www.zhihu.com/question/35… Review the use of cookies and sessions and tokens

What happens when we visit a website?

  • Enter the URL
  • The browser resolves the domain name to an IP address (application-layer DNS, the Domain Name System).
  • The browser sends an HTTP request to the server
  • Server-side processing
  • The server replies with the response
  • Browser rendering

Major differences between HTTPS and HTTP

  • HTTP is the Hypertext Transfer Protocol and transmits information in plain text. HTTPS is HTTP carried over an SSL/TLS encrypted connection. The main difference between HTTP and HTTPS is that with HTTPS the requests and responses are encrypted.

  • HTTP and HTTPS use completely different connections and default ports (80 and 443).

The cookie and session

  • The session is stored on the server, and the client never holds the session data itself. Cookies are stored on the client and are sent to the server, which can read them.

  • Sessions hold objects; cookies hold strings.

  • HTTP is a stateless protocol. Once the data is exchanged, the connection between the client and server is closed, and a new connection has to be established to exchange data again. This means the server cannot track a session from the connection alone. For example, user A buys an item and puts it in the shopping cart; when the next purchase request reaches the server, it cannot tell whether the purchase belongs to user A’s session or user B’s session. To track the session, a mechanism must be introduced.

  • Sessions are another mechanism for recording a client’s state; the difference is that cookies are stored in the client’s browser while sessions are stored on the server. When the client browser accesses the server, the server records the client information in some form on the server side: that record is the Session. On later visits the client browser only needs to look up its state in the Session.

  • Cookies compared with sessions:
    1. Cookies are not very secure. Someone else can analyze the cookies stored locally and forge them (cookie spoofing).
    2. A cookie can be given an expiry time so that it expires; a session is ended with session_destroy().
    3. The session is kept on the server for a certain period of time. To reduce the load on the server, cookies should be used when data has to be accessed frequently.
    4. A single cookie cannot hold more than 4 KB of data, and many browsers limit a site to at most 20 cookies. (The Session object has no limit on the amount of data stored and can hold more complex data types.)
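To make the cookie-versus-session split above concrete, here is an added Python example (not code from the original page) of a minimal server-side session store: the browser receives only a random session ID in a cookie, the actual state lives on the server, sessions expire after a timeout, and destroy() plays the role of session_destroy(). The SessionStore class, the 30-minute TTL, the cookie name sid and the sample cart data are assumptions chosen for this illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Added example: an in-memory session store (assumption: single process, no persistence).
SESSION_TTL = 30 * 60   # seconds of inactivity after which a session is dropped


class SessionStore:
    def __init__(self, ttl=SESSION_TTL, now=time.time):
        self._sessions = {}   # session id -> {"data": {...}, "expires": timestamp}
        self._ttl = ttl
        self._now = now       # injectable clock so expiry can be tested deterministically

    def create(self, data):
        # The client only ever sees this random, unguessable ID; the state stays here.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"data": dict(data), "expires": self._now() + self._ttl}
        return sid

    def get(self, sid):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if entry["expires"] <= self._now():
            del self._sessions[sid]          # timed out: same effect as destroying it
            return None
        entry["expires"] = self._now() + self._ttl   # sliding expiry on each use
        return entry["data"]

    def destroy(self, sid):
        # Counterpart of PHP's session_destroy(): the server forgets the session,
        # so the old ID in the client's cookie is worthless from now on.
        return self._sessions.pop(sid, None) is not None


def session_cookie_header(sid):
    # Set-Cookie value carrying only the opaque ID. HttpOnly keeps scripts from
    # reading it, Secure restricts it to HTTPS, Lax limits cross-site sending.
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["httponly"] = True
    cookie["sid"]["secure"] = True
    cookie["sid"]["samesite"] = "Lax"
    cookie["sid"]["path"] = "/"
    return cookie["sid"].OutputString()


def session_from_cookie_header(store, cookie_header):
    # Parse the browser's Cookie request header and look the ID up server-side.
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    morsel = cookie.get("sid")
    if morsel is None:
        return None
    return store.get(morsel.value)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create({"user": "A", "cart": ["item-1"]})   # constructed sample state
    print("Set-Cookie:", session_cookie_header(sid))
    print("state:", session_from_cookie_header(store, "theme=dark; sid=" + sid))
    store.destroy(sid)
    print("after destroy:", session_from_cookie_header(store, "sid=" + sid))
```

The point of the design is that nothing a client can edit locally changes the server's view of who it is: forging a cookie only changes the ID presented, and an ID that is not in the store (or has expired) simply maps to no session.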

Browser Security Policy

1. Same-origin policy: client-side scripts from different origins cannot read or write each other’s resources without authorization

2. Sandboxed frames

3. Flash security sandbox

4. Cookie

  • Set the SameSite attribute of the cookie
  • Strict is the strictest: third-party cookies are completely prohibited. For cross-site requests the cookie is not sent under any circumstances; in other words, the cookie is included only if the site of the current page matches the site of the request target.

Set-Cookie: CookieName=CookieValue; SameSite=Strict;

This rule is too strict and can result in a very bad user experience. For example, if a user clicks a GitHub link on another site’s page, the GitHub cookie is not sent, so the user arrives at GitHub without their logged-in state.

  • Lax is slightly relaxed: in most cases third-party cookies are still not sent, except on GET requests that navigate to the target URL (top-level navigations such as clicking a link).

Set-Cookie: CookieName=CookieValue; SameSite=Lax;

  • None removes the restriction: the cookie is sent on cross-site requests as well (modern browsers only accept SameSite=None together with the Secure attribute).

Chrome 80 changed the default: a cookie with no SameSite attribute is treated as SameSite=Lax.
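The SameSite rules listed above (Strict, Lax, None, and the Chrome 80 Lax default) as an added Python example that is not part of the original page: cookie_is_sent() decides whether a cookie accompanies a request, given the attribute, the page the request originates from, the target URL, the method and whether it is a top-level navigation. The site_of() helper, which treats the last two host labels as the site, is a simplification assumed for this example; real browsers consult the public suffix list.

```python
from urllib.parse import urlsplit


def site_of(url):
    # Simplification assumed for this example: the "site" is the registrable
    # domain approximated by the last two host labels (gist.github.com -> github.com).
    # Real browsers use the public suffix list instead.
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def cookie_is_sent(samesite, page_url, request_url, method="GET",
                   top_level_navigation=False, secure=True):
    """Return True if a cookie with the given SameSite attribute is attached
    to a request made from page_url to request_url."""
    mode = (samesite or "Lax").capitalize()   # Chrome 80+: no attribute means Lax
    if mode == "None":
        # SameSite=None lifts the restriction, but modern browsers reject such a
        # cookie unless it also carries Secure, so an insecure one is never sent.
        return secure
    if site_of(page_url) == site_of(request_url):
        return True                            # same-site request: always sent
    if mode == "Strict":
        return False                           # cross-site request: never sent
    if mode == "Lax":
        # Only top-level GET navigations (e.g. clicking a link) carry the cookie.
        return top_level_navigation and method.upper() == "GET"
    raise ValueError("unknown SameSite value: %r" % samesite)


if __name__ == "__main__":
    # The page's own scenario: a user on some other site clicks a link to GitHub.
    for mode in ("Strict", "Lax", None):
        sent = cookie_is_sent(mode, "https://example.org/post", "https://github.com/",
                              "GET", top_level_navigation=True)
        print("SameSite=%s: GitHub cookie sent on link click -> %s" % (mode, sent))
```

Run as a script it prints False for Strict and True for both Lax and the unset default, which is exactly the user-experience difference the text describes; a cross-site form POST or an embedded image request gets the cookie only under SameSite=None.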

5. Content Security Policy (a response header whose directives specify which origins scripts and other resources may be loaded and executed from)