Who should read this article?
If you are interested in the following questions but cannot answer them, you should read this article.
1. What is a session?
2. What is a cookie?
3. Can a session still work if cookies are completely disabled?
4. Why does a site ask you to log in again some time after you have logged in?
5. Does the session in ASP rely on cookies?
6. Does the session in JSP rely on cookies?
7. What about the session in ASP.NET?
The following describes how session state is maintained. After reading it, you should be able to answer the questions above.
1. Origin of session and cookie
Here I do not distinguish "cookie" from "cookies"; the latter is just the plural. We all know that HTTP is a stateless protocol: each request is independent, and the server does not know whether two requests come from the same person. If our content is completely open, that is, everyone may see everything (such as Sina's news), it does not matter whether two requests are from the same person. But most of us do not want this: we want only members to have access after logging in (almost every forum works this way) and we want to refuse everyone else. So we need to know whether each request comes from the same person. That is a session, and the session is built on the cookie. The cookie is the most basic piece; it is also known as a "small cookie".
The server maintains a session for each visitor, each with a unique session ID. If the client has not disabled cookies, the browser writes the cookie to the client's hard disk (if you do not believe it, look at the cookie files under C:\Documents and Settings\<username>\Local Settings\Temporary Internet Files; they are plain text files). Every later request carries this ID value, so the server can tell whether it is the same visitor. If you still do not believe it, try this test:
1. Pick a site where you log in with a username (preferably an ASP site, such as a forum).
2. Log in normally and confirm that you are logged in, then close your browser.
3. Open Internet Options (the IE properties page), select the Privacy tab, raise the setting to the highest level, and confirm.
4. Reopen IE and log in to the same site again; watch what happens.
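The mechanism behind that test, as an added example that is not code from the article or from any particular web server: a tiny in-memory server that mints a session ID for every request it does not recognise, a browser object that either keeps cookies or throws them away, and a check of what each side sees. The cookie name ASPSESSIONID is an assumption modelled on classic ASP; the session table is constructed for the demo.

```python
import secrets
from http.cookies import SimpleCookie

# Server-side session table: session id -> per-visitor state (constructed, in-memory)
SESSIONS = {}
SESSION_COOKIE = "ASPSESSIONID"  # assumed cookie name, modelled on classic ASP


def handle_request(headers):
    """Simulate one stateless HTTP request.

    headers: dict of request headers the client sent.
    Returns (session_id, response_headers, hit_count_for_that_session).
    """
    sid = None
    if "Cookie" in headers:
        jar = SimpleCookie()
        jar.load(headers["Cookie"])
        if SESSION_COOKIE in jar:
            sid = jar[SESSION_COOKIE].value
    response_headers = {}
    if sid not in SESSIONS:
        # No recognised id arrived: as far as the server knows this is a brand-new visitor
        sid = secrets.token_hex(16)
        SESSIONS[sid] = {"hits": 0}
        response_headers["Set-Cookie"] = f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly"
    SESSIONS[sid]["hits"] += 1
    return sid, response_headers, SESSIONS[sid]["hits"]


class Browser:
    """Minimal client: remembers Set-Cookie values only when cookies are enabled."""

    def __init__(self, cookies_enabled=True):
        self.cookies_enabled = cookies_enabled
        self.jar = {}

    def request(self):
        headers = {}
        if self.jar:
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in self.jar.items())
        sid, resp, hits = handle_request(headers)
        if self.cookies_enabled and "Set-Cookie" in resp:
            c = SimpleCookie()
            c.load(resp["Set-Cookie"])
            for name, morsel in c.items():
                self.jar[name] = morsel.value
        return sid, hits


def demo():
    """Two requests with cookies on, two with cookies off (the 'highest privacy' setting)."""
    SESSIONS.clear()
    normal = Browser(cookies_enabled=True)
    first, _ = normal.request()
    second, hits = normal.request()
    strict = Browser(cookies_enabled=False)
    third, _ = strict.request()
    fourth, _ = strict.request()
    return {
        "same_visitor_recognised": first == second,  # True: cookie carried the id back
        "hits": hits,                                # 2: both requests landed on one session
        "cookieless_recognised": third == fourth,    # False: every request looks new
        "sessions_created": len(SESSIONS),           # 3: one for the normal browser, two for the strict one
    }
```

With cookies blocked the server never sees its own ID again, so the second login attempt in the test above starts from scratch each time, exactly what the article predicts.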
2. Relationship between session and cookie
There are only two ways to maintain session state.
The first: cookies, the most common; more than 95% of sessions are kept alive thanks to cookies.
The second: URL rewriting, which appends the session ID to the URL; JSP implements it, but it is not used much.
If you have used Session objects you may wonder: we usually maintain a session with Session, so how does that fit in?
The answer is simple: the two methods above are the means, and the session is our purpose. In one sentence, the relationship between session and cookie is this: the cookie is the most common way to maintain a session.
3. Cookie expiration and session timeout
You can set your cookie's expiration (really the site sets it for you). If you set it, you do not have to log in again later. If this machine is used by you alone you can do that; otherwise it is best not to. If you are inactive for a long time and send no new request, the session is likely to expire, and you may run into this situation: you clearly logged in, but after a while the site says you are not logged in and prompts you to log in again. That is simply because the session expired; the server can set an expiration time.
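The two timers in this section are easy to confuse, so here is an added example (not the article's code and not any particular server's implementation) that keeps them apart: a server-side session table with an idle timeout, and a Set-Cookie builder that shows the difference between a session cookie (no Expires, gone when the browser closes) and a persistent "remember me" cookie written to disk. The 15-minute timeout and the session ID string are constructed values.

```python
import time
from email.utils import formatdate

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before the server drops a session (constructed value)


class SessionStore:
    """In-memory server-side session table (constructed example)."""

    def __init__(self, timeout=IDLE_TIMEOUT):
        self.timeout = timeout
        self.sessions = {}  # sid -> {"user": str, "last_seen": epoch seconds}

    def login(self, sid, user, now):
        self.sessions[sid] = {"user": user, "last_seen": now}

    def user_for(self, sid, now):
        """Return the logged-in user behind sid, or None when the session is unknown or has idled out."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > self.timeout:
            del self.sessions[sid]  # timed out: the server has forgotten this visitor
            return None
        s["last_seen"] = now  # any activity resets the idle clock
        return s["user"]


def set_cookie_header(name, value, persist_seconds=None, now=None):
    """Build a Set-Cookie line.

    Without Expires the browser keeps the cookie in memory only (a session cookie).
    With Expires it is written to disk and survives restarts: the 'stay logged in' case
    the article advises against on a shared machine.
    """
    header = f"{name}={value}; Path=/; HttpOnly"
    if persist_seconds is not None:
        now = time.time() if now is None else now
        header += f"; Expires={formatdate(now + persist_seconds, usegmt=True)}"
    return header


def walkthrough():
    """Log in, browse for a while, go idle, come back: the third lookup fails."""
    store = SessionStore()
    sid = "constructed-session-id"
    t0 = 1_000_000
    store.login(sid, "alice", t0)
    step1 = store.user_for(sid, t0 + 10 * 60)                 # 10 min later: still logged in
    step2 = store.user_for(sid, t0 + 10 * 60 + 14 * 60)       # 14 min idle: still inside the window
    step3 = store.user_for(sid, t0 + 10 * 60 + 14 * 60 + 16 * 60)  # 16 min idle: "please log in again"
    return step1, step2, step3
```

Note that the cookie can outlive the session: a persistent cookie still carries the old ID after the server has discarded it, and the server simply treats that ID as unknown.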
4. How to implement a session when cookies are disabled
What happens if the client disables cookies completely?
For ASP, the session cannot be tracked; every request is a new request.
For JSP, you can implement a session by rewriting the URL with HttpServletResponse.encodeURL(String url):
response.encodeURL("index.jsp") returns index.jsp;jsessionid=431d980051204fc8dc3BF75840F7AF71
You can see that the session ID appended here is not part of the query string (the part after "?"); it is a path parameter separated by ";".
ASP.NET also supports URL rewriting, borrowed from JSP; but for JSP, not every web server supports rewritten URLs.
5. QueryString and HiddenForm
You may think these can also maintain a session, but in fact they can only pass parameters. That said, the server event model in ASP.NET does use a hidden field to carry the ViewState of controls (this is also something ASP.NET has that ASP and JSP do not; it is a new technique).
Why can they only pass parameters and not implement a session? The process is like this:
The server receives a request. If it does not receive a session ID it recognises, it generates a new session. Perhaps you think you can keep the session with a URL such as ?SessionID=234234234234.
This is a misunderstanding, because the server is already in a new session; all you get is the ID number of the previous session.
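The point of sections 4 and 5 together is that the container recognises a session ID only where it expects one. As an added example (not the article's code and not the Servlet API itself, whose encodeURL behaviour it only imitates), the rewriter below puts the ID into the path as a ;jsessionid= parameter, and the matching reader pulls it out of the path and ignores a home-made ?SessionID= query parameter. The session ID is the one quoted in the article; the page=2 query is constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit

SESSION_PARAM = "jsessionid"  # path-parameter name that Servlet containers use


def encode_url(url, sid):
    """Rewrite url the way HttpServletResponse.encodeURL does: the id goes into the
    path as a ';jsessionid=' parameter, ahead of any '?' query string."""
    parts = urlsplit(url)
    path = f"{parts.path};{SESSION_PARAM}={sid}"
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, parts.fragment))


def session_id_from_request_target(target):
    """What a container does on the way back in: it looks only at the path parameter.
    A '?SessionID=...' query parameter is ordinary form data to it, so this returns None."""
    path = urlsplit(target).path
    m = re.search(rf";{SESSION_PARAM}=([^;/?#]+)", path, re.IGNORECASE)
    return m.group(1) if m else None


def demo():
    sid = "431d980051204fc8dc3BF75840F7AF71"  # the id from the article's example
    rewritten = encode_url("index.jsp", sid)
    with_query = encode_url("index.jsp?page=2", sid)
    return {
        "rewritten": rewritten,      # index.jsp;jsessionid=431d...
        "with_query": with_query,    # index.jsp;jsessionid=431d...?page=2
        "recovered": session_id_from_request_target(with_query),
        # the section 5 trick: the id travels, but nothing on the server reads it
        "query_trick": session_id_from_request_target("index.jsp?SessionID=234234234234"),
    }
```

The rewritten link keeps the ID out of the query string, so form parameters and the session token never collide; a query parameter you invent yourself is only ever read by your own page code, never by the session machinery.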
6. The difference between QueryString and HiddenForm
QueryString is the part after "?". Browsers generally limit a URL to 255 characters, so you cannot pass a lot of data this way, and the method must be GET. HiddenForm is form data; the method can be GET or POST (generally POST).
7. A misunderstanding
I have seen someone create a session on their own web server and then link to someone else's program, expecting the session to carry across. A session is only valid within the same application, so this idea is futile; but if your program lives in the same application (as with some personal homepage hosting), it can be done.
8. A question
A cookie-related attack: when the client has disabled cookies completely, the server generates a session for every request. If the session timeout is 15 minutes, then a large number of requests that never send the cookie back, all within 15 minutes, make the server hold a large number of sessions, which amounts to a DoS attack (provided the request volume is large and the server does not filter).
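From the defending side, the exposure in that last scenario comes from allocating server-side state before the visitor has given the server any reason to keep it. Below is an added example (not the article's code and not any real server's implementation) that replays the same cookieless load against two policies: the naive one the article describes, and a hardened one that allocates a session only when there is state to store and caps live sessions per client address. The client address, request counts and cap are constructed values for the simulation.

```python
import secrets
from collections import deque


class NaiveServer:
    """Allocates a server-side session for every request that carries no recognised id,
    which is the behaviour the article describes for cookieless clients."""

    def __init__(self):
        self.sessions = {}

    def handle(self, client, sid=None, needs_state=False):
        if sid not in self.sessions:
            sid = secrets.token_hex(8)
            self.sessions[sid] = {"client": client}
        return sid


class HardenedServer:
    """Two mitigations: allocate nothing until there is state worth keeping (e.g. at login),
    and bound how many live sessions one client address may hold, evicting its oldest."""

    def __init__(self, cap_per_client=20):
        self.sessions = {}
        self.cap = cap_per_client
        self.by_client = {}  # client -> deque of its live session ids, oldest first

    def handle(self, client, sid=None, needs_state=False):
        if sid in self.sessions:
            return sid  # returning visitor: nothing new to allocate
        if not needs_state:
            return None  # anonymous browsing: no server-side state, so nothing to exhaust
        q = self.by_client.setdefault(client, deque())
        if len(q) >= self.cap:
            oldest = q.popleft()
            self.sessions.pop(oldest, None)  # this client's oldest session pays for the new one
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"client": client}
        q.append(sid)
        return sid


def simulate(server, requests, needs_state):
    """Replay `requests` cookieless hits from one client address (constructed load, no real
    traffic) and report how many sessions the server is left holding."""
    for _ in range(requests):
        server.handle("203.0.113.7", sid=None, needs_state=needs_state)
    return len(server.sessions)
```

Under the naive policy the table grows one entry per request for the whole timeout window; under the hardened policy anonymous page views cost nothing and even a client that triggers state on every request can hold at most the cap, while a normal visitor who returns its ID keeps the same session as before.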