Basic theory – The difference between cookies and sessions

This is the 23rd day of my participation in the Gwen Challenge

Cookie

If we use JS variables to store data, the data disappears as soon as the page is closed. Yet when we log in to a site such as Baidu, we stay logged in no matter which page we navigate to. How is that login state kept? Under plain HTTP this is not possible, because HTTP is a stateless protocol: it carries no context from one request to the next. So the front end needs something that stores data persistently; once the login succeeds, the server records something in it. That something is the Cookie. Cookies are used to store user information on web pages.

A Cookie is a small piece of data stored in a text file on your computer.

When the Web server sends a Web page to the browser, the server does not record the user’s information after the connection is closed.

The purpose of cookies is to solve the problem of “how to record user information on the client”:

  • When a user visits a Web page, his name can be recorded in a Cookie.

  • The next time the user visits the page, that record can be read back from the Cookie.

Cookies have limits. They are stored by the browser, not by a single page, so they can persist for a long time; and they are scoped to a domain name, so a cookie set under one domain is not visible under another, even though both live in the same browser.

Now that we know about cookies, let’s look at the process that cookies implement to stay logged in:

  1. Initial status: No login.

  2. Visit the Baidu login page and enter the username and password.

  3. If the username and password are correct, Baidu’s back end sets a Cookie on its domain name and writes basic user information (encrypted) into it.

  4. Every subsequent request to Baidu automatically carries these cookies, because the browser attaches them itself.

  5. The server sees the Cookie that holds the ID, decrypts it, and obtains the user’s own ID.

  6. If the user’s ID can be obtained, the user is logged in, so the back end can keep serving that user’s information.

That is how a Cookie maintains the login state. Cookies have a disadvantage, though: if some bad person copies the Cookie from my browser, he can log in to my account on his computer.

Session

So what is Session?

Session is another mechanism for recording the client’s state. The difference is that a Cookie is stored in the client’s browser, where it is easy for others to copy, whereas a Session is stored on the server, where it is hard to copy.

When the client’s browser accesses the server, the server records the client’s information on the server side in some form; that record is the Session. On later visits, the client’s state only needs to be looked up in the Session.

Storing data in a Session also has a disadvantage: the server consumes resources when there are a large number of users.

A reverse proxy is needed because there may be more than one server on the back end, and a user’s login information is generally stored on only one of them. A reverse proxy has two modes: polling (round-robin) and IP hash. Polling means that if I have 10 servers, requests are handed to each server in turn. That cannot keep the login state: a request handed to a server that holds no information about the user cannot be recognised as logged in. IP hashing solves this problem. Your computer’s IP address does not change until you shut it down, so the proxy decides by IP address, and the same IP address is always sent to the same server. That guarantees your requests reach the server that holds your login information, so the login state stays in place.