Cookies, sessions, and tokens are all mechanisms for persistence: they let clients and servers recognise each other across requests. By default HTTP is stateless, so each request stands alone and the server has no memory of who sent the previous one.

1. Cookie

A cookie is a very specific thing: a piece of data that the browser can store persistently. It is simply a data-storage facility implemented by the browser.

The cookie is generated by the server and sent to the browser in the Set-Cookie response header. The browser saves it as key-value pairs in a text file in its profile directory, and sends it back to the server with every later request to the same website. Because cookies live on the client, browsers impose limits so that cookies cannot be abused and do not consume too much disk space; in particular, the number of cookies per domain is limited.

2. Session

Session literally means a conversation. The server needs to know who is sending the current request. To do this it assigns a distinct "id" to each client, and every request the client sends afterwards carries that id, so the server can tell whom the request came from. How the client stores this "identity" can vary; for browser clients the default is a cookie.

With a session, the server keeps the user's information temporarily on the server side and destroys it when the user leaves the site. Storing user information this way is more secure than keeping it in cookies, but sessions have a drawback: if the web server is load-balanced, the session is lost when the next request lands on a different server.
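The following is an added example, not code from the original post, of the split just described: a hypothetical Python SessionServer whose cookie carries only a random session id while the user's data stays in the server's own store. A second server instance with its own store cannot recognise the id, which is the load-balancing drawback above. The class name, the cookie name sid, the 1800-second lifetime and the cookie attributes are assumptions.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_COOKIE = "sid"   # hypothetical cookie name
SESSION_TTL = 1800       # assumed session lifetime in seconds


class SessionServer:
    """One application server with its own in-memory session store (hypothetical)."""

    def __init__(self):
        self._store = {}     # session id -> {"uid": ..., "expires": ...}

    def login(self, uid):
        """Create a session; return (session id, Set-Cookie header value).

        The cookie carries only an opaque random id; the user's data never
        leaves the server. HttpOnly keeps page scripts from reading the cookie,
        Secure restricts it to HTTPS, and SameSite=Lax limits cross-site sending.
        """
        sid = secrets.token_urlsafe(32)
        self._store[sid] = {"uid": uid, "expires": time.time() + SESSION_TTL}
        cookie = SimpleCookie()
        cookie[SESSION_COOKIE] = sid
        morsel = cookie[SESSION_COOKIE]
        morsel["httponly"] = True
        morsel["secure"] = True
        morsel["samesite"] = "Lax"
        morsel["max-age"] = SESSION_TTL
        return sid, morsel.OutputString()

    def _session_id(self, cookie_header):
        """Extract the session id from a request's Cookie header, or None."""
        cookie = SimpleCookie()
        cookie.load(cookie_header)
        morsel = cookie.get(SESSION_COOKIE)
        return morsel.value if morsel else None

    def whoami(self, cookie_header):
        """Resolve the Cookie header to a uid, or None if there is no valid session."""
        sid = self._session_id(cookie_header)
        entry = self._store.get(sid) if sid else None
        if entry is None:
            return None
        if entry["expires"] < time.time():
            del self._store[sid]     # expired: destroy the server-side state
            return None
        return entry["uid"]

    def logout(self, cookie_header):
        """Destroy the session; the client's cookie becomes a dangling id."""
        sid = self._session_id(cookie_header)
        if sid:
            self._store.pop(sid, None)
```

Because the store is per instance, two SessionServer objects behave exactly like two load-balanced servers without a shared session store: a session created on one is unknown to the other.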

3. Token

Token literally means a token or credential. It is a way of verifying a user's identity, similar to a cookie, and is relatively secure.

For example, when you authorize an application, the token is what that application uses to decide whether you have granted it access. A cookie is a text file written on the client; it can hold your login information, so that the next time you visit the site the browser presents the cookie and logs the user name in automatically. A session is similar to a cookie, except that the session data is a file written on the server side; the client still stores a cookie, but that cookie contains only the session identifier. In short, session state is stored on the server and the client holds only the session ID, whereas token state is stored on the client.

The simplest token consists of three parts: uid (the user's unique identifier), time (the timestamp of the current time), and sign (the signature: a hexadecimal string produced by hashing the preceding fields together with a secret salt, so that a malicious third party cannot forge a token by simply concatenating the fields and sending it to the server). Parameters that never change can also be placed in the token, which saves repeated database lookups.

Token features:

  1. Stateless and scalable;

  2. Supports mobile devices;

  3. Can be called across programs;

  4. Security.

General process:

  1. The client requests a token from the server.

  2. When the server receives the request, it verifies the user's information and issues a token to the client. The server itself also keeps a record of the token.

  3. The client saves the token it received and sends it with every subsequent request.

  4. When the server receives those later requests, it verifies the client's token. If verification succeeds, it returns the data.
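An added example, not code from the original post, that puts both the uid.time.sign layout from section 3 and the four-step process above into a hypothetical Python TokenServer: credentials are checked against a constructed user store, a signed token is issued and recorded, and each later request is verified by recomputing the signature and checking the timestamp. SERVER_SECRET, TOKEN_TTL, CLOCK_SKEW, the PBKDF2 user store and the reason strings are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed secret standing in for the server's "salt"; a real deployment
# loads a random value from configuration rather than generating it at import.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL = 3600     # assumed token lifetime in seconds
CLOCK_SKEW = 300     # assumed tolerance for client/server clock drift


def _password_hash(password, salt):
    """Slow salted hash for the constructed user store (not part of the token)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TokenServer:
    """Hypothetical server issuing and checking tokens of the form uid.time.sign."""

    def __init__(self, secret=SERVER_SECRET):
        self._secret = secret
        self._users = {}       # uid -> (salt, password hash); constructed store
        self._issued = set()   # step 2: the server keeps a record of issued tokens

    def register(self, uid, password):
        salt = os.urandom(16)
        self._users[uid] = (salt, _password_hash(password, salt))

    def _sign(self, payload):
        # sign = HMAC-SHA256(secret, "uid.time") rendered as a hex string
        return hmac.new(self._secret, payload.encode(), hashlib.sha256).hexdigest()

    def request_token(self, uid, password, now=None):
        """Steps 1-2: verify the user's credentials and issue a token (or None)."""
        record = self._users.get(uid)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, _password_hash(password, salt)):
            return None
        ts = int(now if now is not None else time.time())
        payload = f"{uid}.{ts}"
        token = f"{payload}.{self._sign(payload)}"
        self._issued.add(token)
        return token

    def verify(self, token, now=None):
        """Step 4: return (uid, reason); uid is None unless reason is 'ok'."""
        parts = token.rsplit(".", 2)      # uid may itself contain dots
        if len(parts) != 3:
            return None, "malformed"
        uid, ts_str, sign = parts
        expected = self._sign(f"{uid}.{ts_str}")
        # Constant-time comparison so the check does not leak how much of the
        # signature matched.
        if not hmac.compare_digest(expected.encode(), sign.encode()):
            return None, "bad-signature"
        if token not in self._issued:
            return None, "revoked"
        try:
            ts = int(ts_str)
        except ValueError:
            return None, "malformed"
        now = now if now is not None else time.time()
        if ts > now + CLOCK_SKEW or now - ts > TOKEN_TTL:
            return None, "expired"
        return uid, "ok"

    def revoke(self, token):
        self._issued.discard(token)
```

Verification needs only the secret, so any server holding it can check a token without consulting a shared session store, which is where the "stateless" feature comes from. The _issued set mirrors step 2 ("the server itself also keeps a record of the token") and makes revocation possible, but it reintroduces server-side state that must be shared between instances, or dropped, if the stateless property is wanted in a load-balanced deployment.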
