Overview of the similarities and differences among the three

Similarities: all three store data in the browser. Differences: Cookies are sent to the server with each browser request and are automatically deleted when they expire. A cookie is small, only 4KB. LocalStorage and sessionStorage both belong to Web Storage and are stored on the browser side. They are larger than cookies, at 8MB. LocalStorage is stored persistently in the browser and remains until the user actively deletes it. SessionStorage exists only for the current session and is deleted when the browser closes the session.

The difference between Cookie and Session

The Cookie mechanism

Cookies are small pieces of text that the server stores on the client and that the client sends back to the same server for validation with each request. First, the Web server sends cookies to the browser using HTTP headers. The browser parses the cookies and saves them to local files. From then on, the browser automatically attaches the cookies to every request it makes to that server.

Essentially, the Cookie mechanism is used to save user state on the client side. The use of cookies requires browser support. Once cookies are disabled, the browser loses this function. Cookies are mainly used to compensate for the inherent statelessness of HTTP.

The specific process

  • Generation process: The Web server instructs the browser to create a cookie by placing a special directive in the HTTP response header.
  • Usage process: Cookies are sent to the server automatically, in the background, by the browser according to certain rules. The browser checks all the cookies it has stored, and if the declared scope of a cookie covers the location of the requested resource, it sends that cookie to the server in the HTTP request header for the requested resource.
  • Cookie content: mainly includes name, value, expiration time, path and domain. The name distinguishes one cookie from another, and the expiration time sets the life cycle of the cookie. If no expiration time is declared, the cookie is valid only during the session, so it is called a session cookie. Such cookies are generally stored in memory rather than on disk. When an expiration time is set, the cookie is stored on the local disk and remains valid for the specified period even after the browser is closed. Valid cookies can be shared between multiple browser processes. The path and domain together form the scope of the cookie.
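The scope and lifetime rules above can be modelled in a few functions. This is an added example, not code from the original page: a simplified model after RFC 6265, with hypothetical function names and constructed hosts and cookie values.

```javascript
// Simplified model (after RFC 6265) of how a browser stores a cookie and later
// decides whether to send it. Function names are illustrative, not a browser API.
function parseSetCookie(header, requestHost, now) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq), value: pair.slice(eq + 1),
    domain: requestHost.toLowerCase(), hostOnly: true, // no Domain: exact host only
    path: '/',       // simplification: real browsers default to the request's directory
    expires: null,   // null = session cookie, dropped when the browser closes
  };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1).trim();
    if (key === 'domain' && val) {
      cookie.domain = val.replace(/^\./, '').toLowerCase();
      cookie.hostOnly = false;
    } else if (key === 'path' && val.startsWith('/')) {
      cookie.path = val;
    } else if (key === 'max-age' && /^-?\d+$/.test(val)) {
      cookie.expires = now + Number(val) * 1000; // Max-Age wins over Expires
    } else if (key === 'expires' && cookie.expires === null) {
      const t = Date.parse(val);
      if (!Number.isNaN(t)) cookie.expires = t;
    }
  }
  // A server may only set cookies for its own host or a parent domain of it.
  return domainMatches(requestHost, cookie) ? cookie : null;
}

function domainMatches(host, cookie) {
  const h = host.toLowerCase();
  if (cookie.hostOnly) return h === cookie.domain;
  return h === cookie.domain || h.endsWith('.' + cookie.domain);
}

function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

function shouldSend(cookie, host, path, now) {
  if (cookie.expires !== null && cookie.expires <= now) return false;
  return domainMatches(host, cookie) && pathMatches(path, cookie.path);
}
```

Real browsers also refuse Domain values that are public suffixes and apply the Secure and SameSite attributes, which this model leaves out.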

The Session mechanism

The Session mechanism is essentially a scheme for maintaining state on the server side, which stores data using a hash table-like structure. Although the state is saved on the server, the client also needs to keep an identifying flag, so the session mechanism may need to use the cookie mechanism to save that flag. A session is kept per user: the values of its variables are stored on the server side, and a sessionID distinguishes the session variables of different users. The server sends this sessionID to the browser when the user accesses the server. When cookies are disabled, you can use GET to send this information to the server.

The specific process

When a client requests a session, the server first checks whether the client's HTTP request header contains the session identifier, which is the aforementioned sessionID. If the ID is found, the server directly retrieves the session corresponding to the ID and returns it to the client without creating a new session. If the request header does not contain a sessionID, the server creates a session and generates a unique sessionID to return to the client. The client saves the session locally.
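The lookup-or-create flow described above, written as plain Node.js functions. This is an added example, not code from the original page; the cookie name sessionID, the 30-minute idle timeout, the in-memory Map and the cookie attributes are assumptions chosen for illustration.

```javascript
// Server-side session lookup: reuse a known session, otherwise create a new one.
// Assumptions: cookie name "sessionID", 30-minute idle timeout, in-memory store.
const crypto = require('node:crypto');

const IDLE_MS = 30 * 60 * 1000;
const sessions = new Map(); // sessionID -> { lastSeen, data }; never leaves the server

function readSessionId(cookieHeader) {
  for (const part of (cookieHeader || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name === 'sessionID') return rest.join('=');
  }
  return null;
}

function handleRequest(headers, now = Date.now()) {
  const presented = readSessionId(headers.cookie);
  const known = presented === null ? undefined : sessions.get(presented);
  if (known && now - known.lastSeen <= IDLE_MS) {
    known.lastSeen = now;
    return { sessionID: presented, session: known, setCookie: null };
  }
  if (known) sessions.delete(presented); // idle too long: forget the old state
  // Missing, unknown or expired ID: mint a fresh random one. A value supplied by
  // the client is never adopted as the ID of a new session.
  const sessionID = crypto.randomBytes(32).toString('hex');
  const session = { lastSeen: now, data: {} };
  sessions.set(sessionID, session);
  // HttpOnly keeps page scripts from reading the ID; Secure limits it to HTTPS.
  const setCookie = `sessionID=${sessionID}; Path=/; HttpOnly; Secure; SameSite=Lax`;
  return { sessionID, session, setCookie };
}
```

Only the random sessionID travels to the client; the user's data stays in the server-side Map and is discarded after the idle timeout.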

Summary of differences between the two

Both Cookie and Session can be used for session tracking, but their principles and characteristics differ. The differences are summarized as follows:

  • Different storage methods: Cookies can only store ASCII strings. If you want to store Unicode or binary data, you need to encode it. Sessions can store various types of data.
  • Different privacy policies: Cookies are stored on the client and are visible to the client. Some programs on the client may snoop on, copy, or modify the information in the cookie. Session is stored on the server and does not have the problem of sensitive information leakage. If cookies are used, it is best to encrypt them using an encryption algorithm.
  • Different validity periods: To facilitate the next login, using cookies is very convenient. Session cannot hold state for a long time.
  • Different server pressure: Sessions are stored on the server. If there is a large number of concurrent visits, a large number of sessions will be generated, putting great pressure on the server and consuming a large amount of memory. Therefore, large websites are unlikely to use sessions.
  • Different browser support: Cookies require browser support. If the browser supports cookies, cookies can be valid in the browser window, in child windows, and in all browsing windows. Sessions are valid only for this window and its children; other browser windows will have new sessions.
  • Different cross-domain support: Cookies support cross-domain access. Session does not, and is valid only for the current domain name.
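The storage and privacy items above both apply when a Unicode value has to go into a cookie that the client can read or modify. The following added example (not from the original page) encrypts the value and encodes the result as ASCII. The page names no algorithm; AES-256-GCM is chosen here as an assumption, and the key handling and sample value are constructed.

```javascript
// Encrypt a cookie value so the client can neither read it nor change it unnoticed.
// The output is base64url, so it is plain ASCII and safe to use as a cookie value.
const crypto = require('node:crypto');

// Assumption: in a real deployment the key is loaded from a secret store and is
// shared by all servers that must read the cookie.
const KEY = crypto.randomBytes(32);

function sealCookieValue(plain, key = KEY) {
  const iv = crypto.randomBytes(12); // fresh nonce for every cookie
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plain, 'utf8'), cipher.final()]);
  // Layout: 12-byte IV | 16-byte authentication tag | ciphertext
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64url');
}

function openCookieValue(sealed, key = KEY) {
  const raw = Buffer.from(sealed, 'base64url');
  if (raw.length < 28) return null; // too short to hold IV and tag
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  try {
    const plain = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    return plain.toString('utf8');
  } catch {
    return null; // modified, truncated, or sealed under a different key
  }
}
```

A caller treats a null result as an absent cookie rather than trusting any part of the value.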