The distinction and understanding of Session and Cookie
Let’s talk about session first
The debate on SESSION seems to have never stopped, but the number of people who can understand SESSION should account for more than 90%. But let’s talk about it, don’t be too old~
Some people agree with using SESSION, and some people don’t agree. But how to answer this question? You might as well listen to my opinion. If you make a mistake, please don't throw anything at it, except gold bars and coins.
Some people should know that I am a programmer, and the most important thing in programmership is efficiency, but I won’t talk about design here, but look at SESSION from a more practical perspective.
First of all, let’s talk about what SESSION does. SESSION is a user information storage mechanism that can store targeted user information for a certain user’s IE and any windows opened through its current window. Why do you say this. Let’s first study how SESSION is started. When you open IE and browse the website, a command will be issued to request SESSIONID and download permission for various types of data, such as pictures, sounds and FLASH.
Actual data transmission content: IE to server
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language0: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: www. jh521.com
Connection: Keep-Alive
The server will return an unused SESSIONID for IE to use. At that time, IE will store the returned SESSIONID
and return the download data of the relevant pages at the same time, as follows: Server To IE
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 30 Nov 2003 16:41:51 GMT
Content-Length: 21174..Content-Type: text/html
Set-Cookie: ASPSESSIONIDCACBBBRT=IBOMFONAOJFEEBHBPIENJFFC; path=/
Cache-control: private
Then there is the page HTML code. At this time, the SESSIONID of this IE program (not the client) is IBOMFONAOJFEEBHBPIENJFFC. When IE accesses any ASP program on this site, it will send IBOMFONAOJFEEBHBPIENJFFC to the server. The server will know that IBOMFONAOJFEEBHBPIENJFFC means you. Setting SESSION("name")="name" on the server can be regarded as SESSION( "IBOMFONAOJFEEBHBPIENJFFC")("name")="name"
or
SESSION(SESSIONID)("name")="name"
In this way, SESSION distinguishes users.
When the server feedbacks this ID, it will check whether this ID has been used. If you change it,
won’t let you repeat it anyway. If you want to simulate someone’s SESSION ID for deception, it’s okay. However, it can only be implemented after obtaining the other party's IE transmission signal and ensuring that the SESSIONID has not been canceled at that time.
But if I have the time, I can find his NAME and PASS directly through the POST signal. I don't need to bother. I think some people understand how SESSIONID works, so let's take a look at COOKIE. Some people say that SESSIONID is COOKIE. Technically speaking, they are not of the same type, but they belong to the same working mode. Users and The server transmits private data. When I set COOKIE, the server will feedback a command to IE. IE generates COOKIE through this network command and stores it. It will obtain this information at specific times, such as when accessing this site and the COOKID is valid.
So why use COOKIE instead of SESSION?
Look at the difference
Valid time and storage method Transmission content
COOKIE can be set and retained locally Clear information
SESSION does not close IE and server No timeout, only SESSIONID
You can only use COOKIE when you want the user to log in to the website next time without entering a user name or password,
because it can be retained for a long time (when the COOKIE record is deleted or invalidated before the date)
But SESSION cannot, it will not be retained for too long, and IE will automatically clear the SESSIONID record after closing
It will request a new SESSIONID the next time you log in
And the server wants to When verifying the user's status through user personal variables, COOKIE cannot be used
If the user permission is set to USER. When IE accesses, it transmits USER's clear code to the server.
Then if I use certain means, such as directly modifying the COOKIE record and changing USER to ADMIN~~
It will be troublesome.
But to store information such as username and password or website color scheme, it is best to use COOKIE
Okay, I am a little tired, let’s talk about this thing
Request.ServerVariables("HTTP_REFERER")
I think some people use this Request.ServerVariables("HTTP_REFERER")
to implement some key restrictions, especially to deal with remote submission and illegal intrusion.
Then I would like to remind you that the HTTP_REFERER information obtained by the server is completely transmitted to the server by IE, which can be simulated
and it is not difficult. It takes less than half an hour to use VB to create an intrusion program for HTTP_REFERER.
(Unfortunately, I originally thought that he didn’t do anything serious, but came to do WEB game hang-up programs)
Attached is a nice reply:
--------------- -------------------------------------------------- -------------------------------------
COOKIE is a local file and is the 40 thieves in Ali A mark made by Baba’s house,
or a box the milkman nailed to your door.
SESSION is server-side memory, which is the key given to you by the bathtub when you take a bath.
For your own use, you can open many of your own boxes.
APPLICATION is a public bath.
You can see everyone here, including ppmm:).
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
