Web Security (V) what is a session? Why do I need a session?

Session What is it?

  Session Is the meaning of conversation , It is generally used to record user information on the server . It made up for HTTP It is the defect of stateless protocol that makes the service unable to identify users .

   The typical scene is a shopping cart , When you want to add items to the cart , The system doesn't know which user operated , because HTTP Protocol is stateless . The server creates specific Session Then you can identify the user and track the user .

Why session

   Talk about session Usually in web In the context of application , We know web The application is based on HTTP Agreed , and HTTP The agreement is exactly a stateless agreement . in other words , User from A The page jumps to B The page will be sent again HTTP request , When the server returns the response, it cannot know that the user is requesting B What did you do before the page .

   about HTTP The cause of Statelessness , relevant RFC There is no explanation in , But contact HTTP History and application scenarios , We can infer some reasons ：

  1、 Design HTTP The original purpose is to provide a release and reception HTML Page method . At that time, there was no dynamic page technology , Only pure static HTML page , Therefore, there is no need for the agreement to maintain the state ;

  2、 When the user receives a response , It often takes some time to read the page , Therefore, if the connection between the client and the server is maintained , Then this connection will be idle most of the time , This is an unprovoked waste of resources . therefore HTTP The original design is the default short connection , That is, the client and server disconnect after completing a request and response TCP Connect , Therefore, the server cannot predict the next action of the client , It doesn't even know if this user will visit again , So let HTTP Protocols to maintain user access status are also completely unnecessary ;

  3、 Transfer part of the complexity to HTTP Protocol based technology can make HTTP It is relatively simple at the level of agreement , And this simplicity also gives HTTP Stronger scalability . in fact ,session Technology is also right in essence HTTP An extension of the protocol .

   To make a long story short ,HTTP The statelessness of is determined by its historical mission . But with the vigorous development of network technology , People are no longer satisfied with rigid and boring static HTML, They hope web Application can move , So scripts and DOM technology ,HTML Added form in , And the server appears CGI Dynamic technology .