tags: Servlet


The difference between Session and Cookie

  • Compare by storage mode

    • Cookies can only store strings, and if you want to store non-ASCII strings, you have to encode them.
    • A Session can store any type of data. You can think of a Session as a container.
  • Compare by privacy and security

    • Cookies are stored in the browser and are visible to the client, so the information in them leaks easily. If you use cookies, it is best to encrypt them.
    • Sessions are stored on the server and are transparent to clients. There is no sensitive information leakage problem.
  • Compare by validity period

    • Cookies are stored on the hard disk. You only need to set the maxAge property to a large positive integer. Cookies will still exist even if the browser is closed
    • Sessions are saved on the server. Set the maxInactiveInterval value to determine the Session validity period. The Session also relies on a Cookie named JSESSIONID, whose default maxAge attribute is -1. If the browser is closed, the Session is invalidated, though it is not removed from the server.
  • Compare by server load

    • Sessions are stored on the server, and each user generates a Session. If a large number of concurrent users access the server, sessions cannot be used because they consume a large amount of memory.
    • Cookies are stored on the client and do not occupy server resources. Large websites such as Baidu and Sina generally use cookies for session tracking.
  • Compare by browser support

    • Cookies are useless if the browser disables them!
    • If cookies are disabled by the browser, sessions can be tracked by URL rewriting.
  • Compare across domains

    • A Cookie can set the domain property to work across domains.
    • A Session is valid only for the current domain name.

Using Cookie and Session together

  • Using only cookies or only sessions may not be ideal. Try using Session and Cookie at the same time.

  • So, when do you need to use both cookies and sessions?

  • In the last blog post, we used sessions to do simple shopping, and that worked. Here’s a problem: I accidentally closed my browser while I was shopping. When I went back to the browser, I found that all the items I bought were gone!! Why did they go away? The reason is simple: the maxAge attribute of the Cookie automatically maintained by the server for the Session is -1 by default, so when the browser is closed, the Cookie automatically dies. When the user accesses the site again, the Cookie is not the same.

  • What we’re thinking now is: even if I accidentally close my browser and I go back to the site, I can still find my purchase history.

  • The problem is that the Cookie automatically maintained by the server for the Session has a maxAge attribute of -1, and the Cookie is not stored on the hard disk. All I have to do now is save the Cookie on my hard disk so that even if I close the browser, when the browser visits the page again, it can bring the Cookie and the server recognizes the Session.

  • The first way: on the page that processes the purchase, create a Cookie whose value is the Session ID and return it to the browser.


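		// Re-issue the Session ID as a Cookie that survives a browser restart
		Cookie cookie = new Cookie("JSESSIONID", session.getId());
		// Positive maxAge (in seconds): the browser stores the Cookie on disk for 30 minutes
		cookie.setMaxAge(30 * 60);
		// Send the Cookie only for requests under this application's path
		cookie.setPath("/ouzicheng/");
		response.addCookie(cookie);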

  • The second method: configure the server.xml file so that each user’s Session is serialized to hard disk or a database when the server is shut down. This method is not commonly used, though; it is enough to know that it exists.

  • So let’s see what happens
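
A fuller version of the first way, as an added example rather than code from the original post: it keeps the Session timeout and the Cookie maxAge aligned, and marks the persisted Session ID HttpOnly and Secure, because a Cookie written to disk is visible on the client side. The names BuyServlet, LIFETIME_SECONDS and persistentSessionCookie are hypothetical, and the code assumes the Servlet 3.0+ javax.servlet API and a site served over HTTPS.

```java
import java.io.IOException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet standing in for the page that processes a purchase.
public class BuyServlet extends HttpServlet {

    // One lifetime for both the server-side Session and the browser-side Cookie.
    private static final int LIFETIME_SECONDS = 30 * 60;

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession();
        // Keep the Session alive on the server for as long as the Cookie lives
        // in the browser; otherwise the stored Cookie may point at a Session
        // that has already expired.
        session.setMaxInactiveInterval(LIFETIME_SECONDS);

        response.addCookie(persistentSessionCookie(request, session));
        response.setContentType("text/plain;charset=UTF-8");
        response.getWriter().println("Purchase recorded");
    }

    // Builds the JSESSIONID Cookie that survives a browser restart.
    static Cookie persistentSessionCookie(HttpServletRequest request, HttpSession session) {
        Cookie cookie = new Cookie("JSESSIONID", session.getId());
        // Positive maxAge: the browser writes the Cookie to disk instead of
        // dropping it when the window closes (the default is -1).
        cookie.setMaxAge(LIFETIME_SECONDS);
        // Scope the Cookie to this application; the context path is "" for the root.
        String contextPath = request.getContextPath();
        cookie.setPath(contextPath.isEmpty() ? "/" : contextPath + "/");
        // Page scripts cannot read the Session ID.
        cookie.setHttpOnly(true);
        // Assumption: the site uses HTTPS, so never send the ID over plain HTTP.
        cookie.setSecure(true);
        return cookie;
    }
}
```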

