Cookies and sessions
2022-07-22 07:02:00 【It could be something else】
Cookie
HTTP is a stateless protocol, mainly to keep the protocol as simple as possible so that it can handle a large number of transactions. HTTP/1.1 introduced cookies to save state information.
A cookie is a small piece of data that the server sends to the user's browser, which stores it locally. The browser sends it back with later requests to the same server, which lets the server tell whether two requests come from the same browser. Because every request has to carry the cookie data, there is additional performance overhead (especially in mobile environments).
Cookies were once used to store client-side data, because at the time there was no other suitable storage method and they were the only storage means. Now that modern browsers support a variety of storage methods, cookies are gradually being phased out for this purpose. Newer browser APIs allow developers to store data locally directly, such as the Web Storage API (local storage and session storage) or IndexedDB.
Purpose
- Session state management (such as user login status, the shopping cart, game scores or other information that needs to be recorded)
- Personalization (such as user-defined settings, themes, etc.)
- Browser behavior tracking (such as tracking and analyzing user behavior)
Session
Besides storing user information in the user's browser through a cookie, you can also store it on the server side using a session. Information stored on the server side is more secure.
A session can be stored in files, a database or memory on the server. It can also be stored in an in-memory database such as Redis, which is more efficient.
The process of using a session to maintain the user's login status is as follows:
- When logging in, the user submits a form containing a user name and password, which is placed in the HTTP request message;
- The server verifies the user name and password. If they are correct, it stores the user information in Redis; its key in Redis is called the Session ID;
- The Set-Cookie header field of the response message returned by the server contains this Session ID. After receiving the response message, the client stores the cookie value in the browser;
- When the client later sends requests to the same server, it includes this cookie value. After receiving it, the server extracts the Session ID, retrieves the user information from Redis, and continues with the previous business operations.
Pay attention to the security of the Session ID: it must not be easy for a malicious attacker to obtain, so the server must not generate Session ID values that are easy to guess. In addition, the Session ID needs to be regenerated frequently. In scenarios with high security requirements, such as money transfers, besides using the session to manage user state you also need to re-authenticate the user, for example by asking for the password again or by using an SMS verification code.
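The login flow and the Session ID precautions described above, as an added example (not code from the original post). It assumes a dict standing in for Redis, a constructed demo user and a cookie named SESSIONID; the HttpOnly, Secure and SameSite cookie attributes are additions beyond what the post mentions.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed sample data: a dict stands in for Redis, plus one demo user.
SESSIONS = {}                     # session ID -> user info
SALT = b"demo-salt"               # constructed; use a per-user random salt in practice
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000)}

def _set_cookie(sid):
    """Build the Set-Cookie header value that carries the session ID."""
    c = SimpleCookie()
    c["SESSIONID"] = sid
    c["SESSIONID"]["httponly"] = True    # not readable from page scripts
    c["SESSIONID"]["secure"] = True      # only sent over HTTPS
    c["SESSIONID"]["samesite"] = "Lax"
    c["SESSIONID"]["path"] = "/"
    return c["SESSIONID"].OutputString()

def login(username, password):
    """Verify credentials, store the session, return the Set-Cookie value."""
    expected = USERS.get(username)
    given = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    if expected is None or not hmac.compare_digest(expected, given):
        return None
    sid = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG
    SESSIONS[sid] = {"user": username}
    return _set_cookie(sid)

def session_id_from(cookie_header):
    """Extract the session ID from a request's Cookie header."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return jar["SESSIONID"].value if "SESSIONID" in jar else None

def lookup(cookie_header):
    """Map the cookie back to the stored user info (None if unknown)."""
    return SESSIONS.get(session_id_from(cookie_header))

def rotate(cookie_header):
    """Regenerate the session ID; the old one stops working immediately."""
    data = SESSIONS.pop(session_id_from(cookie_header), None)
    if data is None:
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = data
    return _set_cookie(sid)
```

Calling rotate() after login and after any privilege change means a Session ID captured earlier is no longer accepted by lookup().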
When the browser disables cookies
In this case cookies cannot be used to save user information; only sessions can be used. In addition, the Session ID can no longer be stored in a cookie. Instead, URL rewriting is used, and the Session ID is passed as a URL parameter.
Choosing between Cookie and Session
- A cookie can only store ASCII strings, while a session can store any type of data, so a session is preferred when data complexity is a consideration;
- A cookie is stored in the browser and is vulnerable to malicious viewing. If you have to store some private data in a cookie, you can encrypt the cookie value and then decrypt it on the server;
- For large websites, storing all of a user's information in the session is very costly, so it is not recommended to store all user information in the session.