A brief description of the difference between cookies and sessions
Cookies and sessions are both used to track the identity of the browser's user. The difference between
a cookie and a session is that cookie data is stored on the client side, while session data is stored on the server side. Put simply: when you log on to a website whose server uses sessions, all of the data is kept on the server, the client sends the session ID of the current session with every request, and the server uses that session ID to look up the user's data and decide whether the user is logged in or has certain permissions. Because the data is stored on the server it cannot be forged, but if you can obtain the session ID of a logged-in user, forging that user's requests with a specially prepared browser will succeed. The session ID is assigned at random when the client and server connect, and in general it does not repeat, but under a large number of concurrent requests repetition is not impossible; I have run into it once: after logging in to a website it showed my own information at first, and after a while, on refreshing, it showed someone else's information.
If the browser uses cookies, all of the data is stored on the browser side. For example, after you log in, the server sets a cookie username (the user name); when you request the server again, the browser sends the username along to the server in a particular standard format, and the server interprets it as the cookie variable. So as long as the browser is not closed, the cookie variable remains valid, which keeps you logged in for a long time. If you can intercept a user's cookie variable and forge a packet to send over, the server will still consider you legitimate. Therefore using cookies makes an attack more likely. If a validity period is set, the cookie is saved on the client's hard disk, and the next time the site is visited the browser first checks whether the cookie exists; if so, it reads the cookie and sends it to the server. If a forum cookie valid for one year is saved on your machine and someone breaks into your machine, copies your cookie, puts it under his own browser's directory, and then logs on to the site with your identity... so cookies can be forged. Of course, with this kind of forgery, directly copying the cookie file into the cookie directory is not recognised by the browser: it has an index.dat file that records when the cookie file was created and whether it has been modified, so you need the site's cookie file and you also have to fool the browser on the timestamps. I did an experiment on our school's VBB forum: logging in with a copied cookie and posting under someone else's name worked with no problem at all.
A more effective approach is to build a custom browser, which we might call a hacker browser: for example, we could rebuild Firefox ourselves so that the session ID and the cookie values can be customised, and then you can do whatever you want. Network security will face severe challenges from this.
--------------------------------------------------------------------------------
Both can be used to store private things, and both have a validity period.
The difference is this:
a session is held on the server and its expiry depends on the server's settings; a cookie is on the client, and its expiry can be set when the cookie is generated.
1. Cookie data is stored in the client's browser;
session data is kept on the server.
2. Cookies are not very secure. Someone else can analyse the COOKIE stored locally and carry out COOKIE spoofing;
considering security, SESSION should be used.
3. A session is kept on the server for a certain period of time. As traffic increases, it takes up your server's performance;
with regard to reducing the load on the server, you should use COOKIE.
4. A single cookie on the client is limited to 3K, that is, a site's COOKIE stored on the client side cannot exceed 3K.
5. I have not heard of the 300 limit.
6. So my personal suggestion:
store information such as login information in SESSION;
other information that needs to be kept can be placed in COOKIE.
Answerer's supplement 2009-05-07 08:23
Specifically, the cookie mechanism uses a scheme that keeps state on the client side, while the session mechanism keeps state on the server side. We also see that, because the server-side scheme needs to keep an identifier on the client side, the session mechanism may use the cookie mechanism to save that identifier, but in fact it has other options.
Cookie mechanism. Orthodox cookie distribution is implemented by extending the HTTP protocol: the server adds a special line to the HTTP response header that prompts the browser to generate the corresponding cookie according to that instruction. However, pure client-side script, such as JavaScript or VBScript, can also generate cookies. Cookies are used by the browser automatically sending them to the server in the background according to certain rules: the browser checks all stored cookies, and if the scope declared by a cookie is greater than the location of the resource about to be requested, the cookie is attached to the HTTP request header of the request for that resource. The contents of
a cookie include: name, value, expiration time, path and domain. The path and the domain together constitute the scope of the cookie. If no expiration time is set, the lifetime of the cookie is the browser session, and the cookie disappears when the browser window is closed. A cookie whose lifetime is the browser session is called a session cookie. Session cookies are usually not stored on the hard disk but in memory; of course, this behaviour is not regulated. If an expiration time is set, the browser saves the cookie to the hard disk, and after closing and reopening the browser the cookie is still valid until the set expiration time passes. Cookies stored on the hard disk can be shared among different browser processes, such as two IE windows. For cookies stored in memory, different browsers have different
Session mechanism. The session mechanism is a server-side mechanism; the server uses a structure similar to a hash table (or possibly an actual hash table) to store the information.
Answerer's supplement 2009-05-07 08:23
When a program needs to create a session for a client's request, the server first checks whether the client's request already contains a session identifier (called the session ID). If it does, a session has already been created for this client, and the server retrieves that session by its session ID (if it cannot be retrieved, a new one is created). If the client's request does not contain a session ID, the server creates a session for the client and generates a session ID associated with it; the value of the session ID should be a string that neither repeats nor follows a pattern that is easy to discover and copy. This session ID is returned to the client in the response.
The session ID can be saved in a cookie, so that during the interaction the browser automatically sends the identifier back to the server according to the rules. Generally the name of this cookie is similar to SEEESIONID. However, cookies can be deliberately disabled, so there must be other mechanisms to pass the session ID back to the server when cookies are disabled. One commonly used technique
is called URL rewriting, which means the session ID is appended directly to the end of the URL path. Another technique is called the form hidden field: the server automatically modifies the form and adds a hidden field, so that the session ID is passed back to the server when the form is submitted. For example:
[code]<form name="testform" action="/xxx">
<input type="hidden" name="SESSIONID" value="SESSION_ID_PLACEHOLDER" />
</form>[/code]