Session&Cookie&token
2022-07-27 04:33:00 【Yellow mud Sichuan water monkey】
One. Session
What is a Session?
A special object created by the server to save user state.
When the browser first accesses the server, the server creates a session object (the object has a unique id, generally called the sessionId), and the server sends the sessionId to the browser in a cookie.
When the browser accesses the server again, it sends the sessionId, and the server uses the sessionId to find the corresponding session object.
The difference between stateful and stateless
Basic concepts:
Stateful means having the ability to store data. A stateful object (Stateful Bean) is an object with instance variables; it can save data and is not thread safe. No state is kept between different method calls.
Stateless means a single operation that cannot save data. A stateless object (Stateless Bean) is an object without instance variables; it cannot save data, is an immutable class, and is thread safe. Stateless services do not record service state, and different requests have no relationship to each other; the HTTP protocol is stateless.
- Stateless service (common: JWT)
- Stateful service (common: Redis simulating a session to store information)
Shortcomings of Session:
- When server traffic increases, there will be many sessions. If no timeout or destruction is configured, this can easily cause the server to crash, among other problems.
- When the servers are clustered or distributed, a user logs in on one of the servers and the session is saved in that server's memory, but when the user reaches other servers the session cannot be accessed. Cache consistency techniques are usually used so that it can be shared, or a third-party cache is used to store the session, which is inconvenient.
Two. Cookie
1. How cookies work
A cookie is a small piece of text information that the server saves in the browser; each cookie is no more than 4kb. Every time the browser sends a request to the server, this information is attached automatically.
(1) The browser sends a request to the server for the first time
(2) The server creates a cookie containing information about the user, then sends the cookie to the browser
(3) When the browser visits the server again, it carries the cookie
(4) The server uses the data carried in the cookie to distinguish different users
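The exchange described in the Session section and in steps (1) to (4) above, as an added Python example (not code from the original post): an in-memory session store that hands the sessionId to the browser in a cookie and destroys sessions on timeout, the problem the list of Session shortcomings points at. The cookie name `sessionId`, the 30-minute TTL and all function names are assumptions.

```python
import secrets
import time
from http.cookies import CookieError, SimpleCookie

SESSION_TTL = 1800  # assumed: seconds of inactivity before a session is destroyed
_sessions = {}      # sessionId -> {"data": dict, "expires": float}, in server memory


def create_session(user, now=None):
    """First visit: create the session object, return the Set-Cookie header value."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)          # random id, never derived from user data
    _sessions[sid] = {"data": {"user": user}, "expires": now + SESSION_TTL}
    cookie = SimpleCookie()
    cookie["sessionId"] = sid
    cookie["sessionId"]["httponly"] = True   # page scripts cannot read it
    cookie["sessionId"]["secure"] = True     # only sent over HTTPS
    cookie["sessionId"]["samesite"] = "Lax"
    cookie["sessionId"]["path"] = "/"
    return cookie["sessionId"].OutputString()


def load_session(cookie_header, now=None):
    """Later visits: map the Cookie request header to its session data, or None."""
    now = time.time() if now is None else now
    cookie = SimpleCookie()
    try:
        cookie.load(cookie_header or "")
    except CookieError:
        return None
    morsel = cookie.get("sessionId")
    entry = _sessions.get(morsel.value) if morsel else None
    if entry is None:
        return None                          # unknown or forged id
    if entry["expires"] <= now:
        del _sessions[morsel.value]          # timed out: destroy the session
        return None
    entry["expires"] = now + SESSION_TTL     # sliding expiration on each request
    return entry["data"]


def sweep(now=None):
    """Remove expired sessions so abandoned ones do not pile up; returns the count."""
    now = time.time() if now is None else now
    dead = [sid for sid, e in _sessions.items() if e["expires"] <= now]
    for sid in dead:
        del _sessions[sid]
    return len(dead)
```

Only the random id travels in the cookie; the user data stays in `_sessions`, which is also why a second server in a cluster cannot find the session without a shared store.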
Differences and comparison
(1) Cookie data is stored in the client's browser; session data is stored on the server.
(2) Cookies are not very secure: others can analyze the cookies stored locally and carry out cookie spoofing. If security is the main consideration, use a session.
(3) A session is kept on the server for a certain period of time. As visits increase, it takes up more of the server's performance. If the main consideration is reducing the load on the server, use cookies.
(4) A single cookie is limited to 3K on the client; that is, a cookie a site stores on the client cannot exceed 3K.
(5) Therefore: store login information and other important information in the session; other information that needs to be retained can be placed in cookies.
Three. Token
1. How tokens work
Token is a computer term. A token is a special frame that controls a station's occupation of the medium, distinguishing it from data frames and other control frames. More colloquially, a token can be called a passcode: before some data is transmitted, the passcode is checked first, and different passcodes are authorized for different data operations.
Token-based authentication
2. Token usage flow
With token-based authentication, the server does not need to store the user's login record. The general process is as follows:
- The client requests login with a user name and password
- The server receives the request and verifies the user name and password
- After successful verification, the server issues a token and sends it to the client
- After receiving the token, the client can store it, for example in a cookie or in Local Storage
- Each time the client requests resources from the server, it must include the token
- The server receives the request and verifies the token in it; if verification succeeds, it returns the requested data to the client
Four. JWT

The difference between JWT and token
Conclusion:
Most intuitively: a token requires a database lookup to verify whether the token is valid, while JWT needs no or fewer database lookups; it is verified directly on the server, without querying the database.
This is because the user information and the encrypted information are already in the second part (the payload) and the third part (the signature) when the token is generated, so only verification on the server is needed, and that verification is implemented by JWT itself.
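The token usage flow in section Three and the JWT conclusion above, as an added Python example (not code from the original post): the server signs a token at login and later verifies it with only its own key, with no stored login record and no database lookup. The key, the claim names `sub` and `exp`, the choice of HS256 and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key"  # assumed server-side key; constructed for this example


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()


def issue(user, ttl=900, now=None):
    """After the user name and password check succeeds: header.payload.signature."""
    now = time.time() if now is None else now
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    # The payload is only base64url-encoded: the client can read it, so no secrets here.
    payload = b64url(json.dumps({"sub": user, "exp": int(now) + ttl}).encode())
    return f"{header}.{payload}.{b64url(sign(f'{header}.{payload}'))}"


def verify(token, now=None):
    """On every request: return the claims, or None if the token is not acceptable."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
        if json.loads(unb64url(header)).get("alg") != "HS256":
            return None  # the server fixes the algorithm; the token does not choose it
        if not hmac.compare_digest(sign(f"{header}.{payload}"), unb64url(sig)):
            return None  # header or payload was changed after signing
        claims = json.loads(unb64url(payload))
        if claims["exp"] <= now:
            return None  # expired
    except (ValueError, KeyError, TypeError, AttributeError):
        return None      # malformed token
    return claims
```

Because nothing is stored on the server, an issued token stays valid until `exp`; revoking one earlier needs a server-side check, which is the "fewer database lookups" case rather than none.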
Reference: the difference between token and JWT
Five. localStorage
HTML5 added a new localStorage feature, mainly used for local storage. It solves the problem of insufficient cookie storage space (each cookie has 4k of storage). Browsers generally support 5M for localStorage, and this varies between browsers.