The difference between cookies and session and JWT
2022-07-19 00:14:00 【Fireworks chasing dreams】
First, HTTP is a stateless protocol: every time the server receives a request from the client, it treats it as a brand-new request and knows nothing about the client's earlier requests. This consumes a lot of resources, because every operation would have to verify the client's information again. The main purpose of Session and Cookie is to make up for the stateless nature of HTTP.

What is a Session?
When a client sends a request to the server, the server sets aside a region of memory for it. This object is the Session object, and its storage structure is a ConcurrentHashMap. Session makes up for the stateless nature of HTTP: the server can use the Session to store records of the client's operations during the same session.
How does Session determine whether it is the same session?
The first time the server receives a request, it creates a Session object (allocates space), generates a sessionId, and returns it to the client as a Cookie through the response header. After receiving the response, the client sets a Cookie locally; this Cookie expires at the end of the browser session. From then on, every request the client sends to the same website carries this Cookie in the request header, and the server obtains the sessionId from it.

Drawbacks of Session
For example: server A stores the Session. With load balancing, if the number of visits to A becomes too high for a while, requests are forwarded to server B, but B has not stored A's Session, which causes the Session to fail.
Solution: user login information is generally stored in a third-party store, such as a database or Redis. That way it does not matter if one server goes down, or if only one server is left; users' normal operation is not affected. (There is still a slight impact.)
Cases in which a Session becomes invalid
The configured timeout has been exceeded
The invalidate method is called explicitly
The server shuts down, either deliberately or abnormally
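The session lookup, the load-balancing drawback and the failure cases above can be reproduced in a few lines. This is an added example, not code from the original article: `SessionStore`, `Server` and the cookie name `SESSIONID` are assumed names, a Python dict stands in for the server's ConcurrentHashMap, and a store shared by two nodes stands in for the database or Redis.

```python
import secrets
import time

class SessionStore:
    """sessionId -> session data; a dict stands in for the server's map."""
    def __init__(self, timeout=1800):
        self.timeout = timeout            # seconds of allowed inactivity
        self.sessions = {}

    def create(self, now):
        sid = secrets.token_urlsafe(32)   # unguessable sessionId
        self.sessions[sid] = {"last": now, "data": {"hits": 0}}
        return sid

    def get(self, sid, now):
        entry = self.sessions.get(sid)
        if entry is None:                 # unknown id, or this node never stored it
            return None
        if now - entry["last"] > self.timeout:
            del self.sessions[sid]        # failure case: timeout exceeded
            return None
        entry["last"] = now
        return entry["data"]

    def invalidate(self, sid):            # failure case: explicit invalidate
        self.sessions.pop(sid, None)

class Server:
    """One node behind the load balancer; `store` is private or shared."""
    def __init__(self, store):
        self.store = store

    def handle(self, cookie_header=None, now=None):
        now = time.time() if now is None else now
        sid, set_cookie = None, None
        for part in (cookie_header or "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == "SESSIONID":
                sid = value
        data = self.store.get(sid, now) if sid else None
        if data is None:                  # first visit or failed session
            sid = self.store.create(now)
            data = self.store.get(sid, now)
            # No Expires/Max-Age: the cookie ends with the browser session.
            set_cookie = f"SESSIONID={sid}; Path=/; HttpOnly"
        data["hits"] += 1
        return {"new": set_cookie is not None, "hits": data["hits"],
                "set_cookie": set_cookie}
```

Two `Server` objects with separate stores lose the session when a request moves from one to the other; giving both the same `SessionStore` keeps it. Replacing a node's store with an empty one models the server-shutdown case.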
What is a Cookie?
Cookies in the HTTP protocol, including Web Cookies and browser Cookies, are small pieces of data sent by the server to the web browser. The browser stores the Cookie the server sent and sends it back to the server with the next request. Typically it is used to determine whether two requests come from the same browser, for example to keep a user logged in.
Main uses of Cookies
Session management: logins, shopping carts, game scores, etc.
Personalization: user preferences, themes or other settings
Tracking: recording and analyzing user behavior
Cookies are sent with every request, so they may degrade performance.
Creating a Cookie
When it receives an HTTP request, the server can send a Set-Cookie header with the response. The Cookie is usually stored by the browser, and is then sent to the server in an HTTP header together with subsequent requests.
Set-Cookie and Cookie headers
The Set-Cookie HTTP response header sends a cookie from the server to the user agent.
With every new request to the server, the browser uses the Cookie header to send all previously stored Cookies back to the server.
Session Cookies: the Cookie does not include an expiration date; when the browser is closed, the Cookie is lost permanently.
Persistent Cookies: the Cookie includes a validity period and is deleted from disk after it expires.
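The browser side of this exchange, as an added example that is not part of the original article: a minimal cookie jar that stores Set-Cookie values, distinguishes session cookies from persistent ones, and builds the Cookie request header. `parse_set_cookie` and `CookieJar` are assumed names, the headers in the test are constructed, and Domain, Path and Secure matching are deliberately left out.

```python
from email.utils import parsedate_to_datetime

def parse_set_cookie(header, now):
    """Return (name, value, expires_at); expires_at None = session cookie."""
    first, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    expires, max_age = None, None
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        try:
            if key == "max-age":
                max_age = now + int(val)
            elif key == "expires":
                expires = parsedate_to_datetime(val.strip()).timestamp()
        except (TypeError, ValueError):
            pass                          # an unparsable attribute is ignored
    # Max-Age takes precedence over Expires (RFC 6265, section 5.3).
    return name, value, max_age if max_age is not None else expires

class CookieJar:
    def __init__(self):
        self.cookies = {}                 # name -> (value, expires_at)

    def store(self, header, now):
        name, value, exp = parse_set_cookie(header, now)
        if exp is not None and exp <= now:
            self.cookies.pop(name, None)  # already expired: server is deleting it
        else:
            self.cookies[name] = (value, exp)

    def cookie_header(self, now):
        """Drop expired persistent cookies, then build the Cookie header."""
        self.cookies = {n: c for n, c in self.cookies.items()
                        if c[1] is None or c[1] > now}
        return "; ".join(f"{n}={c[0]}" for n, c in self.cookies.items())

    def close_browser(self):
        """Session cookies (no expiry) do not survive the browser closing."""
        self.cookies = {n: c for n, c in self.cookies.items()
                        if c[1] is not None}
```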
Comparison of Cookie and Session
Similarity: both are used to track the identity of the browser user's session.
| Cookie | Session |
| --- | --- |
| Data is saved on the client side | Data is saved on the server side |
| Less secure | More secure |
| Generally used to save user state | Records the user's state on the server |
What are Session Cookies?
Session Cookies: the user's login state is saved in the server's memory. When the user logs in, the Session is created securely by the server.
On every request, the server reads the sessionId from the session Cookie. If the data on the server matches the sessionId that was read, the server sends the response to the browser and allows the user to log in.
What are JSON Web Tokens?
JSON Web Tokens, JWT for short, can be called JSON tokens. As defined in RFC 7519, a JWT is a form of transmitting information securely as a JSON object. The information stored in a JWT is digitally signed, so it can be trusted and understood.
Uses of JWT
Authentication and information exchange
Authentication: once the user logs in, every subsequent request contains the JWT, which allows access to the routes, services and resources permitted by that token. Single sign-on is a feature that widely uses JWT nowadays, because of its small overhead.
Information exchange: JWT is a way to transmit information securely. The JWT is signed and verified using a public/private key pair. In addition, because the signature is computed from the header and the payload, it is possible to verify whether the content has been tampered with.
Comparison of JSON Web Token and Session Cookies
Similarity: both are mechanisms that let you send requests to different pages while verifying your login status.
Both can authenticate users, and can also authenticate them as they click through to different pages after logging in to a website or application. They are mechanisms for preserving the user's login information while switching between pages.
Differences:
| | JWT | Session Cookies |
| --- | --- | --- |
| Cryptographic signature | Signed | No |
| Stateless | Stateless; stored on the client; authentication is done locally; consumes fewer resources | Stored in server memory |
| Scalability | High | Low |
| Cross-domain authentication | Supported | Not supported |
Both provide secure user authentication.
Cryptographic signature: JWT carries a cryptographic signature, while Session Cookies do not.
Stateless: JWT is stateless and stored on the client. Authentication can be done locally, rather than requiring every request to go through the server's database or a similar location. Users can be authenticated many times without communicating with the database of the site or application, and without consuming a lot of resources. Session Cookies are stored in server memory.
Scalability: JWT is stateless, which can save a lot of server resources.
JWT supports cross-domain authentication: Session Cookies work only within the domain of a single node or its subdomains. If they try to access through a third node, they are blocked. JWT, by contrast, can authenticate users across multiple nodes.
With Cookies disabled, how can Session still be used?
If Cookies are disabled, the server still sends the sessionId to the browser as a Cookie, but the browser no longer saves this Cookie (the sessionId).
To keep using the Session, it has to be implemented through URL rewriting.