Three good friends Cookie, Session and Token

Original post: when reprinting, please cite the article link and the author information.


Hello, I'm suoqi~

I carefully wrote a lively article on Cookie, Session and Token to share with everyone.

We can think of Cookie, Token and Session as three good friends. All three are used to track a user's identity and state, but they differ in how they work and in the scenarios they suit.

Cookie

  • Cookie (dictionary entry): small cake, biscuit; ... a kind of person; (computing) a file stored on the computer after browsing the web; <Scotland> light bread; pretty girl

    Ah, I'm not asking you to translate the word~ I'm asking you to introduce the cookie in computing~ (but I did learn a new word)

A cookie is like your little secretary: its main job is to remember user preferences and browsing state. For example, if you find a piece of clothing online but haven't decided whether to buy it, you can put it in the shopping cart, and the cookie helps the site remember what is in the cart. When you come back to the website, the cookie lets it show the items in your cart so you can continue shopping.

Cookie data is stored in the client's browser and does not occupy server resources.

In the browser console you can type document.cookie directly to view the cookies. A cookie is a string made up of key-value pairs. For security reasons, cookies marked HttpOnly are not included in that string, so don't spend a long time looking for an HttpOnly cookie there and wondering why you can't find it.

One more new term; shall we explore it?

What is httponly?

HttpOnly is a flag set on a cookie in the HTTP response header (Set-Cookie) that prevents client-side scripts (such as JavaScript) from accessing that cookie. When the server sends a cookie with the HttpOnly flag to the client, the client's JavaScript code cannot read the cookie through document.cookie, which effectively improves the security of the web application.

If the HttpOnly attribute is set on a cookie, its value cannot be read by JS scripts, but the cookie can still be edited manually in the browser's developer tools (the Application panel), so it only mitigates XSS to a certain extent; it is not absolutely safe.
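As an added example (not code from the original post), the following Node.js snippet builds and parses Set-Cookie header values and shows which of the resulting cookies would be visible to page scripts through document.cookie. The cookie names, values and attribute choices are constructed for illustration; the parser handles only the attributes the post discusses (HttpOnly, Secure, SameSite, Path, Max-Age).

```javascript
// Added example, not from the original post: Set-Cookie building/parsing and
// the subset of cookies that document.cookie would expose to page scripts.
// All names, values and headers below are constructed for illustration.

// Serialize one cookie into a Set-Cookie header value.
function buildSetCookie(name, value, opts = {}) {
  const parts = [`${encodeURIComponent(name)}=${encodeURIComponent(value)}`];
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.secure) parts.push("Secure");
  if (opts.httpOnly) parts.push("HttpOnly");
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  return parts.join("; ");
}

// Parse a Set-Cookie header value back into name, value and attribute flags.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: decodeURIComponent(pair.slice(0, eq)),
    value: decodeURIComponent(pair.slice(eq + 1)),
    path: "/",
    httpOnly: false,
    secure: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const [k, v] = attr.split("=");
    const key = k.toLowerCase();
    if (key === "httponly") cookie.httpOnly = true;
    else if (key === "secure") cookie.secure = true;
    else if (key === "samesite") cookie.sameSite = v;
    else if (key === "path") cookie.path = v;
  }
  return cookie;
}

// Given the Set-Cookie headers a server sent, return the string that
// document.cookie would show to page scripts: HttpOnly cookies are omitted.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Constructed sample: a session cookie marked HttpOnly (kept away from scripts)
// and a preference cookie deliberately left readable by scripts.
const SAMPLE_HEADERS = [
  buildSetCookie("JSESSIONID", "abc123", { httpOnly: true, secure: true, sameSite: "Lax", path: "/" }),
  buildSetCookie("theme", "dark", { maxAge: 86400 }),
];

console.log("Set-Cookie headers:", SAMPLE_HEADERS);
console.log("document.cookie would show:", scriptVisibleCookies(SAMPLE_HEADERS));
```

The point to take from the output is that the session cookie never appears in the script-visible string, which is exactly what HttpOnly buys you; the theme cookie, which carries nothing sensitive, does.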

  • Cookies are mainly used to track user preferences and behaviour in order to provide a personalized experience, for example saving the user's login status, shopping cart contents and so on for a website.

    Ah, so information such as the videos you watch, your browsing on tb, personalized advertisements and so on is actually recorded and pushed to you by pages in this way

Another topic everyone discusses (with differing opinions) is: will our everyday browsing history and similar information be recorded?

  • The answer is: it depends (there is no guarantee that it will not be recorded, and no guarantee that it will be)

    The cookie itself is stored on the client side, not the server side, so the server does not need to save cookie records to a database.

    But whether and how information such as personal interests and browsing history is recorded in a database depends on the specific software, website, privacy policy and data-collection method.

Session

A Session is like your personal file: its main job is to hold the user's state and permissions. For example, after you log in to a website, the server creates a Session for you that stores your login status, shopping cart contents and so on. While you browse the website, the server uses the Session to provide a personalized experience, such as showing what is in your shopping cart or the products you recently viewed.

It can also be understood as a special map: in addition to storing and reading data like any other map, it has an expiration time and a unique id that distinguishes it from other sessions.

When the session is created, a cookie is created at the same time: its key is JSESSIONID and its value is the id of the session.

Run into something you don't understand again? What is the key of the cookie?

JSESSIONID is a cookie name used to carry session information between the client and the server. When a user visits a website that requires login in a browser, the server creates a session in the background, generates a unique Session ID, and stores it in the server-side session. At the same time, the server sends the Session ID to the client in the form of a cookie; the commonly used cookie name is JSESSIONID.

  • The session's data is stored on the server and can only be accessed by the server, so it is relatively safe, but it occupies server resources.

  • Session is mainly used to track user state and permissions in order to provide a personalized experience: for example, what you search for, the user's login status on the website, shopping cart contents and so on.

  • There is no upper limit on what a Session can hold, but for server-side performance reasons, do not store too much in a Session.

Token

A Token is like your ID card: its main job is authentication and authorization. For example, when you use an app, you need to log in before using some functions. At that point the app issues you a Token. You carry this Token in every request, and the server verifies it to determine your identity and permissions, ensuring you can only access content you are authorized to access.

For example, once a user has logged in to the system, I issue them a token that contains their user id. The next time the user makes an HTTP request to me, they just carry this token in an HTTP header.

But at this point it feels no different from a session: what if someone forges a token? So an algorithm is used to sign the data: signature + data = token. Without the signing key the signature cannot be produced, so the token cannot be forged.

This token is not saved on the server. When the user sends me the token, I use the same algorithm and the same key to recompute the signature over the data and compare it with the signature in the token. If they match, I know the user has already logged in and can read the user id directly from the data; if they differ, the data must have been tampered with, so I know this person is a counterfeit and return an "unauthenticated" response.

Token is a stateless authentication mechanism, meaning the server does not need to keep any state for the Token (doesn't this greatly reduce the pressure on the server~). In a front-end/back-end separated architecture the front-end cannot directly access the back-end Session. Session can still be used in such an architecture to store other application state, such as shopping cart data, but it is not used to save the user's login state.

  • A Token can be kept on the server as well as on the client

  • Token is a stateless authentication mechanism that can be shared among multiple servers, while a Session has to be kept on each server. Using Tokens avoids problems such as session sharing and session expiry, and also reduces the burden on the server.

  • The data in a Token is stored in plain text and can be seen by others, so I cannot store sensitive information like passwords in it

  • Token-based authentication is stateless: we do not store user information on the server or in a session.

  • In most Internet companies that use Web APIs, Tokens are the best way to handle authentication for many users

  • Isn't being attacked annoying! Tokens are commonly used in scenarios such as API authentication, which can effectively avoid attacks such as cross-site request forgery (CSRF)~

The Token authentication process in detail

  • The user performs a login operation on the client side and sends the user name and password to the server.

  • The server verifies the user name and password, generates a Token, and returns the Token to the client.

  • The client saves the Token locally, for example in a browser Cookie or in localStorage.

  • In subsequent requests, the client sends the Token to the server for authentication.

  • After receiving the request, the server extracts the Token from it, then decrypts and verifies the Token.

  • If the Token passes verification, the server handles the request and returns the requested data; otherwise it returns an error saying that authentication failed.

During verification, the server typically decrypts the Token, checks the signature, checks whether the Token has expired, and so on, to ensure the Token is valid and safe to trust.

Vivid and easy to understand~ That covers the key points!

Some quick facts to memorize

Read all of it and still don't understand? Well, nothing for it; just remember the differences briefly so you're not left speechless in an interview

  • Session and Token are mechanisms for keeping data on the server side, while cookies keep data on the client side

    Usually the data held by a single cookie is within 4KB (Interviewer: I know this one, I'll give you an offer! Ecstatic me: Great!)

  • Session and Token are usually used for authentication and state management, while cookies are usually used to track user preferences and behaviour

  • Session and Token are usually used to store and transmit sensitive data, while cookies are usually used to store and transmit non-sensitive data.

  • Session and Token need to be managed and maintained by the server, while cookies can be managed and maintained by the client.

  • A Token can be used across domains, while a Session can usually only be used under the same domain name; a Token can be used in a distributed system, while a Session can usually only be used on a single server.

(Can be skipped) I wanted to expand a bit after writing, hahaha. Partners who like to explore will surely want to know how many cookies a single site can store.

Doubts here?

The international Internet standard says that the number of cookies each website can store shall not exceed 300, and the actual limit depends on the browser.

I found that some bloggers say a single site can store at most 20 cookies, which is unreasonable, and the post has nearly 100 likes.

A lot of information on the Internet is copied from one place to another; sometimes we can't believe it easily, and we have to learn to explore and verify for ourselves! Otherwise it is misleading.

This is only to explain the number of cookies and to help more partners learn to explore knowledge; there is no malice towards the original blogger.


Source: blog.csdn.net/m0_64880608/article/details/131489545