How to save records when surfing the Internet? You need to know the relationship between Session and Cookie

Why use Session and Cookie?

In a nutshell, because Session and Cookie can record user status information.

Hiss..what does this mean?

The emergence of dynamic web pages

What is a static web page

Meaning: The content of a web page is written in HTML code. Text, pictures and other content can be specified by HTML code.

• Advantages: fast loading speed, simple to write
• Disadvantages: poor maintainability, poor scalability, and inability to display different content based on the URL; for example, if you want to display a name parameter in the URL on a web page, this is not possible with a static web page.

Conclusion: more disadvantages than advantages

The birth of dynamic web pages

Dynamic web pages can dynamically parse changes in parameters in the URL, associate with the database and dynamically present different page content. They are very flexible and versatile.

Most of the websites you encounter nowadays are dynamic websites. They are no longer a simple HTML page. They may be written in languages ​​​​such as JSP, PHP, Python, etc., and their functions are much more powerful and richer than static web pages.

Scenario: A dynamic website that requires login needs to remain logged in after login so that other pages of the website can be accessed later; so how can we save this login state?

HTTP is a stateless protocol

What does HTTP statelessness mean?

The HTTP protocol has no memory capability for transaction processing, which means that the server does not know the status of the client.

What does this mean?

When we send a request to the server, the server parses and processes the request and then returns a response. The server is responsible for completing this process (which is also a transaction), and this process is independent. The server does not record the changes in status before and after, that is, there is a lack of status records.

What are the consequences of statelessness?

This means that if the subsequent request needs to process the response of the previous request, it must be repeated, which also requires the transmission of some additional previous repeated requests to obtain the subsequent response. However, in order to maintain the previous and subsequent states, we cannot retransmit all the previous requests once, which is a waste of resources; just like if a website sends a login request before each request, it will undoubtedly greatly increase the degree of resource waste.

The birth of Session and Cookie

As can be seen from the above figure, Session and Cookie each play their own role in a website.

Actual scenario

• When we log in, the server will create a Session belonging to the current user, which stores the current user's information;
• The browser then generates a related cookie based on the Set-Cookie field in the server's response header, which is equivalent to a user credential;
• You only need to carry these cookies in the next request, and the server can use the cookies to determine whether the user is logged in and then return the corresponding response.

A vivid understanding of the relationship between Cookie and Session

Session is stored on the server side, and Cookie is stored on the client side.

Every time a user visits a website, it is equivalent to visiting a friend.

The user takes the cookie to the server's house and knocks on the door.

The server asked who it was?

User: It’s me (cookie)!

Server: Let me confirm (session confirmation).

After the server confirms, the user is allowed in.

Response header of actual website login request

(1) This is the response header returned after logging into a website. You can see that the server requires the browser to set several cookies. This is the source of cookies, and the token is generally used as the user's only credential [Login successful, response header set-cookies, browser sets cookies]

(2) When the browser requests the website again, it will put these cookies in the request header and submit it to the server; and the cookies carry the SessionID information (token) [request again, bring cookies, including SessionID]

(3) The server can find the corresponding user session information through the SessionID, and then determine the user's login status [the server obtains the user login status based on the SessionID]

(4) If some variables in the Session that set the login status are valid, it proves that the user is logged in [Session is valid, the user is logged in]

(5) At this point, the server will return the webpage content that can only be viewed after logging in, and the browser will then parse it and see the [return request response content]

(6) When the cookie is invalid or the session has expired, we need to log in again to visit the website [Cookie is invalid, Session has expired, you need to log in again]

The collaborative relationship between Session and Cookie in login function

1. Session

A session refers to a series of actions/messages with a beginning and an end. For example, when making a phone call, the whole process of picking up the phone, dialing, talking, and hanging up can be called a session.

Actual scenario:

• In the Web, the Session object is used to store the properties and configuration information required for a specific user session, so that when the user jumps between the Web pages of the application, the variables stored in the Session object will not be lost, but will exist throughout the user session.
• When a user requests a web page and the user does not have a Session, the web server will automatically create a Session object.
• When the Session expires or is abandoned, the server will terminate the Session.

2. Cookie

Some websites store data on the user's local terminal in order to identify the user and conduct session tracking.

3. Session Cookies and Persistent Cookies

(1) Session Cookies

Opening and closing a browser can be considered a session. Session cookies are valid only while the browser is open; session cookies are stored in the browser memory.

Actual scenario: Websites involving money, interests, and confidential content generally use session cookies, such as corporate email addresses.

(2) Persistent Cookies

Persistent cookies are stored in the client's local hard drive and are not affected by closing the browser. They can continue to be used the next time you visit the website, and are used to keep the user logged in for a long time.

Actual scenario: Websites that can check [Automatically log in] and [Automatically log in within 30 days] use persistent cookies.

Timing diagram between the client and the server when a persistent cookie makes a request:

4. View Cookies in the Browser

• Name: The name of the cookie. Once a cookie is created, the name cannot be changed
• Value: The value of the cookie. If the value is Unicode characters, character encoding is required. If the value is binary data, BASE64 encoding is required.
• Domain: The domain name where the cookie is injected, such as the cookie under .baidu.com. As long as the host's domain name ends with .baidu.com, the cookie can be accessed.
• Path: The path that allows the cookie to be used, usually /
• Expires/Max-Age: Cookie expiration time. If no expiration time is specified, the cookie will expire when the browser is closed.
• Size: Cookie size
• HttpOnly: If True, scripts are not allowed to access the cookie (such as JS)
• Secure: Whether Cookie is transmitted only using secure protocols, the default is False

Key points of knowledge

"Session disappears as soon as you close the browser" -- Wrong!

Actual scenario: If you go to the gym to get a membership card, the store will not cancel your card at will unless you request to cancel the card.

Therefore, it is the same for Session. When you log in, the server will generate a Session for you and will not delete your Session easily unless you request to delete it or the Session expires. Generally, we will delete it by [Logout] to trigger the server to delete the Session.

When we close the browser, the browser does not notify the server that it is closing, so the server does not know that the browser has been closed. This misunderstanding is caused by:

• Generally, websites use Cookies to save SessionID information.
• When your cookie is a session cookie, it disappears when you close your browser.
• When you open the website again, you cannot find the SessionID corresponding to the previous Cookie.
• Therefore, it is impossible to find the corresponding user's login status on the server through the original SessionID. You can only log in again to generate a new cookie to record the new SessionID.

How to solve it?

That is, set the cookie as a persistent cookie. When you close the browser and open the website again, you can still read the cookie from the local computer, thereby obtaining the original SessionID to keep you logged in.

in addition

Precisely because closing the browser does not cause the server to actively delete the session, in order to avoid wasting server resources, the server generally sets an expiration time for each session. When the session time exceeds the expiration time, the server will automatically delete the session.