What are cookies and sessions, and how do they relate to each other?


Question

I am trying to understand cookies and sessions professionally. I know that when a browser connects to a server, the server "asks" the browser to "paste" a cookie with "phpsessid" in the client browser's cookies folder.

Now that we have the "phpsessid", if the client enters the server, the browser sends the "phpsessid" to the server, the server takes a look at the tmp folder, and if we have a match it loads back every piece of data the user has for this client, but I am kind of confused by the process.

I will be thankful if someone can help me understand those processes of creating a session and cookies - what is happening behind the scenes.

Answer

Let's take a look:

Cookies and sessions are both ways to preserve the application's state between different requests the browser makes. It's thanks to them that, for instance, you don't need to log in every time you request a page on StackOverflow.

Cookies are small bits of data (maximum of 4KB long), which hold data in key=value pairs:

name=value; name2=value2

These are set either by JavaScript, or via the server using an HTTP header.

Cookies have an expiry datetime set, for example using HTTP headers:

Set-Cookie: name2=value2; Expires=Wed, 19 Jun 2021 10:18:14 GMT

This would cause the browser to set a cookie named name2 with a value of value2, which would expire in about 9 years.

Cookies are considered highly insecure because the user can easily manipulate their content. That's why you should always validate cookie data. Don't assume what you get from a cookie is necessarily what you expect.

Cookies are usually used to preserve login state, where a username and a special hash are sent from the browser, and the server checks them against the database to approve access.

Cookies are also often used in session creation.

Sessions are slightly different. Each user gets a session ID, which is sent back to the server for validation either by cookie or by GET variable.

Sessions are usually short-lived, which makes them ideal for saving temporary state between applications. Sessions also expire once the user closes the browser.

Sessions are considered more secure than cookies because the variables themselves are kept on the server. Here's how it works:

  1. Server opens a session (sets a cookie via HTTP header)
  2. Server sets a session variable.
  3. Client changes page
  4. Client sends all cookies, along with the session ID from step 1.
  5. Server reads session ID from cookie.
  6. Server matches session ID from a list in a database (or memory etc).
  7. Server finds a match, reads variables which are now available on the $_SESSION superglobal.

If PHP does not find a match, it will start a new session, and repeat steps 1-7.

You can store sensitive information in a session because it is kept on the server, but be aware that the session ID can still be stolen if the user, let's say, logs in over insecure WiFi. (An attacker can sniff the cookie and set it as their own; they won't see the variables themselves, but the server will identify the attacker as the user).

That's the gist of it. You can learn more in the PHP manual on both subjects.
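The seven-step flow above, together with the "always validate cookie data" advice and the stolen-session-ID caveat, as an added example that is not part of the original question or answer. It is written in Python rather than PHP, and the names SESSION_STORE, start_session, regenerate_session_id, set_cookie_header, parse_cookie_header, load_session, sign_value and verify_value are all invented for this illustration; the in-memory dictionary stands in for the tmp folder that PHP uses as its session store, and SERVER_SECRET is a constructed placeholder key.

```python
import hashlib
import hmac
import secrets
import time
from email.utils import formatdate
from http.cookies import SimpleCookie
from typing import Dict, Optional

# Constructed placeholder secret for signing cookie values (not a real key).
SERVER_SECRET = b"constructed-demo-secret"

# Server-side session store: session ID -> session variables.
# This plays the role of PHP's session files in the tmp folder.
SESSION_STORE: Dict[str, dict] = {}


def start_session() -> str:
    """Step 1: create an empty session under a fresh, unguessable ID."""
    sid = secrets.token_hex(16)  # 128 bits of randomness
    SESSION_STORE[sid] = {}
    return sid


def regenerate_session_id(old_sid: str) -> str:
    """Move a session to a new ID (e.g. right after login), so that an ID
    captured before login no longer maps to the logged-in session."""
    new_sid = secrets.token_hex(16)
    SESSION_STORE[new_sid] = SESSION_STORE.pop(old_sid)
    return new_sid


def set_cookie_header(name: str, value: str, max_age: Optional[int] = None) -> str:
    """Build the Set-Cookie header the server sends in step 1.
    HttpOnly keeps JavaScript from reading the cookie, Secure keeps it off
    plain HTTP (the insecure-WiFi case), SameSite=Lax limits cross-site sending."""
    parts = [f"{name}={value}", "Path=/", "HttpOnly", "Secure", "SameSite=Lax"]
    if max_age is not None:
        parts.append(f"Max-Age={max_age}")
        # Expires uses the same RFC 7231 date format as the answer's example header.
        parts.append("Expires=" + formatdate(time.time() + max_age, usegmt=True))
    return "; ".join(parts)


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Parse the 'name=value; name2=value2' Cookie header the browser sends (step 4)."""
    jar = SimpleCookie()
    jar.load(header)
    return {key: morsel.value for key, morsel in jar.items()}


def load_session(cookie_header: str) -> Optional[dict]:
    """Steps 5-7: read the session ID from the cookie and look it up.
    Returns None when there is no match, which is where PHP would start a new session."""
    sid = parse_cookie_header(cookie_header).get("PHPSESSID")
    if sid is None or sid not in SESSION_STORE:
        return None
    return SESSION_STORE[sid]


def sign_value(value: str) -> str:
    """Attach an HMAC so data kept in the cookie itself can be validated on return."""
    mac = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_value(signed: str) -> Optional[str]:
    """Return the value only if its MAC is intact; a tampered cookie yields None."""
    value, sep, mac = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(mac, expected) else None


if __name__ == "__main__":
    sid = start_session()
    print(set_cookie_header("PHPSESSID", sid, max_age=3600))
    SESSION_STORE[sid]["user"] = "alice"          # step 2: server sets a variable
    print(load_session(f"PHPSESSID={sid}; theme=dark"))   # steps 4-7: match found
    print(load_session("PHPSESSID=not-a-known-id"))       # no match -> None
    token = sign_value("theme=dark")
    print(verify_value(token), verify_value(token.replace("dark", "admin")))
```

Note that load_session cannot tell a legitimate browser from anyone else presenting the same PHPSESSID, which is exactly the caveat in the answer; the Secure and HttpOnly attributes reduce how the ID can leak, and regenerate_session_id on login limits what a previously captured ID is worth.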
