What is the difference between Cookie and Session in HTTP protocol?

HTTP is a stateless protocol: the server treats every request from a client as a new request and has no record of that client's earlier requests. Cookies and Sessions are both session-tracking mechanisms used to identify browser users, in order to make up for the stateless nature of HTTP.

A cookie is a small piece of data that a server sends to a user's browser and stores locally. It will be carried the next time the browser makes a request to the same server.

Cookies store information about logged-in users, so that the next time you visit a website, the page can automatically fill in some basic login information. Usually, it is used to tell the server whether two requests come from the same browser, such as keeping the user logged in. In addition, cookies can also store user preferences, themes, and other settings.

A Session records the user's state on the server. Generally, cookies are used to manage Sessions. When the server receives a client's first request, it generates a Session ID, sets it through the Set-Cookie response header, and sends a response asking the client to store the cookie. After the client receives the response, it saves a cookie containing the Session ID on the local machine. Each time the client sends a request to the same server, the request header carries the Cookie containing the Session ID, and the server obtains the Session ID of that request by reading the Cookie in the request header.
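The exchange described above, as an added example that is not code from the original article: a minimal in-memory session store built on Python's standard library. The cookie name `SESSIONID`, the 30-minute timeout and the function names are assumptions chosen for illustration.

```python
import secrets
import time
from http.cookies import CookieError, SimpleCookie

SESSION_TTL = 1800   # assumed timeout in seconds (30 minutes)
SESSIONS = {}        # server-side store: session ID -> (expiry, data)

def start_session(data, now=None):
    """First request: keep the data on the server, return the Set-Cookie value."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)          # random, unguessable identifier
    SESSIONS[sid] = (now + SESSION_TTL, data)
    cookie = SimpleCookie()
    cookie["SESSIONID"] = sid                # only the ID travels to the client
    cookie["SESSIONID"]["path"] = "/"
    cookie["SESSIONID"]["httponly"] = True   # not readable from page scripts
    cookie["SESSIONID"]["secure"] = True     # sent over HTTPS only
    cookie["SESSIONID"]["samesite"] = "Lax"
    return cookie["SESSIONID"].OutputString()

def cookie_header_from(set_cookie_value):
    """What the browser sends back: name=value only, without the attributes."""
    return set_cookie_value.split(";", 1)[0]

def load_session(cookie_header, now=None):
    """Later requests: map the Cookie request header back to server-side state."""
    now = time.time() if now is None else now
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return None                          # malformed Cookie header
    morsel = jar.get("SESSIONID")
    if morsel is None:
        return None                          # client sent no session cookie
    entry = SESSIONS.get(morsel.value)
    if entry is None:
        return None                          # unknown or forged Session ID
    expiry, data = entry
    if now >= expiry:
        del SESSIONS[morsel.value]           # session timed out: drop the state
        return None
    return data

if __name__ == "__main__":
    set_cookie = start_session({"user": "alice"})   # constructed sample data
    print("Set-Cookie:", set_cookie)
    print("Cookie:", cookie_header_from(set_cookie))
    print(load_session(cookie_header_from(set_cookie)))
    print(load_session("SESSIONID=forged-value"))
```
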

Note that if the client has disabled cookies, saving the Session ID in a cookie will not work. In this case, the Session ID can be placed in the request URL instead. For security, the Session ID can also be encrypted.

Overall, there are five differences between Cookie and Session:

1. The storage locations are different. Cookie data is stored on the client browser, while Session data is stored on the server.

2. The security is different. Cookies are stored in the local browser, where they can be forged for spoofing, so relatively speaking, Session is more secure.

3. The size of stored data is different. The data stored in a single cookie cannot exceed 4K. Many browsers limit a site to storing a maximum of 20 cookies. Session is stored on the server and the browser has no restrictions on it.

4. The data types are different. Cookies only support the storage of string data, while Session can store any data type.

5. The validity period is different. Cookies can be set to be kept for a long time, such as the automatic login function we often use. Sessions are generally effective for a short time and will become invalid when the client is closed or the Session times out.
