Simple understanding of session, cookies, tokens
2022-07-04 11:04:00 【Black demon fairy moon】
As everyone knows, HTTP is stateless: after you access the server and then access it again, the server does not know that it is you visiting again. So how can we make sure the server knows that we have already logged in?
When we log in, the browser offers a "remember me" option. Once it is selected, the browser can obtain the user name and password, and the next time you log in, the browser fills the request with that user name and password. This introduces the first concept: the cookie.
How a cookie works:
After the browser sends a request to the server, the server returns a cookie, which contains a name and a value. The next time the browser sends a request to the server, it can carry the cookie along.
However, putting your user name and password in a cookie is very unsafe: if hackers attack our computer and obtain the cookie, our information is easily exposed. Hence the session.
After the client sends a request containing the user name and password to the server, the server issues a session ID and passes it to the client in the form of a cookie. The client carries that cookie on subsequent requests. When max-age is reached, the client deletes the cookie, and a user who still needs to be logged in has to enter the user name and password again. The session ID is stored on the server side. If the server keeps relying on session-based cookies, then when a large number of users visit it has to store a large number of session IDs. And if there are multiple servers, the session ID has to be shared with the other servers, but sharing is not a good approach. This is where the JWT token comes in.
A JWT is divided into three parts. The header indicates how the signature is generated. The payload stores the actual data, such as the expiration date. The signature is produced as follows: the header and payload are both encoded, and then the algorithm named in the header is applied to them to generate the signature information. The complete JWT can then be sent to the client. The server does not store the token; when Redis is used to cache tokens, it is because access is faster that way.
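The three-part structure described above, as an added example that is not code from the original post: it issues and verifies a token using only the Python standard library. HS256, the `SECRET` value and all function names are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # assumption: HS256 key known only to the server

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(claims, key=SECRET):
    """Build header.payload.signature; header and payload are only encoded."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, claims)]
    sig = hmac.new(key, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [b64url(sig)])

def read_payload_without_key(token):
    """Anyone holding the token can do this: the payload is not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))

def verify(token, key=SECRET, now=None):
    """Return the claims if signature and expiry check out, otherwise None."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        # Pin the algorithm on the server; the token must not choose it.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(),
                            hashlib.sha256).digest()
        # Constant-time comparison of the recomputed and presented signatures.
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        exp = json.loads(b64url_decode(body_b64)).get("exp")
    except (ValueError, TypeError, AttributeError):
        return None
    current = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or current >= exp:
        return None
    return json.loads(b64url_decode(body_b64))

if __name__ == "__main__":
    token = issue({"sub": "alice", "exp": int(time.time()) + 300})  # constructed claims
    print(token)
    print(read_payload_without_key(token))
    print(verify(token))
```

Because the payload can be read without the key, nothing secret such as a password belongs in it; the signature only proves that the server issued the token and that it has not been altered.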
To conclude: a session is created and stored on the server, and the server controls everything. A cookie is a data carrier: the session is put in a cookie and sent to the client, and the cookie then travels with every HTTP request. A token is saved in the browser, and the client controls everything; it can be placed in a cookie or in Storage. Holding a token is like holding a pass that grants access to the server.