Let's talk about sessions first.
The controversy over sessions has never stopped, but as far as I understand, sessions should account for more than 90.
Still, let's talk about it ~
Some people are in favor of using sessions and some are not. So what is there to say about this issue? Here is my opinion.
If I get something wrong, please don't throw things at me, except gold bars and coins.
Some of you may know that I work on a "rivers and lakes" program, and such programs care about efficiency rather than design.
So I will look at this from a more practical perspective.
First of all, what does a session do? A session is a user information store kept for one user, tied to one IE instance
and to any window opened from that window. Why do I say this? Read on.
First, study how a session starts. When IE opens the website, it sends a request that asks for a session ID
and lists the content types it is willing to download, such as pictures, sounds, and Flash.
The actual data transferred, IE to server:
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: www.jh521.com
Connection: Keep-Alive
The server returns a session ID that is not yet in use for IE to use. Together with the session ID,
it also returns the data of the requested page, as follows, server to IE:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 30 Nov 2003 16:41:51 GMT
Content-Length: 21174
Content-Type: text/html
Set-Cookie: ASPSESSIONIDCACBBBBIT=IBOMFONAOJFEEBHBPIENJFFC; path=/
Cache-Control: private
This is followed by the page's HTML code.
At this point, the session ID of this IE process (not of the client machine) is IBOMFONAOJFEEBHBPIENJFFC.
Whenever this IE accesses any ASP page on this site, it sends IBOMFONAOJFEEBHBPIENJFFC
to the server, and the server knows that IBOMFONAOJFEEBHBPIENJFFC means you.
If the server then sets Session("name") = "name",
this can be thought of as
Session("IBOMFONAOJFEEBHBPIENJFFC")("name") = "name"
or
Session("name") = "name"
In this way, the session tells users apart.
When the server hands out an ID, it checks that the ID is not already in use; if it is, it picks a different one.
Either way, it will not give you a duplicate. Simulating someone else's session ID is possible, but you would have to capture
the traffic sent by the other party's IE, and it can only work if that session ID has not been cancelled by then.
However, at that point I could find his Name and Pass directly in the POST data, so I would not count on this.
I hope this helps people understand how the session ID works.
Now look at cookies. Some people say the session ID is a cookie; technically they are not the same kind of thing,
but they share one working mode: the user and the server pass private data back and forth. When I set a cookie, the server sends IE an instruction, and IE creates the cookie from this instruction
and stores it. The information is sent back on later visits as long as the cookie is still valid.
So why not use cookies instead of sessions?
Look at the difference, by effective time, storage mode, and transferred content:
Cookie: lasts as long as it is set to, is kept locally, and carries the information in clear text.
Session: lasts as long as IE is not closed, and carries only the session ID.
When you want to save the user from entering the user name or password again, you can only use cookies,
because a cookie can be kept for a considerable amount of time (until the cookie record is deleted or its expiry date passes).
A session cannot: it is not kept for long, and IE automatically clears the session ID record when it closes.
A new session ID is requested the next time you log in.
When the server wants to verify the state of the user through a per-user variable, you cannot use cookies.
Suppose a cookie sets the user's permission to user. When I access the site, the value user is transmitted to the server in clear text.
So if by some means, for example by directly modifying the cookie record, I change user to admin ~~
then there is trouble.
But for storing the user name and password, or information such as the color scheme of the website, a cookie is the best choice.
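The cookie tampering problem described above, as an added example that is not code from the original post: Python stands in for the ASP page, and the cookie names sid and role, the SESSIONS table and the helper functions are assumptions made for illustration. It compares reading the permission from a client cookie with looking it up in server-side session state keyed by the session ID.

```python
import secrets
from http.cookies import SimpleCookie

# Hypothetical server-side session table: session ID -> per-user variables.
SESSIONS = {}

def login(username, role):
    """Create a session; the Set-Cookie value carries only the opaque ID."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"name": username, "role": role}
    return f"sid={sid}; Path=/; HttpOnly"

def parse(cookie_header):
    """Parse a Cookie request header into a plain dict."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return {key: morsel.value for key, morsel in jar.items()}

def role_from_cookie(cookie_header):
    """Weak: trusts a 'role' value that the browser stores and sends back."""
    return parse(cookie_header).get("role", "guest")

def role_from_session(cookie_header):
    """Stronger: the browser sends only the ID; the role is looked up server-side."""
    sid = parse(cookie_header).get("sid", "")
    return SESSIONS.get(sid, {}).get("role", "guest")

def demo():
    # Constructed sample requests, not captured traffic.
    sid_pair = login("alice", "user").split(";")[0]   # "sid=<hex>"
    honest = f"{sid_pair}; role=user"
    tampered = f"{sid_pair}; role=admin"              # local cookie record edited
    return {
        "cookie_honest": role_from_cookie(honest),
        "cookie_tampered": role_from_cookie(tampered),
        "session_honest": role_from_session(honest),
        "session_tampered": role_from_session(tampered),
        "unknown_sid": role_from_session("sid=" + "0" * 32 + "; role=admin"),
    }

if __name__ == "__main__":
    for case, role in demo().items():
        print(f"{case:17} -> {role}")
```

Only the cookie-based check changes its answer when the role value is edited on the client; the session-based check ignores it and falls back to guest for an ID the server never issued.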
OK, I am a bit tired. Next, let's talk about this:
Request.ServerVariables("HTTP_REFERER")
I think some people use Request.ServerVariables("HTTP_REFERER")
to enforce some key restrictions, especially to deal with remote submission and illegal intrusion.
So let me remind you that the HTTP_REFERER information the server receives is sent to the server entirely by IE, and it can be simulated.
The difficulty is not great: you can use VB to make an HTTP_REFERER intrusion program in less than half an hour.
(Unfortunately, I originally did not worry about this when I was writing a hang-up program for a web game.)