The difference between cookies and sessions

Web front end · 6377 · 2011-11-16

Sessions are saved on the server; cookies are saved on the client side.

Definition of both:

When you browse a website, the web server first sends a small amount of information to your computer. Cookies record the text you type or the choices you make on the site. The next time you visit the same website, the web server first checks whether there is any cookie data it left behind last time; if there is, it identifies the user from the cookie contents and sends you the corresponding page content.

Cookies are widely used. Many websites that provide personalized services use cookies to identify users and send them customized content; free web-mail sites, for example, use cookies. Specifically, the cookie mechanism keeps state on the client side, while the session mechanism keeps state on the server side. At the same time, because the server-side scheme still needs to keep an identifier on the client, the session mechanism may use the cookie mechanism to store that identifier. But in fact it has other options.

Cookie mechanism. The orthodox way to distribute cookies is an extension of the HTTP protocol: the server adds a special line (the Set-Cookie header) to the HTTP response header, and the browser follows that instruction to create the corresponding cookie.

However, pure client-side script such as JavaScript or VBScript can also create cookies. Cookies are sent back to the server automatically by the browser according to fixed rules: the browser checks all stored cookies, and if the declared scope of a cookie covers (is greater than or equal to) the location of the resource being requested, the cookie is attached to the HTTP request header for that resource and sent to the server.

The contents of a cookie mainly include: name, value, expiration time, path and domain. The path and domain together form the cookie's scope. If no expiration time is set, the cookie's lifetime is the browser session: close the browser window and the cookie disappears. A cookie whose lifetime is the browser session is called a session cookie. Session cookies are generally kept in memory rather than on disk, although this behaviour is not standardized. If an expiration time is set, the browser saves the cookie to disk, and it remains valid after the browser is closed and reopened until the expiration time passes. Cookies stored on disk can be shared between different browser processes, such as two IE windows; for cookies kept in memory, different browsers behave differently.
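As an added illustration of the scope and lifetime rules above (example code written for this edit, not from the original article), the following Python builds a minimal cookie jar: it parses Set-Cookie lines into name, value, expiry, path and domain, then decides which cookies the browser would attach to a given request. The host names, cookie names and dates are constructed sample values, and the default path of "/" is a simplification.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header, origin_host, now, default_path="/"):
    """Parse one Set-Cookie header into a cookie record with its scope.
    No Expires/Max-Age -> session cookie (expires=None, gone when the browser closes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "path": default_path,
              "domain": origin_host.lower(), "host_only": True, "expires": None}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "path":
            cookie["path"] = val or default_path
        elif key == "domain":                       # widen scope to the domain and its subdomains
            cookie["domain"], cookie["host_only"] = val.lstrip(".").lower(), False
        elif key == "max-age":                      # Max-Age wins over Expires
            cookie["expires"] = now + timedelta(seconds=int(val))
        elif key == "expires" and cookie["expires"] is None:
            cookie["expires"] = parsedate_to_datetime(val)
    return cookie

def path_in_scope(request_path, cookie_path):
    """The cookie path must equal the requested path or be a directory prefix of it."""
    return (request_path == cookie_path or (request_path.startswith(cookie_path) and
            (cookie_path.endswith("/") or request_path[len(cookie_path)] == "/")))

def cookies_for_request(jar, host, path, now):
    """The text's rule: attach a cookie only if its domain/path scope covers the
    requested resource and it has not expired. Returns {name: value}."""
    host, sent = host.lower(), {}
    for c in jar:
        if c["expires"] is not None and c["expires"] <= now:
            continue                                # expired: the browser drops it
        in_domain = host == c["domain"] or (not c["host_only"] and host.endswith("." + c["domain"]))
        if in_domain and path_in_scope(path, c["path"]):
            sent[c["name"]] = c["value"]
    return sent

# Constructed sample: three Set-Cookie lines received from www.example.com on 2011-11-16.
NOW = datetime(2011, 11, 16, 12, 0, tzinfo=timezone.utc)
JAR = [parse_set_cookie(h, "www.example.com", NOW) for h in [
    "JSESSIONID=abc123; Path=/app",                              # session cookie, host-only
    "theme=dark; Path=/; Domain=example.com; Max-Age=86400",    # persistent, whole domain
    "promo=x1; Path=/; Expires=Tue, 15 Nov 2011 00:00:00 GMT",  # already expired
]]
```

Requesting /app/login on www.example.com yields JSESSIONID and theme, a sibling host such as shop.example.com gets only theme, and the expired promo cookie is never sent.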

Session mechanism. The session mechanism is a server-side mechanism: the server uses a hash-table-like structure (or an actual hash table) to store the information.

When the program needs to create a session for a client's request, the server first checks whether the request already contains a session identifier (the session ID). If it does, a session was created for this client before, and the server retrieves that session by its ID (if it cannot be found, a new one is created). If the request contains no session ID, the server creates a session for this client and generates a session ID bound to it. The session ID should be a string that is never repeated and cannot easily be imitated by finding a pattern, and it is returned to the client in this response so the client can keep it. A cookie can be used to hold the session ID, so that the browser sends the ID back to the server automatically on each interaction; this cookie is generally named something like SESSIONID (for example JSESSIONID). However, cookies can be disabled by hand, so there must be another mechanism to pass the session ID back to the server when cookies are disabled. A frequently used technique is URL rewriting, which appends the session ID directly to the URL path. Another technique is the hidden form field: the server automatically modifies the form and adds a hidden field, so that the session ID is passed back when the form is submitted. For example:
<form name="testform" action="/xxx">
<input type="hidden" name="jsessionid" value="ByOK3vjFD75aPnrF7C2HmdnV6QZcEbzWoWiBYEnLerjQ99zWpBng!-145788764">
<input type="text">
</form>
In fact, this technique can simply be replaced by applying URL rewriting to the form's action URL.

Differences between cookies and sessions:

1. Cookie data is stored in the client's browser; session data is stored on the server.

2. Cookies are not very secure: anyone with access to the client can inspect the cookies stored locally and forge them (for security, use sessions).

3. A session is kept on the server for a period of time, so as traffic grows it consumes server resources (to reduce server load, use cookies).

4. A single cookie is limited to 3K on the client, which means the cookie a site stores on the client cannot exceed 3K.

5. So I suggest:
Store important information such as login state in the SESSION
Other information that needs to be retained can be placed in a COOKIE


Cookie vs. Session


1、 Session: meaning: a series of action messages from beginning to end
1. Implies two things: "connection oriented" and "state maintained"
2. A solution for maintaining state between client and server
3. Also refers to the storage structure of that solution ("save xx in the session")

2、 The HTTP protocol is stateless by design, so the cookie and session mechanisms were introduced to maintain state across requests

Differences and connections between the cookie and session mechanisms:
The cookie mechanism keeps state on the client side.
The session mechanism keeps state on the server side. Because the client must still provide an identifier while the state is kept on the server,

3、 About cookie mechanism
Cookies are sent to the server automatically by the browser according to fixed rules. The browser checks all stored cookies, and if the declared scope of a cookie covers (is greater than or equal to) the location of the resource being requested, the cookie is attached to the HTTP request header for that resource and sent to the server.
Cookies stored on disk can be shared between different browser processes, such as two IE windows. Browsers differ in how they handle cookies kept in memory. In IE, a window opened with Ctrl+N (or from the File menu) of an existing window shares cookies with the original window, while a new IE process started by other means cannot share the memory cookies of an already open window.
The contents of a cookie include: name, value, expiration time, path and domain.

4、 About the session mechanism
When the program needs to create a session for a client's request, the server first checks whether the request contains a session ID. If it does, a session was created for this client before, and the server retrieves it by the session ID. Generally the ID is carried in a cookie named something like the session ID; if cookies are disabled (they can be disabled by hand), URL rewriting is commonly used to append the session ID to the URL path. To maintain state throughout the interaction, the session ID must be appended to every path the client might request.
The belief that "the session disappears when the browser is closed" is actually wrong. Unless the program tells the server to delete a session, the server keeps it; the program usually sends that delete command when the user logs out. The illusion arises because most sessions use a session cookie to hold the session ID, and that cookie disappears when the browser is closed. If the cookie the server sets is saved to disk instead, or the HTTP request header sent by the browser is rewritten by some means to carry the original session ID, then after the browser is reopened the previous session can in fact be found again. Therefore setting an expiry (timeout) on the session provides some protection.

5、 Some questions about the session
1. When a session is created: not when the client first accesses the server, but when the server calls HttpServletRequest.getSession(true).
2. When a session is deleted: A. the program calls HttpSession.invalidate(); B. the interval since the client last sent the session ID exceeds the session timeout; C. the server process is stopped (for non-persistent sessions).
3. How to end the session at the same time the browser is closed: strictly speaking it cannot be done. You can have every client page listen for the browser's close event (e.g. window.onunload) and then send a request to the server to delete the session, but nothing can be done when the browser crashes or the process is killed.
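As an added example (written for this edit, not from the article), the following Python models the session mechanism described in the first half of the page and the lifecycle questions just listed: a server-side table keyed by an unpredictable ID, the ID carried by cookie or by URL rewriting, creation on demand like getSession(true), explicit invalidation, and idle timeout. The cookie name and the ;jsessionid= URL form are assumptions that follow the servlet convention; the clock is injectable so the timeout can be exercised without waiting.

```python
import secrets
import time

SESSION_COOKIE = "JSESSIONID"   # name assumed for the example (servlet convention)

class SessionStore:
    """Server-side session table: the client only ever holds an opaque ID."""
    def __init__(self, timeout_seconds=1800, clock=time.time):
        self.timeout, self.clock = timeout_seconds, clock   # clock injectable for tests
        self._sessions = {}       # session id -> {"data": {...}, "last_access": t}

    def _lookup(self, sid):
        entry = self._sessions.get(sid)
        if entry is None:
            return None           # unknown or forged ID: nothing to hand out
        if self.clock() - entry["last_access"] > self.timeout:
            del self._sessions[sid]   # case B: idle longer than the timeout
            return None
        entry["last_access"] = self.clock()
        return entry

    def get_session(self, cookies, path, create=True):
        """Mirrors HttpServletRequest.getSession(create): reuse the client's session
        if its ID is valid, otherwise create one. Returns (session_id, data dict)."""
        sid = session_id_from_request(cookies, path)
        entry = self._lookup(sid) if sid else None
        if entry is None and create:
            sid = secrets.token_urlsafe(32)   # unpredictable, never repeated
            entry = self._sessions[sid] = {"data": {}, "last_access": self.clock()}
        return (sid, entry["data"]) if entry else (None, None)

    def invalidate(self, sid):
        """Case A: explicit deletion, e.g. when the user logs out."""
        self._sessions.pop(sid, None)

    def __contains__(self, sid):
        return sid in self._sessions

def session_id_from_request(cookies, path):
    """The ID arrives in the cookie or, when cookies are disabled, in the rewritten URL."""
    if SESSION_COOKIE in cookies:
        return cookies[SESSION_COOKIE]
    _, found, sid = path.partition(";jsessionid=")
    return sid.split("?", 1)[0] if found else None

def rewrite_url(path, sid):
    """URL rewriting fallback: append the session ID to the path (servlet-style)."""
    return f"{path};jsessionid={sid}"
```

A request that arrives with no cookie (the "browser closed" case) simply fails to present the ID; the server-side entry survives until it is invalidated or times out.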