Cookie, Session and Token
What is the difference between a cookie, a session and a token?
All of them are related to maintaining state information.
When we log in to a page and want to maintain the user's login status,
we need to use a cookie, a session or a token.
Why do we need session id?
Because HTTP is stateless.
On every request, the server needs to know who sent it.
session and cookie
For example:
Users need to visit a website.
User -> client
Website -> server
Visit: the client sends a request to the server
Many functions of the website can only be provided after the user logs in.
Without a session, users would need to attach their own username and password every time they send a request.
The risk of doing so is too high.
After the user provides the username and password for the first time, the website gives the user a temporary item, the session id, which is unique.
After the user logs in for the first time, subsequent requests interact with the server using the session id.
The server stores the session information on the server.
The browser (client) stores the session id in a cookie.
The user can delete the session id in the cookie by clicking log out.
The server will also delete the corresponding session information.
Of course, as a temporary item, session id also has an expiration time.
After a certain period of time, the session id expires, and the user needs to log in again to get the new session id.
Summary
The session is generated by the server.
The session id is unique and is sent to the client.
The session id is placed in the cookie for transmission.
Problem: the cookie can be modified by the client.
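The session flow summarized above, as an added example that is not part of the original notes: a server-side session table in Python with login, lookup, expiration and logout. The class name SessionStore, the cookie name session_id, the 1800-second lifetime and the HttpOnly/Secure/SameSite cookie attributes are assumptions of this example. Because the server only accepts ids it issued itself, a cookie value modified by the client maps to no session.

```python
import secrets
import time
from http.cookies import SimpleCookie


class SessionStore:
    """Server side: maps session id -> session information (constructed example)."""

    def __init__(self, ttl=1800, clock=time.time):  # ttl in seconds, assumed value
        self._sessions, self._ttl, self._clock = {}, ttl, clock

    def login(self, username):
        """Call only after the password check; returns the Set-Cookie header."""
        sid = secrets.token_urlsafe(32)  # random, unique, carries no user data
        self._sessions[sid] = {"user": username, "expires": self._clock() + self._ttl}
        cookie = SimpleCookie()
        cookie["session_id"] = sid
        cookie["session_id"]["httponly"] = True   # not readable from page scripts
        cookie["session_id"]["secure"] = True     # only sent over HTTPS
        cookie["session_id"]["samesite"] = "Lax"
        cookie["session_id"]["max-age"] = self._ttl
        return cookie.output(header="Set-Cookie:")

    @staticmethod
    def _sid(cookie_header):
        """Extract the session id from a Cookie request header, or None."""
        cookie = SimpleCookie()
        cookie.load(cookie_header)
        morsel = cookie.get("session_id")
        return morsel.value if morsel is not None else None

    def lookup(self, cookie_header):
        """Return the logged-in user, or None if the id is unknown or expired."""
        sid = self._sid(cookie_header)
        session = self._sessions.get(sid)
        if session is None:
            return None  # never issued, logged out, or modified by the client
        if self._clock() >= session["expires"]:
            del self._sessions[sid]  # expired: the user must log in again
            return None
        return session["user"]

    def logout(self, cookie_header):
        """Delete the server-side session information for this cookie."""
        self._sessions.pop(self._sid(cookie_header), None)
```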
token
Used for third-party authorization.
The token is equivalent to a temporary account.
Generally speaking, it only allows some information to be viewed.
Some well-known token protocols:
OAuth
OpenID
JWT
The difference between token and cookie
A token is used between multiple parties.
A cookie is used between two parties.
The token contains the session information.
The cookie contains only the session id and does not contain the session information.
The token is sent via the Authorization HTTP header.
The cookie is sent via the Cookie HTTP header.