The distinction and understanding of Session and Cookie
Let’s talk about session first
The debate on SESSION seems to have never stopped, but the number of people who can understand SESSION should account for more than 90%. Still, let's go over it again; don't mind that it's an old topic~
Some people agree with using SESSION, and some people don't. But how to answer this question? You might as well listen to my opinion. If I get something wrong, please don't throw anything at me, except gold bars and coins.
Some people should know that I am a jianghu programmer, and what jianghu programmers focus on is efficiency, but I won't talk about design here; instead I will look at SESSION from a more practical perspective.
First of all, let's talk about what SESSION does. SESSION is a user information storage mechanism that can store information specific to a certain user's IE and any windows opened from its current window. Why do I say this? Let's first study how a SESSION is started. When you open IE and browse the website, a request is issued asking for a SESSIONID and for permission to download various types of data, such as pictures, sounds and FLASH.
Actual data transmission content: IE to server
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: www.jh521.com
Connection: Keep-Alive
The server returns an unused SESSIONID for IE to use. IE stores the returned SESSIONID, and the server returns the data for the requested page at the same time, as follows: Server to IE
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 30 Nov 2003 16:41:51 GMT
Content-Length: 21174
Content-Type: text/html
Set-Cookie: ASPSESSI/
Cache-control: private
Then comes the page's HTML code. At this point, the SESSIONID of this IE program (not of the client machine) is IBOMFONAOJFEEBHBPIENJFFC. Whenever IE accesses any ASP program on this site, it sends IBOMFONAOJFEEBHBPIENJFFC to the server, and the server knows that IBOMFONAOJFEEBHBPIENJFFC means you. Setting SESSION("name")="name" on the server can therefore be regarded as SESSION("IBOMFONAOJFEEBHBPIENJFFC")("name")="name"
or
SESSION(SESSIONID)("name")="name"
In this way, SESSION distinguishes users.
When the server issues this ID, it checks whether the ID is already in use; in any case, it will not let IDs repeat. If you want to impersonate someone else's SESSIONID, that is possible. However, it only works after capturing the other party's IE traffic, and only while that SESSIONID has not yet been cancelled.
But if I had that much time, I could directly find his NAME and PASS in the POST data, so I wouldn't need to bother.
I think some people now understand how SESSIONID works, so let's take a look at COOKIE. Some people say that SESSIONID is COOKIE. Technically speaking, they are not of the same type, but they work in the same way: the user and the server exchange private data. When I set a COOKIE, the server sends a command to IE. IE generates the COOKIE from this command and stores it, and retrieves this information at specific times, such as when accessing this site while the COOKIE is still valid.
So why use COOKIE instead of SESSION?
Look at the difference:
        | Valid time and storage method                             | Transmission content
COOKIE  | Can be set; retained locally                              | Clear-text information
SESSION | While IE is not closed and the server has not timed out   | Only SESSIONID
If you want the user to be able to log in to the website next time without entering a username or password, you can only use COOKIE, because it can be retained for a long time (until the COOKIE record is deleted or expires).
SESSION cannot do this: it is not retained for long, and IE automatically clears the SESSIONID record when it is closed, then requests a new SESSIONID on the next visit.
When the server wants to verify the user's status through the user's personal variables, it must not use COOKIE. Suppose a COOKIE sets the user permission to USER. When IE accesses the site, it transmits USER to the server in clear text.
Then if I use certain means, such as directly modifying the COOKIE record and changing USER to ADMIN~~
there will be trouble.
But to store information such as username and password or the color scheme of the website, it is best to use COOKIE.
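The difference between trusting a permission value carried in a COOKIE and looking it up under the SESSIONID, as an added example that is not part of the original article. It models the SESSION(SESSIONID)("name") store described above in Python rather than ASP; the cookie names SESSIONID and role, the user alice and all function names are assumptions made for the illustration.

```python
import secrets

# Server-side store: SESSION(SESSIONID)("name") from the text, as a dict of dicts.
SESSIONS = {}

def new_session():
    """Issue an unused, unguessable session ID (the value sent in Set-Cookie)."""
    sid = secrets.token_hex(16)
    while sid in SESSIONS:          # the server never hands out an ID twice
        sid = secrets.token_hex(16)
    SESSIONS[sid] = {}
    return sid

def login(sid, name, role):
    """Record identity and permission on the server, keyed by session ID."""
    SESSIONS[sid]["name"] = name
    SESSIONS[sid]["role"] = role

def parse_cookies(header):
    """Parse a Cookie request header such as 'a=1; b=2' into a dict."""
    pairs = (p.split("=", 1) for p in header.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def role_from_cookie(cookie_header):
    """Weak: trusts a permission value that the browser sent in clear text."""
    return parse_cookies(cookie_header).get("role", "GUEST")

def role_from_session(cookie_header):
    """Hardened: the cookie carries only the ID; the role is looked up server-side."""
    sid = parse_cookies(cookie_header).get("SESSIONID", "")
    return SESSIONS.get(sid, {}).get("role", "GUEST")

def demo():
    sid = new_session()
    login(sid, "alice", "USER")               # constructed sample user
    honest = f"SESSIONID={sid}; role=USER"
    edited = f"SESSIONID={sid}; role=ADMIN"   # the local COOKIE record was modified
    return {
        "cookie_honest": role_from_cookie(honest),
        "cookie_edited": role_from_cookie(edited),
        "session_honest": role_from_session(honest),
        "session_edited": role_from_session(edited),
        "unknown_sid": role_from_session("SESSIONID=not-issued; role=ADMIN"),
    }

if __name__ == "__main__":
    for case, role in demo().items():
        print(f"{case:15} -> {role}")
```

The session-based lookup only protects the permission; the SESSIONID itself still has to be kept from anyone who can capture the traffic, as noted earlier.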
Okay, I am a little tired. Let's talk about this thing:
Request.ServerVariables("HTTP_REFERER")
I think some people have used Request.ServerVariables("HTTP_REFERER")
to implement some key restrictions, especially to deal with remote submission and illegal intrusion.
Then I would like to remind you that the HTTP_REFERER information obtained by the server is supplied entirely by IE, so it can be simulated,
and that is not difficult. It takes less than half an hour to use VB to create an intrusion program for HTTP_REFERER.
(Unfortunately, I originally thought that he didn’t do anything serious, but came to do WEB game hang-up programs)
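Why an HTTP_REFERER test cannot stop remote submission, shown next to a check that does not depend on client-supplied headers; this is an added example, not code from the original article. The per-session form token is a swapped-in mitigation that the article does not mention, and the path post.asp, the field name form_token and the function names are assumptions; the requests are constructed dictionaries, not captured traffic.

```python
import hmac
import secrets

TRUSTED_ORIGIN = "http://www.jh521.com/"   # host from the request shown earlier

def issue_form_token(session):
    """Store a random per-session token and return it for embedding in the form."""
    session["form_token"] = secrets.token_urlsafe(32)
    return session["form_token"]

def referer_check(headers):
    """Weak: accepts any request whose Referer header starts with our site."""
    return headers.get("Referer", "").startswith(TRUSTED_ORIGIN)

def token_check(session, form):
    """Hardened: the submitted token must equal the one kept in the server session."""
    expected = session.get("form_token")
    supplied = form.get("form_token", "")
    if not expected:
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())

def demo():
    session = {}                            # server-side state for one user
    token = issue_form_token(session)
    # Constructed requests, each as (headers, form fields).
    requests = {
        # Browser that loaded the form from the site and submitted it.
        "genuine": ({"Referer": TRUSTED_ORIGIN + "post.asp"}, {"form_token": token}),
        # Non-browser client: the header is whatever the sender writes, but it
        # was never served the form, so it has no valid token.
        "remote": ({"Referer": TRUSTED_ORIGIN + "post.asp"}, {"form_token": "guess"}),
        # Legitimate user whose browser or proxy strips the Referer header.
        "stripped": ({}, {"form_token": token}),
    }
    return {
        name: (referer_check(headers), token_check(session, form))
        for name, (headers, form) in requests.items()
    }

if __name__ == "__main__":
    for name, (by_referer, by_token) in demo().items():
        print(f"{name:9} referer_check={by_referer} token_check={by_token}")
```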
Attached is a nice reply:
--------------------- -------------------------------------------------- -------------------------------
COOKIE is a local file, which is the mark made by the 40 thieves at Alibaba's home,
or it's the box the milkman nails on your doorstep.
SESSION is server-side memory, which is the key given to you by the bathhouse when you take a bath.
For your own exclusive use, you can open many of your own boxes.
APPLICATION is a public bath.
You can see everyone here, including ppmm:).