
Cookie and session Basics

2022-06-26 04:59:00 The story of Ula

Basic knowledge of Cookie and Session

HTTP is stateless and keeps no record of previous requests, so sessions and cookies are used to preserve state across requests.

Definition:

When you browse a website, the web server first sends a small piece of information to your computer. The cookie records the text you type or the choices you make on the site. The next time you visit the same site, the web server first checks whether it left any cookie information last time; if so, it identifies the user from the cookie and sends back specific page content. Many websites that offer personalized services rely on cookies to identify the user and deliver user-specific content, for example free web-based email sites.
The cookie mechanism keeps state on the client, whereas the session mechanism keeps state on the server.

Cookie mechanism:

Formally, cookies are distributed by extending the HTTP protocol: the server adds a special directive to the HTTP response header that tells the browser to create the corresponding cookie. Pure client-side scripts such as JavaScript or VBScript can also create cookies. Cookies are then used by the browser, which sends them to the server automatically in the background according to certain rules. The browser checks all stored cookies; if a cookie's declared scope is greater than or equal to the location of the resource being requested, the browser attaches that cookie to the HTTP request header for that resource and sends it to the server.
A cookie mainly consists of a name, a value, an expiration time, a path and a domain. The path and domain together make up the cookie's scope. If no expiration time is set, the cookie lives only for the browser session and disappears when the browser window is closed. A cookie whose lifetime is the browser session is called a session cookie. Session cookies are generally kept in memory rather than on disk, although this behaviour is not mandated by the specification. If an expiration time is set, the browser saves the cookie to disk, and it remains valid after the browser is closed and reopened until the expiration time passes. Cookies stored on disk can be shared between different browser processes, for example two IE windows. Cookies held in memory are handled differently by different browsers.
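
The scope rule described above, as an added Python sketch that is not part of the original article: it decides which cookies a browser would attach to a request from their domain, path and expiry, and shows session cookies being dropped on restart. The cookie names, hosts and timestamps are constructed, and every cookie is treated as if it had been set with an explicit Domain attribute.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Cookie:
    name: str
    value: str
    domain: str                       # scope: host or parent domain
    path: str = "/"                   # scope: path prefix
    expires: Optional[float] = None   # None = session cookie (memory only)

def domain_match(host: str, cookie_domain: str) -> bool:
    """True if host is the cookie domain or a subdomain of it."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

def path_match(request_path: str, cookie_path: str) -> bool:
    """Prefix match on whole path segments ("/checkout" != "/checkoutx")."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cookie_header(jar, host, path, now):
    """Return the Cookie request-header value the browser would attach."""
    sent = [c for c in jar
            if domain_match(host, c.domain)
            and path_match(path, c.path)
            and (c.expires is None or c.expires > now)]
    # More specific (longer) paths are listed first.
    sent.sort(key=lambda c: len(c.path), reverse=True)
    return "; ".join(f"{c.name}={c.value}" for c in sent)

def after_browser_restart(jar):
    """Session cookies (no expiry) are gone once the browser closes."""
    return [c for c in jar if c.expires is not None]

# Constructed sample jar; names, hosts and times are illustrative only.
JAR = [
    Cookie("SESSIONID", "abc123", "shop.example.com", "/"),
    Cookie("theme", "dark", "example.com", "/", expires=2_000_000_000.0),
    Cookie("cart", "42", "shop.example.com", "/checkout"),
    Cookie("old", "x", "example.com", "/", expires=1_000.0),
]
```

The suffix check in `domain_match` requires a leading dot, so a look-alike host such as `badexample.com` never receives cookies scoped to `example.com`.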

Session mechanism:

The session mechanism is a server-side mechanism: the server uses a structure similar to a hash table (it may actually be a hash table) to store information. When a program needs to create a session for a client request, the server first checks whether the request already contains a session identifier (called the session id). If it does, a session has already been created for this client, and the server looks up that session by its session id and uses it (if the lookup fails, a new one is created). If the request contains no session id, the server creates a session and generates a session id associated with it. The session id value should be a string that never repeats and in which no pattern can easily be found that would allow it to be forged. The session id is returned to the client in the current response for the client to store. A cookie can be used to store the session id, so that the browser automatically sends the identifier back to the server according to the rules during subsequent interaction. The cookie's name is generally something like SESSIONID. However, cookies can be disabled by the user, so there must be another mechanism that still passes the session id back to the server when cookies are disabled. A commonly used technique is URL rewriting, which appends the session id directly to the URL path.

Differences:

  • Cookie data is stored in the client's browser; session data is stored on the server.
  • Cookies are not very secure: others can analyze locally stored cookies and carry out cookie spoofing. Where security matters, use sessions.
  • Sessions are kept on the server for a certain period of time. As traffic grows they consume server resources; to reduce the load on the server, use cookies.
  • A single cookie cannot exceed 4K, and many browsers limit a site to at most 20 cookies.

Session life cycle:

Sessions are stored on the server, generally in server memory for fast access. A Session is created the first time a user accesses the server. Note that a Session is created only when a program such as a JSP or Servlet is accessed; accessing only static resources such as HTML or images does not create one. You can call request.getSession(true) to force a Session to be created.

When does a Session become invalid?
  1. The server removes Sessions that have been inactive for a long time from server memory, at which point the Session is invalid. The default Session expiration time in Tomcat is 20 minutes.
  2. The Session's invalidate method is called.

Session requirements for the browser:

Although the Session is stored on the server and is transparent to the client, it still needs support from the client browser to work properly, because the Session uses a Cookie as its identifier. HTTP is stateless, so the Session cannot tell from the HTTP connection whether a request comes from the same client. The server therefore sends the client browser a Cookie named JSESSIONID whose value is the Session's id (that is, the return value of HttpSession.getId()). The Session identifies the same user by this Cookie.
This Cookie is generated automatically by the server. Its maxAge attribute is generally -1, meaning it is valid only in the current browser, is not shared between browser windows, and expires when the browser is closed. So when two browser windows on the same machine access the server, two different Sessions are created. The exception is a new window opened from within a browser window through a link, a script and so on (that is, a window not opened by double-clicking the browser icon on the desktop). Such a child window shares the parent window's Cookie and therefore shares one Session.
Note: a new browser window creates a new Session, except for child windows, which share the parent window's Session. For example, when you right-click a link and choose "Open in a new window" from the context menu, the child window can access the parent window's Session.
What if the client browser has Cookies disabled or does not support them? For example, most mobile browsers do not support Cookies. Java Web provides another solution: URL rewriting.
URL rewriting is the solution for clients that do not support Cookies. It works by writing the user's Session id into the URL; the server parses the rewritten URL to obtain the Session id. This way, even if the client does not support Cookies, a Session can still be used to record user state. The HttpServletResponse class provides encodeURL(String url) to perform URL rewriting. The method automatically determines whether the client supports Cookies: if it does, the URL is output unchanged; if it does not, the user's Session id is written into the URL.
Note: Tomcat decides whether the client browser supports Cookies by whether the request contains a Cookie. Although the client may support Cookies, the first request carries none (there is no Cookie to carry yet), so the rewritten URL contains jsessionid. By the second visit the server has already written the Cookie to the browser, so the rewritten URL no longer contains jsessionid.
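
The session lookup-or-create flow, the two invalidation paths and the URL-rewriting fallback described above, as an added Python model that is not part of the original article and is not the servlet container's own code. `SessionStore` and `encode_url` are hypothetical names; the 20-minute idle timeout is the figure quoted on this page.

```python
import secrets
import time

class SessionStore:
    """Server-side table mapping session id -> per-user state."""

    def __init__(self, idle_timeout=20 * 60, clock=time.time):
        self.idle_timeout = idle_timeout   # seconds of allowed inactivity
        self.clock = clock                 # injectable so expiry can be tested
        self._table = {}                   # sid -> {"data": dict, "last": float}

    def get_session(self, request_sid=None):
        """Return (sid, data, is_new) for the id the request carried, if any."""
        now = self.clock()
        entry = self._table.get(request_sid) if request_sid else None
        if entry and now - entry["last"] > self.idle_timeout:
            self.invalidate(request_sid)   # idle too long: treat as unknown
            entry = None
        if entry is None:
            # An unknown id is never adopted; the server always mints a
            # fresh, unpredictable one (128 bits from the OS CSPRNG).
            sid = secrets.token_hex(16)
            entry = self._table[sid] = {"data": {}, "last": now}
            return sid, entry["data"], True
        entry["last"] = now                # activity resets the idle timer
        return request_sid, entry["data"], False

    def invalidate(self, sid):
        """Explicit invalidation, e.g. on logout."""
        self._table.pop(sid, None)

def encode_url(url, sid, request_had_cookie):
    """Append the id as a path parameter only when no cookie came back."""
    if request_had_cookie:
        return url
    path, sep, query = url.partition("?")
    return f"{path};jsessionid={sid}{sep}{query}"
```

A session id carried in the URL ends up in server logs, browser history and Referer headers, so it deserves the same protection as a password. Servlet 3.0 and later let an application restrict session tracking to cookies with `<tracking-mode>COOKIE</tracking-mode>` in web.xml.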
