理解cookie和session机制
- http://stackoverflow.com/questions/6922145/what-is-the-difference-between-server-side-cookie-and-client-side-cookie
- http://stackoverflow.com/questions/22143676/clearing-session-cookies-in-the-browser?rq=1
- http://en.wikipedia.org/wiki/Session_cookie#Session_cookie
- Two types of cookies
Session cookies - these are temporary cookie files, which are erased when you close your browser. When you restart your browser and go back to the site that created the cookie, the website will not recognize you. You will have to log back in (if login is required) or select your preferences/themes again if the site uses these features. A new session cookie will be generated, which will store your browsing information and will be active until you leave the site and close your browser.More on session cookies.
Persistent cookies – these files stay in one of your browser's subfolders until you delete them manually or your browser deletes them based on the duration period contained within the persistent cookie's file (more on persistent cookies).
Are all cookies the same?
There are two different types of cookies:
Session cookies - these are temporary and are erased when you close your browser at the end of your surfing session. The next time you visit that particular site it will not recognise you and will treat you as a completely new visitor as there is nothing in your browser to let the site know that you have visited before (more on session cookies).
Persistent cookies - these remain on your hard drive until you erase them or they expire. How long a cookie remains on your browser depends on how long the visited website has programmed the cookie to last (more on persistent cookies).
- transient cookie (session cookie)
On the Web, a transient cookie, sometimes called a session cookie, is a small file that contains information about a user that disappears when the user's browser is closed. Unlike a persistent cookie, a transient cookie is not stored on your hard drive but is only stored in temporary memory that is erased when the browser is closed.
A transient cookie is created by simply not setting a date in the Set-Cookie option when an application creates the cookie. (For a persistent cookie, an expiration date is set and the cookie is stored on the user's hard drive until the expiration date or until the user deletes it.)
Transient cookies are often used to enable a site to be able to track the pages that a user has visited during a visit so that information can be customized for the user in some way. Some sites use Secure Sockets Layer (SSL) to encrypt the information contained in a cookie.
- What are session cookies used for?
Webpages have no memories. A user going from page to page will be treated by the website as a completely new visitor. Session cookies enable the website you are visiting to keep track of your movement from page to page so you don't get asked for the same information you've already given to the site. Cookies allow you to proceed through many pages of a site quickly and easily without having to authenticate or reprocess each new area you visit.
Session cookies allow users to be recognized within a website so any page changes or item or data selection you do is remembered from page to page. The most common example of this functionality is the shopping cart feature of any e-commerce site. When you visit one page of a catalog and select some items, the session cookie remembers your selection so your shopping cart will have the items you selected when you are ready to check out. Without session cookies, if you click CHECKOUT, the new page does not recognize your past activities on prior pages and your shopping cart will always be empty.
You can adjust your session cookies through the settings feature of your browser.
Without cookies, websites and their servers have no memory. A cookie, like a key, enables swift passage from one place to the next. Without a cookie every time you open a new web page the server where that page is stored will treat you like a completely new visitor.
Websites typically use session cookies to ensure that you are recognised when you move from page to page within one site and that any information you have entered is remembered. For example, if an e-commerce site did not use session cookies then items placed in a shopping basket would disappear by the time you reach the checkout. You can choose to accept session cookies by changing the settings in your browser.
To find out more, please check out the manage cookies section
- What are persistent cookies used for?
Persistent cookies help websites remember your information and settings when you visit them in the future. This result in faster and more convenient access since, for example, you don't have to login again.
Besides authentication, other website features made possible by persistent cookies include: language selection, theme selection, menu preferences, internal site bookmarks or favorites, among many others. On your first visit, the website is presented in default mode. During your visit, you select your preferences and these preferences are remembered, through the use of the persistent cookie, the next time you visit the site.
For example, a website may offer its contents in different languages. On your first visit, you may choose to have the content delivered in French and the site may record that preference in a persistent cookie set on your browser. When you revisit that site it will use the cookie to ensure that the content is delivered in French.
A persistent cookie enables a website to remember you on subsequent visits, speeding up or enhancing your experience of services or functions offered.
For example, a website may offer its contents in different languages. On your first visit, you may choose to have the content delivered in French and the site may record that preference in a persistent cookie set on your browser. When you revisit that site it will use the cookie to ensure that the content is delivered in French.
For a demonstration of how a persistent cookie might be used. You can decide whether to allow your browser to accept these types of cookies by changing the settings. For more information, please go to the manage cookies section.
-
- What information is in a cookie?
A cookie's contents are determined by the specific website that created that cookie. Contents vary from site to site. As a general rule, cookies contain random alphanumeric text characters.
Cookies are intended to help you access a site faster and more efficiently. For example, cookies can store information to help you enter a site without having to login. In effect, cookies tell the website that your browser has been to the site before. It does not need to know your exact identity. To find out more about this function, please check out the manage cookies section
When created, cookies normally don't contain any personal information. They don't scan your computer or do any kind of investigation to find out your personal information. Any personal information they might contain is a result of your own input on a website's form. Most of the time, when a cookie does store personal information, this information is coded in such a way that it is unreadable to any third party who happens to access your cookie folder. The only computer that can read and decode the information is the server that created the cookie in the first place.
In addition to encrypting any information stored in cookies, some websites add extra layers of security to browsers' cookie handling processes: store only anonymous but unique content on local cookies; or store personal information on the website's server and make it accessible only by matching with it the anonymous cookie stored on your computer.
See how personal data can be linked to a cookie to produce a customized website experience.
This depends on how a website has set up its cookie feature, but generally the content of a cookie is a randomly generated set of characters. For most purposes a website sending a cookie does not need to know who you are - it just needs to remember that it has seen your browser before (for more information, please go to the manage cookies section.).
Some websites do write personal information about you into a cookie, but this is only possible if you have provided them with the information in the first place. If personal information is stored in a cookie it is usually encrypted - coded - so that any third party who has access to the cookie folder of your browser cannot read it.
Some website servers use a combination of methods: on your browser they may create a cookie with unique but anonymous content; or on the server side they may create a file that logs that unique but anonymous content alongside any personal information that you have provided.
View a demonstration of how personal data linked to a cookie can provide you with personalised content on a web page.
而session机制采用的是一种在客户端与服务器之间保持状态的解决方案。
session是针对每一个用户的,变量的值保存在服务器上,用一个sessionID来区分是哪个用户session变量,这个值是通过用户的浏览器在访问的时候返回给服务器,当客户禁用cookie时,这个值也可能设置为由get来返回给服务器。
就安全性来说:当你访问一个使用session 的站点,同时在自己机子上建立一个cookie,建议在服务器端的SESSION机制更安全些.因为它不会任意读取客户存储的信息。
正统的cookie分发是通过扩展HTTP协议来实现的,服务器通过在HTTP的响应头中加上一行特殊的指示以提示浏览器按照指示生成相应的cookie
从网络服务器观点看所有HTTP请求都独立于先前请求。就是说每一个HTTP响应完全依赖于相应请求中包含的信息
状态管理机制克服了HTTP的一些限制并允许网络客户端及服务器端维护请求间的关系。在这种关系维持的期间叫做会话(session)。
Cookies是服务器在本地机器上存储的小段文本并随每一个请求发送至同一个服务器。
session机制是一种服务器端的机制,服务器使用一种类似于散列表的结构(也可能就是使用散列表)来保存信息。
当程序需要为某个客户端的请求创建一个session的时候,服务器首先检查这个客户端的请求里是否已包含了一个session标识 - 称为 session id,如果已包含一个session id则说明以前已经为此客户端创建过session,服务器就按照session id把这个 session检索出来使用(如果检索不到,可能会新建一个),如果客户端请求不包含session id,则为此客户端创建一个session并且生成一个与此session相关联的session id,session id的值应该是一个既不会重复,又不容易被找到规律以仿造的字符串,这个 session id将被在本次响应中返回给客户端保存。
保存这个session id的方式可以采用cookie,这样在交互过程中浏览器可以自动的按照规则把这个标识发挥给服务器。
由于cookie可以被人为的禁止,必须有其他机制以便在cookie被禁止时仍然能够把session id传递回服务器。经常被使用的一种技术叫做URL重写,就是把session id直接附加在URL路径的后面,附加方式也有两种。
为了在整个交互过程中始终保持状态,就必须在每个客户端可能请求的路径后面都包含这个session id。
另一种技术叫做表单隐藏字段。就是服务器会自动修改表单,添加一个隐藏字段,以便在表单提交时能够把session id传递回服务器。比如下面的表单
<form name="testform" action="/xxx">
<input type="text">
</form>
在被传递给客户端之前将被改写成
<form name="testform" action="/xxx">
<input type="hidden" name="jsessionid" value="ByOK3vjFD75aPnrF7C2HmdnV6QZcEbzWoWiBYEnLerjQ99zWpBng!-145788764">
<input type="text">
</form>
这种技术现在已较少应用,很古老的iPlanet6(SunONE应用服务器的前身)就使用了这种技术。
实际上这种技术可以简单的用对action应用URL重写来代替。
在谈论session机制的时候,常常听到这样一种误解“只要关闭浏览器,session就消失了”。其实可以想象一下会员卡的例子,除非顾客主动对店家提出销卡,否则店家绝对不会轻易删除顾客的资料。对session来说也是一样的,除非程序通知服务器删除一个session,否则服务器会一直保留,程序一般都是在用户做log off的时候发个指令去删除session。然而浏览器从来不会主动在关闭之前通知服务器它将要关闭,因此服务器根本不会有机会知道浏览器已经关闭,之所以会有这种错觉,是大部分session机制都使用会话cookie来保存session id,而关闭浏览器后这个 session id就消失了,再次连接服务器时也就无法找到原来的session。如果服务器设置的cookie被保存到硬盘上,或者使用某种手段改写浏览器发出的HTTP请求头,把原来的session id发送给服务器,则再次打开浏览器仍然能够找到原来的session。
恰恰是由于关闭浏览器不会导致session被删除,迫使服务器为seesion设置了一个失效时间,当距离客户端上一次使用session的时间超过这个失效时间时,服务器就可以认为客户端已经停止了活动,才会把session删除以节省存储空间。
在一些投票之类的场合,我们往往因为公平的原则要求每人只能投一票,在一些WEB开发中也有类似的情况,这时候我们通常会使用COOKIE来实现,例如如下的代码:
< % cookie[]cookies = request.getCookies();
if (cookies.lenght == 0 || cookies == null)
doStuffForNewbie();
//没有访问过
}
else
{
doStuffForReturnVisitor(); //已经访问过了
}
% >
这是很浅显易懂的道理,检测COOKIE的存在,如果存在说明已经运行过写入COOKIE的代码了,然而运行以上的代码后,无论何时结果都是执行doStuffForReturnVisitor(),通过控制面板-Internet选项-设置-察看文件却始终看不到生成的cookie文件,奇怪,代码明明没有问题,不过既然有cookie,那就显示出来看看。
cookie[]cookies = request.getCookies();
if (cookies.lenght == 0 || cookies == null)
out.println("Has not visited this website");
}
else
{
for (int i = 0; i < cookie.length; i++)
{
out.println("cookie name:" + cookies[i].getName() + "cookie value:" +
cookie[i].getValue());
}
}
运行结果:
cookie name:JSESSIONID cookie value:KWJHUG6JJM65HS2K6 为什么会有cookie呢,大家都知道,http是无状态的协议,客户每次读取web页面时,服务器都打开新的会话,而且服务器也不会自动维护客户的上下文信息,那么要怎么才能实现网上商店中的购物车呢,session就是一种保存上下文信息的机制,它是针对每一个用户的,变量的值保存在服务器端,通过SessionID来区分不同的客户,session是以cookie或URL重写为基础的,默认使用cookie来实现,系统会创造一个名为JSESSIONID的输出cookie,我们叫做session cookie,以区别persistent cookies,也就是我们通常所说的cookie,注意session cookie是存储于浏览器内存中的,并不是写到硬盘上的,这也就是我们刚才看到的JSESSIONID,我们通常情是看不到JSESSIONID的,但是当我们把浏览器的cookie禁止后,web服务器会采用URL重写的方式传递Sessionid,我们就可以在地址栏看到sessionid=KWJHUG6JJM65HS2K6之类的字符串。
明白了原理,我们就可以很容易的分辨出persistent cookies和session cookie的区别了,网上那些关于两者安全性的讨论也就一目了然了,session cookie针对某一次会话而言,会话结束session cookie也就随着消失了,而persistent cookie只是存在于客户端硬盘上的一段文本(通常是加密的),而且可能会遭到cookie欺骗以及针对cookie的跨站脚本攻击,自然不如session cookie安全了。
通常session cookie是不能跨窗口使用的,当你新开了一个浏览器窗口进入相同页面时,系统会赋予你一个新的sessionid,这样我们信息共享的目的就达不到了,此时我们可以先把sessionid保存在persistent cookie中,然后在新窗口中读出来,就可以得到上一个窗口SessionID了,这样通过session cookie和persistent cookie的结合我们就实现了跨窗口的session tracking(会话跟踪)。
在一些web开发的书中,往往只是简单的把Session和cookie作为两种并列的http传送信息的方式,session cookies位于服务器端,persistent cookie位于客户端,可是session又是以cookie为基础的,明白的两者之间的联系和区别,我们就不难选择合适的技术来开发web service了。
