Today bring you a story called beast and students 😱For the story, see changing posture 😍 (Cookie, Session)
Cookies and sessions are often mentioned in HTTP
What is a Cookie?
Cookie: n. Small dessert
Cookies are a mechanism for clients to save user information and record some user information. How do you identify specific customers? Cookies do that. With each HTTP request, the client sends the corresponding Cookie information to the server. It can be set to expire at any time, and if you don’t take the initiative to remove it, you can keep it for a long time, even if you shut it down in the meantime.
Since it’s stored on the client side, in other words I can manipulate the information stored locally to cheat the server side on some of its policies, what do I do?
What is Session?
Session: n. Session
Session is a mechanism used by the server to identify a user when recording user status under the stateless HTTP protocol. It is a data structure that is kept on the server side to track the state of the user, and can be stored in a file, database, or cluster. The Session disappears when the browser is closed, and the next time you open it, you no longer have the Session. In fact, it is not that the Session has disappeared, but that the Session ID has changed. The server may still have your last Session ID and Session information, but they are in the ownerless state, and may be deleted after a period of time.
Cookies and sessions are both a form of Session. When you click the order button, the server does not know what the specific user is doing. In order to identify and track the user and how many items are in the cart, the server creates cookies/sessions for the user to obtain this information.
Currently, most applications use cookies to implement Session tracking. When a Session is created for the first time, the server sends a feedback message to the client through THE HTTP protocol and records a Session ID in the Cookie, so that the user can be identified with each subsequent request.
Someone asked, what if cookies are disabled on the client’s browser?
Block all cookies and click on the force site to see the effect
Block all cookies, click on the page directly cannot access
Session tracking is done using URL rewriting, where each HTTP interaction is followed by a parameter such as SID = XXXXX so that the server can identify the user.
Change posture ~
The communication between the client and the server can be simply understood as follows:
Call beast speaks well in a meeting, ask him some questions after the meeting, and he answers your questions. This is a conversation. But the beast was so popular that the staff collected the questions and gave each questioner a number plate. The beast gave corresponding answers according to the number plate and told the corresponding people. So that’s Session. Some time later, when you meet the beast again, he finds you have the answer of the last reply to you, and knows that you are the studious student. And you’re like, wow, the beast recognized me, and this is Cookie, your little dessert. The client is like a student in class, and the server is the beast.
For example, when you log in to a website once, you don’t want to enter your account again when you log in next time. What should you do? This information can be written into the Cookie. When visiting the website, the script of the website page can read this information and automatically fill in the user name, which is convenient for users to use and gives users a little sweetness.
Log in Taobao, click save account password, next time directly log in yourself.
conclusion
1. Cookie is on the client (browser) and Session is on the server.
2, Cookie security is general, others can be stored locally through the analysis of cookies and Cookie fraud. On the premise of security first, Session is preferred. Important interaction information, such as permissions, should be stored in the Session, and general information records should be stored in cookies.
3. The data saved by a single Cookie cannot exceed 4K. Many browsers limit the maximum number of cookies saved by a site to 20.
4. Sessions can be stored in files, databases, or memory, such as redis when using Node. Because it is stored on the server for a certain period of time, it takes a lot of performance away from the server as the number of accesses increases. Cookies should be used when appropriate to mitigate server performance.
The Session ID is stored in the Cookie. If the browser disables cookies, the Session will be invalid. (This can be done in other ways.) Such as passing the Session ID in the URL).
6. Session authentication is commonly used in this context. Therefore, the core of maintaining a Session is the unique identifier of the client, namely the Session ID.
Can Session cookies be tampered with? In theory, you can do this by changing the Session ID of the connection
Have not been surprised to 😁