Web Security (VI): Using Session, and the Difference Between Session and Cookie
2022-07-06 05:28:00 【jinyangjie0】
A session is a conversation: a data structure on the server that records user information.
Using Session
1. Obtaining the Session object
HttpSession s = request.getSession(flag); // flag is a boolean
Note: HttpSession is an interface.
When flag is true, the container looks up the Session object that matches the SessionId in the request; if none exists, it returns a new Session object.
When flag is false, it likewise looks up the Session object by the SessionId in the request, but returns null if none exists.
2. Common methods
Binding data:
session.setAttribute(String name,Object obj);
Getting the bound value by its binding name:
Object session.getAttribute(String name);
Unbinding:
session.removeAttribute(String name);
3. Automatic destruction of a Session
The Tomcat server's default Session timeout is 30 minutes.
You can set the timeout, in minutes, in web.xml; setting it to 0 means the Session is never destroyed.
<session-config>
    <session-timeout>20</session-timeout>
</session-config>
The difference between Session and Cookie
Cookie and session are the two ways of working around the statelessness of the HTTP protocol itself. Both can record state: the former saves the state data on the client, the latter saves it on the server.
How Session works
The basic principle of a session is that the server maintains a copy of session information data for each session, and the client and server rely on a globally unique identifier to access that data. When a user accesses a web application, the server program decides when to create the session. Creating a session can be summed up in three steps:
1. Generate a globally unique identifier (sessionid);
2. Allocate storage for the data. Usually the corresponding data structure is created in memory, but in that case all session data is lost once the system loses power; for an e-commerce website, such an accident has serious consequences. The data can instead be written to a file or even stored in a database; this increases I/O overhead, but the session gains some degree of persistence and is easier to share;
3. Send the session's globally unique identifier to the client.
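The three steps above, together with the idle timeout described earlier, as an added sketch that is not code from the original post and does not use the servlet container's own implementation. The class name SessionSketch, the cookie name SESSIONID, the 128-bit identifier length and the HttpOnly/Secure/SameSite attributes are assumptions chosen for illustration; the timestamp and attribute value are constructed.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class SessionSketch { // hypothetical name, JDK only
    static final class Session { // server-side record kept for one client
        final Map<String, Object> attributes = new ConcurrentHashMap<>();
        volatile Instant lastAccess;
        Session(Instant now) { lastAccess = now; }
    }
    private static final SecureRandom RNG = new SecureRandom();
    private static final Duration IDLE_TIMEOUT = Duration.ofMinutes(30); // the default quoted above
    private final Map<String, Session> store = new ConcurrentHashMap<>(); // step 2: in-memory storage
    // Steps 1 and 2: draw the identifier from a CSPRNG so it is unique and
    // cannot be guessed, then allocate the storage that it keys.
    String create(Instant now) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        store.put(id, new Session(now));
        return id;
    }
    // Step 3: send the identifier to the client. HttpOnly hides it from page
    // scripts, Secure keeps it off plain HTTP, SameSite limits cross-site sends.
    static String setCookieHeader(String id) {
        return "Set-Cookie: SESSIONID=" + id + "; Path=/; HttpOnly; Secure; SameSite=Lax";
    }
    // Later requests: an id that was never issued, or one idle for longer than
    // the timeout, yields null (the getSession(false) behaviour described above).
    Session find(String id, Instant now) {
        Session s = store.get(id);
        if (s == null) return null;
        if (Duration.between(s.lastAccess, now).compareTo(IDLE_TIMEOUT) > 0) {
            store.remove(id); // destroy the expired session
            return null;
        }
        s.lastAccess = now;
        return s;
    }
    public static void main(String[] args) {
        SessionSketch server = new SessionSketch();
        Instant t0 = Instant.parse("2022-07-06T05:28:00Z"); // constructed timestamp
        String id = server.create(t0);
        System.out.println(setCookieHeader(id));
        server.find(id, t0.plusSeconds(60)).attributes.put("user", "alice"); // constructed value
        System.out.println(server.find(id, t0.plusSeconds(120)).attributes);
        System.out.println(server.find(id, t0.plus(Duration.ofMinutes(40)))); // idle for 38 minutes
        System.out.println(server.find("guessed-id", t0));                    // never issued
    }
}
```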
How Cookie works
Whatever server-side technology is used, as long as the HTTP response sent back contains a header of the following form, the server is considered to be asking for a cookie to be set:
Set-cookie:name=name;expires=date;path=path;domain=domain
Every browser that supports cookies responds to this by creating a cookie file and saving it (it may also be an in-memory cookie). On every later request, the browser checks whether any of its current cookies is still unexpired (judged by the expires attribute) and matches the path attribute; if so, that cookie information is added to the request header and sent back to the server in the following form:
Cookie: name="zj"; Path="/linkage"
The dynamic script on the server side parses it and handles it accordingly; it can of course also choose to ignore it.
Note that, for security reasons, cookies can be disabled by the browser.
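The browser-side selection described above (drop expired cookies, keep those whose path matches), as an added sketch that is not code from the original post. It applies the path-match rule of RFC 6265, which is more specific than the text, and leaves out domain matching; the class and record names are hypothetical, the stored cookies and request paths are constructed, and Java 16 or later is assumed for records.

```java
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;

public class CookieJarSketch { // hypothetical name, JDK only
    // One stored cookie; expires == null means an in-memory (session) cookie.
    record StoredCookie(String name, String value, String path, Instant expires) {}

    // RFC 6265 path-match: the cookie path must equal the request path or be a
    // prefix of it that ends on a "/" boundary, so "/linkage" covers
    // "/linkage/list" but not "/linkageadmin".
    static boolean pathMatches(String cookiePath, String requestPath) {
        if (requestPath.equals(cookiePath)) return true;
        if (!requestPath.startsWith(cookiePath)) return false;
        return cookiePath.endsWith("/") || requestPath.charAt(cookiePath.length()) == '/';
    }

    // Builds the Cookie request header, or returns null when nothing qualifies.
    static String cookieHeader(List<StoredCookie> jar, String requestPath, Instant now) {
        List<String> pairs = new ArrayList<>();
        for (StoredCookie c : jar) {
            boolean live = c.expires() == null || now.isBefore(c.expires());
            if (live && pathMatches(c.path(), requestPath)) {
                pairs.add(c.name() + "=" + c.value());
            }
        }
        return pairs.isEmpty() ? null : "Cookie: " + String.join("; ", pairs);
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2022-07-06T05:28:00Z"); // constructed timestamp
        List<StoredCookie> jar = List.of(                    // constructed cookies
            new StoredCookie("name", "zj", "/linkage", now.plusSeconds(3600)),
            new StoredCookie("old", "x", "/linkage", now.minusSeconds(1)),
            new StoredCookie("sid", "abc", "/", null));
        System.out.println(cookieHeader(jar, "/linkage/list", now)); // live cookies under /linkage and /
        System.out.println(cookieHeader(jar, "/linkageadmin", now)); // only the "/" cookie qualifies
        System.out.println(cookieHeader(List.of(jar.get(1)), "/linkage", now)); // expired cookie only
    }
}
```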