01

What are they?

Session:

The Chinese translation of session is "session". When a user opens a web application, a session is initiated with the web server. The server temporarily saves the user's information on the server using the session. The session will be destroyed after the user leaves the site. This method of storing user information is more secure than cookies, but the session has a flaw: if the web server is load balanced, the session will be lost when the next operation request goes to another server.

Cookie:

Cookie is data stored in the local terminal. The cookie is generated by the server and sent to the browser. The browser saves the cookie in kv form into a recorded file. The cookie will be sent to the server the next time it requests the same site. Since cookies are stored on the client, the browser has added some restrictions to ensure that cookies will not be used maliciously and will not occupy too much disk space, so the number of cookies for each domain is limited.

The components of a cookie are: name (key), value (value), valid domain (domain), path (domain path, generally set to global: ""), expiration time, security flag (specified Finally, the cookie is only sent to the server when making an SSL connection (https).

token:

Token means "token", which is the verification method of household identity. The simplest token consists of: uid (identity identification of household Wei), time (current timestamp of the time), sign (signature, which is compressed into a fixed-length hexadecimal string by a hash algorithm from the first digit of the token + salt, which can prevent malicious third-party splicing of token requests to the server). You can also put unchanged parameters into the token to avoid multiple database checks.

02

What is the relationship between them?

Both cookie and session can be a way to store tokens.

Cookies are data stored locally, which will be submitted to the server for verification when making a request.

Session is memory data stored on the server. As long as the session is not interrupted, the data will continue to be valid.

Generally speaking, toke belongs to token, cookie, and session, which are a way of storing and using data. Tokens can be stored in cookies and sessions, but in fact, the same thing can be achieved through url parameters or form parameters. Effect. However, the cost of development and maintenance is high. Once the backend requires modifying parameters, this method of use is a headache for modification.

03

What are their essential differences?

The way session is used is to store the id in the client cookie, and the server session stores user data. When the client accesses the server, it finds the user data based on the id.

The way token is used is to store ID (that is, token), user information, and ciphertext in the client. Nothing is stored in the server. The server only has an encryption code to determine the current encryption. Whether the ciphertext is consistent with the ciphertext passed by the client. If it is inconsistent, it means that the client's user data has been tampered with. If it is consistent, it means that the client's user data is normal and correct.

Process:

Session, register and log in -> The server stores the user in the session -> Stores the sessioni in the browser's cookie -> Find it based on the sessionid in the cookie when you visit again user in session.

Token, register and log in -> The server generates a token based on the user information and key -> Returns the token+user to the browser -> Passes the token+user+ciphertext data when accessing again, and the background will process it again Use the user and key to generate a token, and compare it with the passed token. If it is consistent, it is correct.

The concepts of session, cookie, and token often appear in interviews, because through this concept, you can basically understand whether you have any understanding and practice of network requests or permission management. application.