What is the difference between localStorage, sessionStorage, session and cookies?


Question

What are the technical pros and cons of localStorage, sessionStorage, session and cookies, and when would I use one over the other?

Recommended answer

This is an extremely broad question, and a lot of the pros/cons will be contextual to the situation.

In all cases these storage mechanisms will be specific to an individual browser on an individual computer/device. Any requirement to store data on an ongoing basis across sessions will need to involve your application server side - most likely using a database, but possibly XML or a text/CSV file.

localStorage, sessionStorage and cookies are all client storage solutions. Session data is held on the server, where it remains under your direct control.

localStorage and sessionStorage are relatively new APIs (meaning not all legacy browsers will support them) and are near-identical (both in API and capabilities) with the sole exception of persistence. sessionStorage (as the name suggests) is only available for the duration of the browser session (and is deleted when the window is closed) - it does, however, survive page reloads (source: DOM Storage guide - Mozilla Developer Network).

Clearly, if the data you are storing needs to be available on an ongoing basis then localStorage is preferable to sessionStorage - although you should note that both can be cleared by the user, so you should not rely on the continued existence of data in either case.

localStorage and sessionStorage are perfect for persisting non-sensitive data needed within client scripts between pages (for example: preferences, scores in games). The data stored in localStorage and sessionStorage can easily be read or changed from within the client/browser, so it should not be relied upon for storage of sensitive or security-related data within applications.

This is also true for cookies: these can be trivially tampered with by the user, and data can also be read from them in plain text - so if you want to store sensitive data then session is really your only option. If you are not using SSL, cookie information can also be intercepted in transit, especially on an open Wi-Fi network.

On the positive side, cookies can have a degree of protection applied against security risks like Cross-Site Scripting (XSS)/script injection by setting the HttpOnly flag, which means modern (supporting) browsers will prevent access to the cookies and their values from JavaScript (this will also prevent your own, legitimate JavaScript from accessing them). This is especially important with authentication cookies, which are used to store a token containing details of the user who is logged on - if you have a copy of that cookie then for all intents and purposes you become that user as far as the web application is concerned, and have the same access to data and functionality the user has.

As cookies are used for authentication purposes and persistence of user data, all cookies valid for a page are sent from the browser to the server for every request to the same domain - this includes the original page request, any subsequent Ajax requests, all images, stylesheets, scripts and fonts. For this reason cookies should not be used to store large amounts of information. Browsers may also impose limits on the size of information that can be stored in cookies. Typically cookies are used to store identifying tokens for authentication, session and advertising tracking. The tokens are typically not human-readable information in and of themselves, but encrypted identifiers linked to your application or database.

In terms of capabilities, cookies only allow you to store strings. sessionStorage and localStorage allow you to store JavaScript primitives but not Objects or Arrays (it is possible to JSON-serialise them to store them using the APIs). Session storage will generally allow you to store any primitives or objects supported by your server-side language/framework.

As HTTP is a stateless protocol - web applications have no way of identifying a user from previous visits on returning to the web site - session data usually relies on a cookie token to identify the user on repeat visits (although, rarely, URL parameters may be used for the same purpose). Data will usually have a sliding expiry time (renewed each time the user visits), and depending on your server/framework the data will either be stored in-process (meaning data will be lost if the web server crashes or is restarted) or externally in a state server or database. The latter is also necessary when using a web farm (more than one server for a given website).

As session data is completely controlled by your application (server side), it is the best place for anything sensitive or secure in nature.

The obvious disadvantage of server-side data is scalability - server resources are required for each user for the duration of the session, and any data needed client side must be sent with each request. As the server has no way of knowing whether a user has navigated to another site or closed their browser, session data must expire after a given time to avoid all server resources being taken up by abandoned sessions. When using session data you should therefore be aware of the possibility that data will have expired and been lost, especially on pages with long forms. It will also be lost if the user deletes their cookies or switches browsers/devices.

Some web frameworks/developers use hidden HTML inputs to persist data from one page of a form to another to avoid session expiration.

localStorage, sessionStorage and cookies are all subject to "same-origin" rules, which means browsers should prevent access to the data except from the domain that set the information to start with.

For further reading on client storage technologies see Dive Into Html 5.
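Added example, not part of the original answer: a small Node.js module that issues a session-id cookie with the HttpOnly and Secure flags the answer recommends, and an audit function that checks a Set-Cookie header for missing flags and oversized values (cookies travel on every request). The function names, the sample token and the 4096-byte limit (the per-cookie minimum a browser must accept under RFC 6265) are my own choices; SameSite=Lax is an extra attribute the answer does not mention.

```javascript
// Added example (not from the original answer). Runs under Node.js.
// Goal: keep the authentication token out of page scripts (HttpOnly) and
// off the wire on plain HTTP (Secure), and keep the cookie small.

const COOKIE_MAX_BYTES = 4096; // RFC 6265: minimum per-cookie size a browser must support

// Build a Set-Cookie header carrying only an opaque session identifier.
// The user's data stays in the server-side session store; the client
// holds nothing but this id.
function buildSessionCookie(name, sessionId, { maxAgeSeconds = 1800 } = {}) {
  if (!/^[A-Za-z0-9_-]+$/.test(sessionId)) {
    throw new Error('session id must be an opaque URL-safe token');
  }
  return [
    `${name}=${sessionId}`,
    'Path=/',
    `Max-Age=${maxAgeSeconds}`, // sliding expiry: re-issue on each request
    'HttpOnly',                 // document.cookie cannot read it
    'Secure',                   // never sent over plain HTTP
    'SameSite=Lax',             // extra attribute, not discussed in the answer
  ].join('; ');
}

// Parse a Set-Cookie header into its name/value pair and an attribute map
// keyed by lower-cased attribute name (flag attributes map to true).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    const [key, val = true] = attr.split('=');
    cookie.attributes[key.toLowerCase()] = val;
  }
  return cookie;
}

// Audit a Set-Cookie header the way a response-header check in a deployment
// pipeline would; returns a list of findings (empty means the cookie passes).
function auditSetCookie(header) {
  const { attributes } = parseSetCookie(header);
  const findings = [];
  if (!('httponly' in attributes)) findings.push('missing HttpOnly');
  if (!('secure' in attributes)) findings.push('missing Secure');
  if (Buffer.byteLength(header, 'utf8') > COOKIE_MAX_BYTES) findings.push('exceeds 4096 bytes');
  return findings;
}

module.exports = { buildSessionCookie, parseSetCookie, auditSetCookie, COOKIE_MAX_BYTES };
```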
