie "jsessionid = XXXXXXX" information will not be added in the second and third response header of the same session;

The client will bring jsessionid information in the cookie of each request header;

Q3: Qin Yonghui: 3. Session generated by session_ The ID is placed in the cookie. If the user disables the cookie, can the session be used?

A3: Zhao Linai: of course, session can be used after cookies are prohibited, but the sessionid can be obtained by other methods. For example, it can follow the URL or submit it to the server in the form. This enables the server to understand the status of the client.

(9) Thanks:

Thanks to elder martial brother Liu you. This tutorial is based on their previous technology sharing.

(10) Conclusion:

That's all for today's sharing. You are welcome to like, forward, leave messages and make bricks~

Ppt link video link

The content of this article comes from the network collection of netizens. It is used as a learning reference. The copyright belongs to the original author.