Why do cookies, sessions and tokens appear?
Category: Program
_Octocat asked 1 month ago

What is the essential difference between a cookie and a session? And why did tokens appear?

4 Answers
twqabc answered 1 month ago

A session is a request and response around one related matter, during which a certain amount of data has to be transmitted, so the state of that exchange has to be tracked. However, HTTP is a stateless protocol and cannot carry data between different requests. Hence the birth of cookies.

Cookies are used to record state between the browser and the server. After a request is submitted, the server produces a cookie and puts it into the response header sent to the client. The client receives the cookie and saves it locally; when the client sends a related request again, it carries the saved cookie, and the server can then track it.

But cookies are not perfect. Cookies are too large, they can be modified on both the front end and the back end, and the data is easy to tamper with and forge. To solve the problem of sensitive data in cookies, the session came into being: session data is kept only on the server side.

With sessions the server is stateful. When services are deployed in a distributed manner the state has to be shared between servers, because you cannot make users log in to each server again. Tokens solve this problem. A token (令牌 in Chinese) saves the state on the client and uses an encryption algorithm to ensure security. https://www.zhihu.com/questio…

_Octocat replied 1 month ago

Thank you. It’s your point~

CPALyth replied 1 month ago

In addition, the problem of sharing session state across a distributed deployment can be solved by saving the data to Redis and using Redis master-slave replication. However, this requires Redis to persist the data, which is generally expensive, so it is simpler to use a token. A token is actually very similar to a cookie, but its third part is a hash value of the first two parts. As soon as you change anything, the server will notice when it checks the token, which prevents data tampering, something a cookie cannot do.

liunux answered 1 month ago

There is a fire vein in Huangfeng Valley. Any immortal can refine pills there without restriction; the only limits are the capacity of the fire vein and the number of immortals refining at the same time. This is the original HTTP.

Later, a group of immortals took Huangfeng Valley for themselves and founded a sect. It was decreed that only registered disciples of the sect could use it, and inner and outer disciples were assigned alchemy rooms of different grades. This is user authentication. Wandering cultivators could only eat the leftovers of the outer disciples. This is the anonymous user.

The alchemy room steward found it too troublesome to go to the Sutra Pavilion and check the roster every time a disciple arrived or stepped in for a moment. So after the first check, he gave the disciple a waist tag bearing the disciple’s name and appearance; the next time, the disciple could come and go without the roster being checked. Usually a validity period is added to the tag, to stop someone from swapping waist tags. This is a cookie.

Later, some wandering cultivators learned to forge waist tags and often sneaked in. The steward had to improve his authentication method. After checking the roster he no longer issued waist tags; instead he handed the disciple a rune paper with a special pattern, recorded the disciple’s name and looks on another rune paper with the same pattern, and kept that one himself. From then on, when disciples came and went, he only had to match the two rune papers. This is a session.

Later, a disciple surnamed Han improved the Jidan formula and the output of Jidan rose sharply. The alchemy room began selling finished pills, which attracted many disciples to buy them. The other five sects on friendly terms with Huangfeng Valley grew greedy and jointly forced Huangfeng Valley to sell thirty percent of its annual output to their disciples.

The steward’s workload shot up. He would have had to make a pair of rune papers for every pill buyer, even though many only came once and left soon, and there were also disciples from other sects whose information was troublesome to verify. After much thought the steward invented a new method that combined the waist tag and the rune paper: first he sealed the disciple’s information from the six sects inside, then painted it over with a rune drawn with his own original breath as an outer seal. He called this thing a token. Once a token has been issued through proper channels, nothing more needs looking after: in future, when someone comes to buy pills with a token, a rune is drawn from the immortal’s information inside, and if it does not match the seal on the outer layer, the token is forged.

Of course, later a cultivator surnamed Han seized and cracked many such tokens by virtue of his powerful divine sense. But that is a story for another time.

liunux replied 1 month ago

Disciples from other sects being sent to buy pills is cross-domain.

leyioliu replied 1 month ago

Xiu’er, is that you?

Sacred wind replied 1 month ago

How should cross-domain be understood?

liunux replied 1 month ago

Salute from below:)

Hua Xian replied 1 month ago

Kill and set fire to Li Feiyu, and thousands of people admire Han Tianzun

_Octocat replied 1 month ago

tql!

Zhu Xiaoyu answered 1 month ago

Cookie: stored on the client, that is, in the browser, and has a size limit.
Session: stored on the server side and has no size limit.
However, both of the above are subject to cross-domain restrictions.
Tokens emerged to solve the cross-domain problem: the authentication information is encrypted and placed in a header.

unreality answered 1 month ago

I don’t quite agree with the answer above.

  1. Cookies are also carried in a header. Although there may be cross-domain problems, cross-domain access can be allowed by adding the negotiation headers.
  2. A session lives on the server side and is associated through the session id in the cookie. Where does the cross-domain concept even come in?
  3. If the token is placed in a header there are still cross-domain problems. Don’t you still need an allow header to solve them?

Tokens are generally used in two ways:

  1. Like the cookie mechanism, but the server does not use the session mechanism and implements the token -> data storage itself. The advantage is that it is lighter than cookie/session (but the price of that lightness is fewer features and non-standard interfaces).
  2. JWT, which is pure front-end storage: the token contains the complete authentication information, it is stateless for the server, and puts no pressure on the server.

To sum up: stateless tokens are meaningful, but the server has no control over them; stateful tokens have only the one advantage of being lightweight.
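The three-part token CPALyth describes in the reply to the first answer (third part computed over the first two) and the stateful versus stateless split in this answer, run side by side, as an added example that is not code from the original thread or from any poster. It assumes the third part is an HMAC-SHA256 over the first two (the HS256 form JWT uses; a plain unkeyed hash could be recomputed by anyone and so would not stop tampering), a constructed key `SECRET`, a fixed constructed timestamp in `demo` so the run is reproducible, and the names `mint_stateless`, `verify_stateless`, `SessionStore` and `tamper_payload`, which are this example’s own.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed for this example: a real deployment loads the key from a secret store.
SECRET = b"example-hmac-key-not-for-production"


def _b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_stateless(claims, key, now=None, ttl=3600):
    """Three-part token header.payload.signature; the third part is an HMAC-SHA256
    over the first two, so the server needs no storage to check it later."""
    now = int(time.time()) if now is None else now
    header = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64u(json.dumps(dict(claims, iat=now, exp=now + ttl), separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64u(sig)}"


def verify_stateless(token, key, now=None):
    """Returns the claims, or None if the token is malformed, re-signed, tampered or expired."""
    try:
        header, payload, sig = token.split(".")
        hdr = json.loads(_b64u_decode(header))
        # Pin the algorithm: the header is attacker-controlled, so never let it choose how to verify.
        if not isinstance(hdr, dict) or hdr.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64u_decode(sig)):  # constant-time compare
            return None
        claims = json.loads(_b64u_decode(payload))
    except ValueError:  # bad split, bad base64 (binascii.Error) and bad JSON all subclass ValueError
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


class SessionStore:
    """Stateful alternative: the client holds only an opaque random id, the data stays server-side."""

    def __init__(self):
        self._sessions = {}

    def create(self, claims, now=None, ttl=3600):
        sid = secrets.token_urlsafe(32)  # 256 random bits: unguessable and carries no data
        now = int(time.time()) if now is None else now
        self._sessions[sid] = dict(claims, exp=now + ttl)
        return sid

    def lookup(self, sid, now=None):
        now = int(time.time()) if now is None else now
        rec = self._sessions.get(sid)
        return None if rec is None or rec["exp"] <= now else rec

    def revoke(self, sid):
        self._sessions.pop(sid, None)  # logout is just deleting the record


def tamper_payload(token, **changes):
    """What a client can do with a signed token: edit the middle part and keep the old signature."""
    header, payload, sig = token.split(".")
    claims = json.loads(_b64u_decode(payload))
    claims.update(changes)
    return f"{header}.{_b64u(json.dumps(claims, separators=(',', ':')).encode())}.{sig}"


def demo(now=1_700_000_000):
    """Runs both designs for the same user (constructed timestamp) and returns every outcome."""
    token = mint_stateless({"sub": "alice", "role": "user"}, SECRET, now=now)
    store = SessionStore()
    sid = store.create({"sub": "alice", "role": "user"}, now=now)
    results = {
        "valid": verify_stateless(token, SECRET, now=now),
        "forged": verify_stateless(tamper_payload(token, role="admin"), SECRET, now=now),
        "expired": verify_stateless(token, SECRET, now=now + 3601),
        "found": store.lookup(sid, now=now),
        "guessed": store.lookup("sid-an-attacker-made-up", now=now),
    }
    # "Logout": the session store can drop the record; the stateless token cannot be recalled.
    store.revoke(sid)
    results["session_after_logout"] = store.lookup(sid, now=now + 10)
    results["token_after_logout"] = verify_stateless(token, SECRET, now=now + 10)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>22}: {outcome}")
```

The run shows the two sides of the summary above: the edited payload is rejected because its signature no longer matches, so the client cannot tamper with a signed token the way it can with a plain cookie, yet `token_after_logout` is still accepted because nothing on the server remembers that the user logged out; the session id, by contrast, is dead the moment its record is deleted. Making stateless tokens revocable means keeping a denylist or a per-user version number, which brings back exactly the shared state the token was meant to avoid, so in practice the choice is short-lived stateless tokens plus a stateful refresh step rather than one or the other.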