Whether it is a web application or a native app, as long as it involves a network connection it almost always involves login and registration. After we sign in, that state is kept: the next time we open the app it is already logged in, and we do not need to log in again. It is very user-friendly, and it feels as if the server "remembers" each of us: you have been here before, so you no longer need to log in. In fact the computer is very stupid in this respect; it does not "remember" us on its own. This article talks about how the login state is maintained.
To understand what follows, we first need to understand the HTTP protocol; the tedious details will not be described here. The main point is this: the HTTP protocol is stateless. What is statelessness? Let's start with a story:
You go to a fruit shop to buy fruit. Their peaches look delicious, so you praise the owner's peaches and buy a jin. You go home and taste them, and they are so good that you decide to buy more the next day. The next day you happily come back to the owner and say, "Your fruit is really delicious, give me another jin of the fruit I bought yesterday," but you find that the owner has no idea what you bought yesterday. You get angry and say, "I praised your fruit for ages yesterday, how can you not remember?" After arguing for a while, you find that the owner still does not remember anything you did yesterday. In the end you have to tell him plainly that you want a jin of peaches, and you leave disheartened after the transaction.
The owner in this story is stateless. He only knows what someone wants to buy, how much money they handed over and how much change he has to give back. Other information in the process, such as who is buying, he does not remember; he only deals with the transaction itself.
Why is HTTP stateless?
- First of all, what is statelessness?
Stateless means that requests do not directly affect each other: for each request, the same request parameters give the same result.
- Back to the HTTP protocol:
The original requirement was to request HTML pages for displaying static web sites, which were nowhere near as complex and rich as today's. User A clicking on a web address to browse a page and user B clicking the same address get exactly the same page; that is, the server does not treat different people specially. The server is only responsible for the request, not for the person who initiated it. Therefore, in the design of HTTP each request is independent and carries all the data it needs. The server only processes the request and the information carried in it and returns a specific result. Just like the fruit shop above: the owner only deals with which fruit you want to buy, how much you want and how much money you hand over. If you tell him how you chatted with him yesterday, he is indifferent, because he cannot remember any of it; he does not remember that you were ever there.
How does HTTP save the login status?
As mentioned earlier, HTTP is stateless, and each request does not directly affect each other.
When I call the user name and password verification interface for the first time, I need to enter the account and password; the server takes the password for that account from the database, compares it with the password I entered, and then returns "correct password" or "wrong password". The problem is that when I access this interface for the second time, the server still performs exactly the same function: it receives the account and password I sent, fetches the data from the database, compares, and returns the result. For the server, each request is just a judgement like "is 1 + 1 equal to 2?", followed by returning the result.
I want the server to remember that I have already called the login interface once and succeeded, and to keep that state. What should I do?
It is natural to think that the reason the server did not know we were logged in is that we did not write it down; to keep the login state, we just need to let the server write it down. We can set aside a special storage area on the server, and every time an account and password are verified successfully we save "jabingp login success" in it (jabingp being the user name), so that our server remembers that jabingp has logged in.
Now the server knows that jabingp has logged in, but is that enough? Not yet, because an HTTP request does not automatically announce "this request was initiated by jabingp", so we need to do some work to let the server know that; only then can the server find the sign "jabingp login succeeded" in the stored login state. How? When we make the request, we can add our user name to the request parameters, for example the URL parameter of a GET request or the request body of a POST request, so that the server can judge whether we have logged in according to our user name.
In this way we have saved the login state in a preliminary way. In fact such verification is very rough, and the technologies below were developed from this same idea.
What is cookie?
There are many brands of cookies, such as blue can and Guangzhou Restaurant... What? Oh, sorry, wrong cookie. This is the cookie we mean: a cookie is a small piece of data stored on the client. It can be stored on the hard disk (persistent cookie) or in memory (temporary cookie).
What is session?
A session refers to a unique storage space that the server opens up for one session (a session being the process of communication between an end user and an interactive system: for example, I log in first and then view the contents of my mailbox, and that is one session). Each session corresponds to a storage space with a unique session ID.
How are cookies and sessions used?
First of all, conceptually, cookies and sessions are both used to store things. The question is what they store and what that achieves.
Combined with the previous analysis:
- The emergence of cookies replaces the step of setting the identification manually, because we can put the identification in a cookie. Once the cookie is set it persists, and on the next request the cookie is sent to the server automatically, so we do not need to add an identification (such as the user name in the previous analysis) to each request by hand.
- The session replaces the step of storing state on the server. A session ID corresponds to a storage space that is unique to each session (for example, after I log in a session is generated together with a storage space that is used only by my current activities in the logged-in state, not by anyone else). This ensures that each login state has its own small storage space for writing intermediate data.
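As an added example (not code from the original post), here is a Python sketch of both schemes side by side: the rough scheme in which the server writes down "jabingp login success" and trusts the user name sent as a request parameter, and the cookie/session scheme in which a random session ID set in a cookie points to a per-session storage space on the server. The user store, the passwords and the `sid` cookie name are constructed for illustration.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed user store for illustration only; a real system stores
# password hashes, not plain-text passwords.
USERS = {"jabingp": "correct horse"}

# --- Scheme 1: the rough approach. The server "writes down" the user name
#     after a successful login; the client sends its user name every time. ---
logged_in_users = set()

def rough_login(username, password):
    """Verify the account and password; on success, record the user name."""
    if USERS.get(username) == password:
        logged_in_users.add(username)   # "jabingp login success"
        return True
    return False

def rough_is_logged_in(params):
    """The server simply trusts the 'user' parameter that the client sends.
    Because the identification is only a user name, the check cannot tell the
    real jabingp from any other client that sends user=jabingp."""
    return params.get("user") in logged_in_users

# --- Scheme 2: a session ID, set in a cookie, points to the per-session
#     storage space on the server. ---
sessions = {}   # session ID -> storage space for that session

def session_login(username, password):
    """On success, create a session and return the Set-Cookie header value."""
    if USERS.get(username) != password:
        return None
    sid = secrets.token_urlsafe(32)     # random, so it cannot be guessed
    sessions[sid] = {"user": username}  # the space only this session uses
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["httponly"] = True    # keep page scripts away from the ID
    return cookie["sid"].OutputString()

def session_user(cookie_header):
    """Resolve the Cookie header of a later request to the logged-in user."""
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    morsel = cookie.get("sid")
    if morsel is None:
        return None
    space = sessions.get(morsel.value)  # unknown or forged ID -> no session
    return space["user"] if space else None
```

The browser stores the `Set-Cookie` value and echoes `sid=...` back in the `Cookie` header of every later request, which is the automatic step the bullet above describes.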
Cookie session relationship?
This is about the end of this brief introduction to cookies, sessions and the maintenance of login state. The above is all my personal understanding, written as a personal learning record. If there are errors, please comment and correct them!