Preface

A few days ago, when I interviewed interns in combined information technology, I came across a question comparing cookies and sessions in the written test. Today I will write up a comprehensive summary.

Cookie

Cookies are small pieces of web-related data that the browser stores locally after you visit a website, so that fewer steps are needed the next time you visit it. A cookie generally includes the following main fields:

  1. Key: the name of the cookie.
  2. Value: the value stored under that name.
  3. Max-Age / Expires: sets the cookie's expiration time.
  4. Domain: specifies the domain for which the cookie is valid. Typically this is set to a subdomain, such as cms.example.com.
  5. Path: the URL path under which the cookie is valid.

For example, when we log in to a website, we need to enter a user name and password. If the user name and password are saved as cookies, we do not need to enter them again the next time we log in to the website.

Session

A session is a hashtable-like structure used to store user data on the server. The first time the browser sends a request, the server automatically creates a HashTable and a SessionID that uniquely identifies it, and sends the SessionID back to the browser in the response. When the browser sends its next request, it includes the SessionID received in the previous response. The server extracts the SessionID from the request, compares it with all the saved SessionIDs, and finds the HashTable that belongs to that user.
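The exchange described above, as an added example that is not part of the original post: a minimal server-side session table, the cookie-header parsing the server does on each request, and the `Set-Cookie` header it emits when no valid session is presented. The cookie name `SESSIONID`, the 30-minute sliding expiry and the shopping-cart data are assumptions chosen for the example; real frameworks use their own cookie names and storage.

```python
import secrets
import time

SESSION_COOKIE = "SESSIONID"  # assumed cookie name; frameworks pick their own (e.g. JSESSIONID)


class SessionStore:
    """Server-side table mapping an opaque SessionID to a per-user dict."""

    def __init__(self, max_age_seconds=1800):
        self._table = {}
        self.max_age = max_age_seconds

    def create(self, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness: the ID must be unguessable
        self._table[sid] = {"data": {}, "expires": now + self.max_age}
        return sid

    def get(self, sid, now=None):
        """Return the session's data dict, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._table.get(sid)
        if entry is None:
            return None
        if now >= entry["expires"]:
            del self._table[sid]  # idle too long: drop it server-side
            return None
        entry["expires"] = now + self.max_age  # sliding expiry on every use
        return entry["data"]

    def invalidate(self, sid):
        """Explicit logout: forget the session regardless of its timer."""
        self._table.pop(sid, None)


def parse_cookie_header(header):
    """Parse a 'Cookie: a=1; b=2' header value into a dict ({} if absent)."""
    cookies = {}
    if not header:
        return cookies
    for part in header.split(";"):
        if "=" in part:
            name, _, value = part.strip().partition("=")
            cookies[name] = value
    return cookies


def handle_request(store, headers, now=None):
    """One request: look up the presented SessionID or start a fresh session.

    Returns (response_headers, session_data, session_id).
    """
    cookies = parse_cookie_header(headers.get("Cookie"))
    sid = cookies.get(SESSION_COOKIE)
    data = store.get(sid, now) if sid else None
    response = {}
    if data is None:
        sid = store.create(now)
        data = store.get(sid, now)
        # HttpOnly keeps scripts from reading the ID; Secure keeps it off plain HTTP.
        response["Set-Cookie"] = f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
    return response, data, sid


def simulate_cart():
    """Constructed walk-through: first visit, return visit, then an expired visit."""
    store = SessionStore(max_age_seconds=1800)
    t0 = 1_000_000.0  # constructed clock value so the run is deterministic
    # First visit: no cookie yet, so the server creates a session and sets the cookie.
    resp1, cart, sid = handle_request(store, {}, now=t0)
    cart["items"] = ["book"]
    # Second visit a minute later: the browser echoes the SessionID back.
    cookie = f"{SESSION_COOKIE}={sid}"
    resp2, cart2, sid2 = handle_request(store, {"Cookie": cookie}, now=t0 + 60)
    # Third visit after 31 idle minutes: the session has expired, so a new empty one starts.
    resp3, cart3, sid3 = handle_request(store, {"Cookie": cookie}, now=t0 + 60 + 1860)
    return {
        "first_sets_cookie": "Set-Cookie" in resp1,
        "second_reuses": sid2 == sid and cart2 == {"items": ["book"]},
        "second_sets_cookie": "Set-Cookie" in resp2,
        "expired_new_session": sid3 != sid and cart3 == {} and "Set-Cookie" in resp3,
    }


if __name__ == "__main__":
    print(simulate_cart())
```

Note that only the random SessionID ever travels in the cookie; the cart contents stay in the server's table, which is exactly the split the text describes.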

For example, on a shopping website a user adds some items to their shopping cart. Long ago, many websites used a server-side session to store the contents of the cart (now almost all use a database), so the session held this information.

The differences between cookies and sessions

1. Storage locations are different

Cookie data is stored locally. Session data is stored on the server.

2. The storage capacity varies

Cookie storage capacity is small, generally at most 4 KB. There is no fixed limit on session storage capacity (although, for the sake of server performance, too much data is generally not stored in it).

3. The storage validity period is different

Cookies can be stored for a long time, as long as the set expiration time has not passed. Sessions expire after a certain amount of time (usually 30 minutes); in addition, when the browser is closed, the session.invalidate() method is called automatically to protect user information, which clears the session data.

4. Different security

Cookies are stored on the client, so the cookies saved locally can be inspected and spoofed, which makes them less secure. The session is stored on the server, which avoids the risk of leaking sensitive information and provides higher security.
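The spoofing risk above is the reason that any value a server must trust from a cookie is either kept server-side (a session) or signed so that edits are detected. As an added example that is not part of the original post, the code below signs a cookie value with an HMAC, verifies it in constant time, and emits the hardened `Set-Cookie` attributes. The key, the cookie values and the tampered payload are all constructed for the illustration.

```python
import base64
import hashlib
import hmac

# Placeholder key for the example only; a real server loads a random key from configuration.
SECRET_KEY = b"placeholder-server-side-key-change-me"


def _b64(raw):
    """URL-safe base64 without padding, so the value is safe inside a cookie."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def sign_cookie_value(value, key=SECRET_KEY):
    """Return 'base64(value).base64(hmac-sha256)'. The client can read it but not alter it."""
    payload = value.encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"


def verify_cookie_value(cookie, key=SECRET_KEY):
    """Return the original value, or None if the cookie is malformed or was modified."""
    try:
        payload_b64, mac_b64 = cookie.split(".", 1)
        payload = _unb64(payload_b64)
        mac = _unb64(mac_b64)
    except (ValueError, TypeError):  # no separator or undecodable base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # compare_digest avoids leaking how many bytes matched through timing.
    if not hmac.compare_digest(mac, expected):
        return None
    return payload.decode()


def set_cookie_header(name, value, max_age=1800):
    """Set-Cookie with the attributes that limit where and how the cookie is exposed."""
    return f"{name}={value}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Lax"


def demo_tamper_detection():
    """Constructed check: a locally edited payload no longer verifies."""
    genuine = sign_cookie_value("role=user")
    signature = genuine.split(".", 1)[1]
    edited = _b64(b"role=admin") + "." + signature  # payload changed, signature kept
    return verify_cookie_value(genuine), verify_cookie_value(edited)


if __name__ == "__main__":
    print(set_cookie_header("prefs", sign_cookie_value("theme=dark")))
    print(demo_tamper_detection())
```

Signing only proves integrity: the value is still readable on the client, so anything confidential still belongs in the server-side session rather than in a cookie.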

5. Different domains are supported

Cookies support cross-domain access. For example, cookies set for a.com are available throughout a.com. Sessions do not support cross-domain access. For example, a session for www.a.com is not available under api.a.com.

6. Different pressures apply to the server

Cookies are stored on the client and do not occupy server resources. Sessions are stored on the server, and each user generates one session, so a large number of sessions consumes server resources; for this reason large websites run dedicated session servers.

7. Different data types are stored

Cookies can store only ASCII characters, so Unicode characters or binary data must be encoded first. A session can store data of any type, including but not limited to String, Integer, List, Map, and so on.