1. Introduction

Hello everyone, I am Xiao❤, a non-CS-major programmer from a 985 university who has been knocking around the industry for many years, working as a backend development engineer at state-owned enterprises, large Internet companies and startups.

The embarrassing incident of grabbing tickets during the holiday

Recently something embarrassing happened to Xiao❤ while trying to grab a high-speed rail ticket for a trip. It was close to the Mid-Autumn Festival and National Day holidays, and from past experience tickets would be hard to get, so I found someone through a contact to grab the ticket for me; sales opened at 9 am the next day. As luck would have it, I picked up my phone at around 8 o'clock the next morning and thought I would check the tickets on 12306 myself. Enter the phone number, get the verification code, log in, all in one go! Then, at around 9 o'clock, Brother Niuzi told me he had failed to get the ticket. The reason turned out to be that the account had been kicked off partway through: a 12306 account can only be logged in on one mobile phone at a time. Ah, this?! I had assumed Brother Niuzi used some high-end channel or magical app, but it turns out... So I took the opportunity to review the login mechanism of 12306, and this article came about.

The underlying logic of device restrictions

Nowadays it is common for websites and mobile apps to limit the number of devices that can be logged in at the same time. Both limiting the number of logins and keeping a user logged in depend on how the HTTP protocol carries state, and on the Cookie and Session mechanisms on the client and server. We deal with them every day, but do you really understand how they work and how to use them properly? Let's lift the veil together.

2. Background

As we all know, HTTP is a stateless protocol. Stateless means the server does not track or remember previous requests: it has no memory of what it processed before, so each request is handled independently. Its advantages and disadvantages are:

Imagine having to log in again every time we switch apps on the phone or put an app in the background. That would be unbearable. Applications and websites therefore keep a login state. Our requirements for the login function are:

In addition, some other web interaction scenarios also need to remember state, such as:
As a result, two techniques for maintaining state across HTTP requests came into being: Cookie and Session.

3. Session: Identity Identifier

A Session, like your ID card, is a way of passing identity information between the server and the client. The sequence diagram of a user login generating a Session is as follows:

When you log into a website, the server generates a unique SessionID, stores the session record on the server side, and sends the ID to your browser, usually in a cookie. Calling the login interface from Postman gives the following response:

Postman request login interface

This SessionID is like your pass: your browser sends it to the server on every visit to a page that requires login, and the server uses it to identify you, just as a security guard checks your ID card. Two properties make this safe: the SessionID must be unguessable (a long random token, not a counter or anything derived from the username), and the record it points to never leaves the server, so the only thing a client can tamper with is the opaque ID itself.

4. Cookies: Keeping Memory

A cookie is a small piece of text stored by your browser. True to its name, it is like a small treat that lets the server "remember" you between HTTP requests. When you log in, the server stores some information in a cookie, such as your username or some preferences. On every later request to the same site, your browser sends that information back, so the server can "recognise" you without asking you to log in again. The sequence diagram of a user interacting with an application through cookies is as follows:

Because the SessionID is placed in the cookie, the application layer can read the SessionID from every request that carries the cookie, verify the user's identity and load the user's information. The Postman interaction is as follows:

Postman calls the business interface

Sometimes, for privacy, we can set the browser not to keep cookies. But that means logging in again every time we interact with the page, which is a poor experience.

5. The relationship between Session and Cookie

PS: This is a common question in web and backend development interviews, so grab a notebook and write it down 😄

Connection

As shown above, Session and Cookie are closely related. Typically, the server puts the SessionID in a cookie and sends it to your browser or other device. The browser then automatically includes that cookie in each request, so the server can recover your SessionID and know who you are. So you can think of the Session as the server's authentication record and the Cookie as the memory tool on the browser/user device that stores some information about you.

The difference

So what is the difference between Session and Cookie?

(1) Access mechanism. A cookie identifies the user by checking the "pass" the client presents; a Session checks the server's "customer profile table" to confirm the user's state.

(2) Security level. Cookies are stored locally, so an attacker with access to the device, to traffic sent over plain HTTP, or to page JavaScript through an XSS bug can read or forge them, which is why a session cookie should be marked HttpOnly, Secure and SameSite. A Session is created only when someone logs in or starts a session, is identified by an unguessable random token rather than by anything "encrypted", and expires after a set time; its security comes from the record living on the server, so the Session side is the safer place for anything that matters.

(3) Session mechanism. Simply put, a Session offers more privacy because its data is stored on the server and cannot be modified directly by the user. Cookies are stored in the user's browser, where the user can see and modify their contents, so they are not suitable for storing sensitive information. In terms of usage, Session is normally used to store login state and other sensitive information, while Cookie can store user preferences or track behaviour, such as the items in a shopping cart.
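The login and per-request flow from sections 3 to 5, as an added example (not code from the original post): a server-side session table, a random SessionID minted at login, the Set-Cookie header with the protective attributes mentioned above, and the per-request lookup with idle expiry. The 30-minute timeout, the cookie name SESSIONID and the in-memory dict standing in for Redis or a database are assumptions made for the example.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 30 * 60  # idle timeout in seconds (assumed policy)

# Server-side "customer profile table": SessionID -> record.
# A dict is enough to show the mechanism; production would use Redis or a database.
SESSIONS = {}


def create_session(user_id, now=None):
    """Login step: mint an unguessable SessionID and store the record server-side."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)  # 256 bits from the CSPRNG, never derived from user data
    SESSIONS[sid] = {"user_id": user_id, "created": now, "last_seen": now}
    return sid


def set_cookie_header(sid):
    """Build the Set-Cookie value that hands the SessionID to the browser."""
    c = SimpleCookie()
    c["SESSIONID"] = sid
    c["SESSIONID"]["httponly"] = True   # page JavaScript cannot read it (limits XSS theft)
    c["SESSIONID"]["secure"] = True     # only sent over HTTPS
    c["SESSIONID"]["samesite"] = "Lax"  # not attached to most cross-site requests (CSRF)
    c["SESSIONID"]["path"] = "/"
    return c.output(header="").strip()


def session_from_cookie_header(cookie_header, now=None):
    """Per-request step: parse the Cookie header, look the SessionID up, enforce expiry.
    Returns the session record, or None when the request is not authenticated."""
    now = time.time() if now is None else now
    c = SimpleCookie()
    c.load(cookie_header or "")
    if "SESSIONID" not in c:
        return None
    sid = c["SESSIONID"].value
    rec = SESSIONS.get(sid)
    if rec is None:
        return None  # unknown or forged ID: the "pass" is not in the table
    if now - rec["last_seen"] > SESSION_TTL:
        del SESSIONS[sid]  # idle expiry: the server-side record is the source of truth
        return None
    rec["last_seen"] = now
    return rec


def logout(sid):
    """Invalidate server-side; clearing the browser's cookie alone is not enough."""
    SESSIONS.pop(sid, None)
```

Note that a forged or expired SessionID fails on the server lookup regardless of what the cookie says, which is the whole point of keeping the record on the server side.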
6. Summary

Login device restrictions

Now that you understand how Cookies and Sessions work, limiting the number of logged-in devices is straightforward. At login, once the account and password have been checked, we record each new Session against the account; counting the account's live Sessions tells us how many devices are logged in, and when the limit is reached the server can either refuse the new login or revoke the oldest Session. 12306's "one phone at a time" behaviour is the second option: the newer login evicts the older one, which is how my 8 o'clock login pushed Brother Niuzi off the account.

If we want to restrict by client type, for example allowing a computer and a mobile phone to be online at the same time, we record the device type at login, so that each device type has at most one Session. Further, for security, we can record the device's identity at login. For example, dialling *#06# in the phone dialer shows the phone's unique IMEI. Every time a user logs in from a new device, they first verify via a mobile-phone code or face, and the device's IMEI is then recorded, so that later logins from that device are recognised as trusted. One caveat: current versions of Android and iOS do not expose the IMEI to ordinary apps, so in practice the "device ID" is usually an identifier the app generates and stores on the device; whichever identifier is used, it is a value the client sends and must be treated as a hint, not as proof of which device is talking.

Conclusion

Session and Cookie are important building blocks of modern websites. They give users convenient login and a personalised experience while also protecting their privacy and security. By understanding the principles and usage of the two, we can build more secure and efficient web applications. I hope this article has given you a clearer understanding of Session and Cookie. If you have questions or want to know more, please leave a message.
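The device policy from the "Login device restrictions" section above, as an added example (not code from the original post or from 12306): at most one Session per device type, a cap on Sessions per account with oldest-first eviction, and a verification step before an unknown device ID is trusted. The cap of 2, the device-type names, the device IDs and the in-memory tables are assumptions; the device ID is simply whatever string the client supplies (an IMEI, an app-generated UUID), not something the server can verify on its own.

```python
import secrets
from collections import defaultdict

MAX_SESSIONS_PER_ACCOUNT = 2  # e.g. one PC plus one phone (assumed policy)

SESSIONS = {}                       # sid -> {"user_id", "device_type", "device_id"}
BY_USER = defaultdict(list)         # user_id -> [sid, ...] in login order (oldest first)
TRUSTED_DEVICES = defaultdict(set)  # user_id -> device ids that passed the SMS/face check


def _sessions_to_evict(user_id, device_type):
    """Decide which live sessions a new login from device_type must displace."""
    active = BY_USER[user_id]
    # Rule 1: at most one session per device type, so a second phone kicks the first phone.
    evict = [s for s in active if SESSIONS[s]["device_type"] == device_type]
    remaining = [s for s in active if s not in evict]
    # Rule 2: the account total must stay within the cap; drop the oldest first.
    while len(remaining) + 1 > MAX_SESSIONS_PER_ACCOUNT:
        evict.append(remaining.pop(0))
    return evict


def revoke(sid):
    """Server-side invalidation: the evicted device's cookie stops working immediately."""
    rec = SESSIONS.pop(sid, None)
    if rec is not None:
        BY_USER[rec["user_id"]].remove(sid)


def login(user_id, device_type, device_id, verified_new_device=False):
    """Called after the password check has passed. Returns (new_sid, evicted_sids).

    device_id is client-supplied (IMEI, app UUID, ...), so an unknown one is only
    accepted once the caller confirms the extra verification step succeeded."""
    if device_id not in TRUSTED_DEVICES[user_id]:
        if not verified_new_device:
            raise PermissionError("unrecognised device: verify by SMS code or face first")
        TRUSTED_DEVICES[user_id].add(device_id)
    evicted = _sessions_to_evict(user_id, device_type)
    for s in evicted:
        revoke(s)
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user_id": user_id, "device_type": device_type, "device_id": device_id}
    BY_USER[user_id].append(sid)
    return sid, evicted


def is_logged_in(sid):
    return sid in SESSIONS


def devices_online(user_id):
    """Device types currently holding a session for the account, oldest first."""
    return [SESSIONS[s]["device_type"] for s in BY_USER[user_id]]
```

In the ticket-grabbing story, a second phone logging in evicts the first phone's Session while the PC stays logged in; the eviction is done server-side, so the old phone's cookie is rejected on its very next request.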