How do Cookies and Sessions work?


Question


I am trying to understand Cookies and sessions professionally. I know that when a browser enters a server, the server "asks" the browser to "paste" itself a cookie with "phpsessid" in the client browser's cookies folder. Now, when we have the "phpsessid" and the client enters the server, the browser sends the "phpsessid" to the server, and the server takes a look at its tmp folder, and if there is a match it loads back every piece of data it has for this client, but I am kind of confused with the whole process.


I will be thankful if someone can please help me understand those processes of creating sessions and cookies (what happens "behind the scenes"). Thank you all.

Recommended answer

Let's take a look:

Cookies and sessions are both ways to preserve the application's state between different requests the browser makes. It's thanks to them that, for instance, you don't need to log in every time you request a page on StackOverflow.


Cookies are small bits of data (maximum of 4KB long), which hold data in key=value pairs:

name=value; name2=value2

These are set either by JavaScript or by the server using HTTP headers.


Cookies have an expiry datetime set; for example, using HTTP headers:

Set-Cookie: name2=value2; Expires=Wed, 19 Jun 2021 10:18:14 GMT


Which would cause the browser to set a cookie named name2 with a value of value2, which would expire in about 9 years.


Cookies are considered highly insecure because the user can easily manipulate their content. That's why you should always validate cookie data. Don't assume what you get from a cookie is necessarily what you expect.


Cookies are usually used to preserve login state, where a username and a special hash are sent from the browser, and the server checks them against the database to approve access.


Sessions are slightly different. Each user gets a session ID, which is sent back to the server for validation either by cookie or by GET variable.


Sessions are usually short lived, which makes them ideal for saving temporary state between applications. Sessions also expire once the user closes her browser.


Sessions are considered more secure than cookies, because the variables themselves are kept on the server. Here's how it works:

  1. Server opens a session (sets a cookie via HTTP header)
  2. Server sets a session variable.
  3. Client changes page
  4. Client sends all cookies, along with the session ID from step 1.
  5. Server reads session ID from cookie.
  6. Server matches session ID from a list in a database (or whatever).
  7. Server finds a match, reads variables which are now available on $_SESSION superglobal.


If PHP does not find a match, it will start a new session, and repeat the steps from 1-7.


You can store sensitive information in a session, because it is kept on the server, but be aware that the session ID can still be stolen if the user, let's say, logged in over an insecure WiFi. (An attacker can sniff the cookies and set them as his own; he won't see the variables themselves, but the server will identify the attacker as the user.)


That's the gist of it. You can learn more on the PHP manual on both subjects.
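As an added illustration (not code from the question or the answer above), here is a small Python model of the server side of steps 1-7: the store keeps the variables, the client only ever holds the opaque ID from the Cookie header, and an unknown ID starts a fresh session rather than being adopted. It goes a little beyond the answer by attaching HttpOnly, Secure and SameSite attributes to the Set-Cookie line as the standard mitigation for the sniffing caveat; the cookie name PHPSESSID and the request sequence in `demo()` are constructed for the example.

```python
import secrets
from http.cookies import SimpleCookie

# Default cookie name PHP uses; an assumption for this model, any name would do.
COOKIE_NAME = "PHPSESSID"

def set_cookie_header(sid):
    """Step 1: the header that asks the browser to store the session ID.
    HttpOnly keeps page scripts from reading it, Secure keeps it off plain
    HTTP (the 'insecure WiFi' caveat), SameSite=Lax limits cross-site sends."""
    return f"Set-Cookie: {COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"

class SessionStore:
    """Server side of the answer's steps 1-7.  The dict maps an opaque ID to
    the session's variables (PHP's $_SESSION); only the ID goes to the client."""

    def __init__(self):
        self._sessions = {}

    def handle_request(self, cookie_header):
        """Steps 4-7: read the ID from the request's Cookie header, match it
        against the store and return (sid, variables, set_cookie_or_None).
        A missing or unknown ID starts a fresh session, as the answer says."""
        jar = SimpleCookie()
        if cookie_header:
            jar.load(cookie_header)
        sid = jar[COOKIE_NAME].value if COOKIE_NAME in jar else None
        if sid in self._sessions:
            return sid, self._sessions[sid], None
        # Never trust the cookie value itself: mint a new unguessable ID
        # instead of adopting whatever the client sent.
        sid = secrets.token_hex(16)
        self._sessions[sid] = {}
        return sid, self._sessions[sid], set_cookie_header(sid)

def demo():
    """Constructed request sequence: first visit, a follow-up carrying the
    cookie, then a request carrying an ID the server never issued."""
    store = SessionStore()
    sid, variables, header = store.handle_request(None)      # step 1
    variables["user"] = "alice"                               # step 2
    again = store.handle_request(f"{COOKIE_NAME}={sid}; theme=dark")  # steps 3-7
    forged = store.handle_request(f"{COOKIE_NAME}=not-a-real-id")
    return header, again, forged

if __name__ == "__main__":
    for item in demo():
        print(item)
```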
