The Background of Cookie & Session
If you want to know what a cookie is, the first thing you need to know is HTTP. HTTP is a stateless protocol, which means that each request sent by the client to the server is completely independent. The server cannot confirm the identity information of the current client, nor can it tell whether the sender of the previous request and the sender of this request is the same client.
In order to track the interaction between the client and the server, the technology to maintain the HTTP connection state came into being Cookie and Session. If you want to know if it is necessary to delete cookies, please refers to Is it Necessary to Delete Cookies.
What is Cookie?
Cookie is a small piece of data that a server sends to the user’s web browser. The browser may store it and send it back with later requests to the same server. Typically, it’s used to tell if two requests came from the same browser. The server can also modify the content of the cookie as needed.
Important, Cookies are not cross-domain. Cookies on the client side are managed by the browser, ensuring that Google will only operate Google cookies and not Facebook cookies, thereby ensuring user privacy. The browser determines whether a website can operate a cookie based on the domain name.
What is Session?
Session is another mechanism to record the session state between the server and the client to distinguish cookies. The difference is that the Cookie is stored in the client browser, while the Session is stored on the server.
The session is stored on the server, and the SessionID will be stored in the cookie on the client.
How do Cookie & Session Work
When the client sends request to the server for the first time, the server creates the corresponding session data package according to the relevant information submitted by the user. The server responds to the client’s request and returns the unique identification information SessionID to the browser. The browser stores the returned SessionID in the cookie, and the cookie records which domain name the SessionID belongs to.
When the client visits the server for the second time, the request automatically determines whether there is cookie information under this domain name. If it does, the cookie information will be sent to the server. The server will obtain the SessionID from the cookie, and then look up the corresponding session information according to the SessionID. If the session is found to prove that the user has logged in, you can perform the following operations; if it is not found, it means that the user has not logged in or failed.
The Differences between Cookie & Session
Session is safer than cookie. Session is stored on the server side and cookie is stored on the client side. The status data stored in the browser is dangerous, and it is not ruled out that the status information in the browser can be artificially changed to deceive the server. Once this happens, your privacy may be leaked and cause unnecessary losses.
The types of stored values
Cookie only supports storing string data, if it is set to other types of data, it needs to be converted into string. Session can store any data type.
Cookie can be set to keep for a long time, the expiration time of the session is relatively short, and the client will be invalid if it is closed.
The data held by a single cookie cannot exceed 4KB, which is obviously not enough for complex state data. Session storage data is higher than cookie. When there are too many visits, more server resources will be occupied.