
What are sessions? How do they work?

I am just beginning to start learning web application development, using python. I am coming across the terms 'cookies' and 'sessions'. I understand cookies in that they store some info in a key value pair on the browser. But I have a little confusion regarding sessions: in a session, too, we store data in a cookie on the user's browser.

For example - I login using username='rasmus' and password='default'. In such a case the data will be posted to the server which is supposed to check and log me in if authenticated. However during the entire process the server also generates a session ID which will be stored in a cookie on my browser. Now the server also stores this session ID in its file system or datastore.

But based on just the session ID, how would it be able to know my username during my subsequent traversal through the site? Does it store the data on the server as a dict where the key would be a session ID and details like username, email etc. be the values?

I am getting quite confused here. Need help.

Because HTTP is stateless, in order to associate a request to any other request, you need a way to store user data between HTTP requests.

Cookies or URL parameters (for ex. like http://example.com/myPage?asd=lol&boo=no) are both suitable ways to transport data between 2 or more requests. However they are not good in case you don't want that data to be readable/editable on client side.

The solution is to store that data server side, give it an "id", and let the client only know (and pass back at every http request) that id. There you go, sessions implemented. Or you can use the client as a convenient remote storage, but you would encrypt the data and keep the secret server-side.

Of course there are other aspects to consider, like you don't want people to hijack other's sessions, you want sessions to not last forever but to expire, and so on.

In your specific example, the user id (could be username or another unique ID in your user database) is stored in the session data, server-side, after successful identification. Then for every HTTP request you get from the client, the session id (given by the client) will point you to the correct session data (stored by the server) that contains the authenticated user id - that way your code will know what user it is talking to.
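The design this answer describes (session data kept server-side under an unguessable ID, the ID being the only thing the client holds, sessions that expire rather than last forever) as an added Python example; this is not code from the question or from any answer. It assumes an in-memory dict as the store, the question's rasmus/default credentials as constructed demo data, a 30-minute idle timeout, and an injectable clock so that expiry can be exercised without waiting.

```python
import hmac
import secrets
import time
from typing import Any, Callable, Optional

# Constructed demo credentials taken from the question. A real application
# stores password hashes, never plaintext passwords.
USERS = {"rasmus": "default"}

SESSION_TTL_SECONDS = 30 * 60   # idle timeout: sessions must not last forever


class SessionStore:
    """Server-side session store: maps an unguessable session ID to user data.

    Only the ID ever reaches the client; the data stays on the server, so the
    client can neither read nor edit it.
    """

    def __init__(self, ttl: int = SESSION_TTL_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self._sessions: dict[str, dict[str, Any]] = {}
        self._ttl = ttl
        self._clock = clock   # injectable so expiry is testable deterministically

    def create(self, data: dict[str, Any]) -> str:
        # 32 random bytes (256 bits): the ID cannot be guessed or enumerated
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"data": dict(data), "last_seen": self._clock()}
        return sid

    def get(self, sid: Optional[str]) -> Optional[dict[str, Any]]:
        """Return the session data for sid, or None if unknown or expired."""
        if sid is None:
            return None
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > self._ttl:
            del self._sessions[sid]       # expired: forget it, user is logged out
            return None
        entry["last_seen"] = now          # sliding expiration on every use
        return entry["data"]

    def rotate(self, sid: str) -> Optional[str]:
        """Move the data to a fresh ID (done at login so a pre-set ID cannot be reused)."""
        entry = self._sessions.pop(sid, None)
        if entry is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = entry
        return new_sid

    def destroy(self, sid: str) -> None:
        """Logout: the old ID stops working even if someone else captured it."""
        self._sessions.pop(sid, None)


def login(store: SessionStore, username: str, password: str) -> Optional[str]:
    """Check credentials; on success create a session that records who the user is."""
    expected = USERS.get(username)
    # compare_digest does not leak how many characters matched through timing
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return store.create({"username": username})


def current_user(store: SessionStore, sid: Optional[str]) -> Optional[str]:
    """What every later request does: session ID -> session data -> username."""
    data = store.get(sid)
    return data["username"] if data else None


if __name__ == "__main__":
    store = SessionStore()
    sid = login(store, "rasmus", "default")
    print("session id handed to the browser:", sid)
    print("user on the next request:", current_user(store, sid))
    store.destroy(sid)
    print("user after logout:", current_user(store, sid))
```

The dict is what the question guessed at: the key is the session ID, the value is whatever the server wants to remember (here only the username). The client never sees that value, it only echoes the key back, and an ID the server does not know, or has expired, resolves to nobody.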

Explanation via Pictures:

[Image: sessions explained via pictures]

Simple Explanation by analogy

Imagine you are in a bank, trying to get some money out of your account. But it's dark; the bank is pitch black: there's no light and you can't see your hand in front of your face. You are surrounded by another 20 people. They all look the same. And everybody has the same voice. And everyone is a potential bad guy. In other words, HTTP is stateless.

This bank is a funny type of bank - for the sake of argument here's how things work:

  1. you wait in line (or on-line) and you talk to the teller: you make a request to withdraw money, and then
  2. you have to wait briefly on the sofa, and 20 minutes later
  3. you have to go and actually collect your money from the teller.

But how will the teller tell you apart from everyone else?

The teller can't see or readily recognise you, remember, because the lights are all out. What if your teller gives your $10,000 withdrawal to someone else - the wrong person?! It's absolutely vital that the teller can recognise you as the one who made the withdrawal, so that you can get the money (or resource) that you asked for.

Solution:

When you first appear to the teller, he or she tells you something in secret:

"Whenever you are talking to me," says the teller, "you should first identify yourself as GNASHEU329 - that way I know it's you".

Nobody else knows the secret passcode.

Example of How I Withdrew Cash:

So I decide to go and chill out for 20 minutes and then later I go to the teller and say "I'd like to collect my withdrawal"

The teller asks me: "who are you??!"

"It's me, Mr. George Banks!"

"Prove it!"

And then I tell them my passcode: GNASHEU329

"Certainly Mr. Banks!"

That basically is how a session works. It allows one to be uniquely identified in a sea of millions of people. You need to identify yourself every time you deal with the teller.

If you got any questions or are unclear - please post a comment and I will try to clear it up for you.

The following is not, strictly speaking, completely accurate in its terminology, but I hope it's helpful to you in understanding concepts.

"Session" is the term used to refer to a user's time browsing a web site. It's meant to represent the time between their first arrival at a page in the site until the time they stop using the site. In practice, it's impossible to know when the user is done with the site. In most servers there's a timeout that automatically ends a session unless another page is requested by the same user.

The first time a user connects some kind of session ID is created (how it's done depends on the web server software and the type of authentication/login you're using on the site). Like cookies, this usually doesn't get sent in the URL anymore because it's a security problem. Instead it's stored along with a bunch of other stuff that collectively is also referred to as the session. Session variables are like cookies - they're name-value pairs sent along with a request for a page, and returned with the page from the server - but their names are defined in a web standard.

Some session variables are passed as HTTP headers. They're passed back and forth behind the scenes of every page browse so they don't show up in the browser and tell everybody something that may be private. Among them are the USER_AGENT, or type of browser requesting the page, the REFERRER or the page that linked to the page being requested, etc. Some web server software adds its own headers or transfers additional session data specific to the server software. But the standard ones are pretty well documented.

Hope that helps.

HTTP is a stateless connection protocol, that is, the server cannot differentiate between different connections of different users.

Hence comes the cookie: once a client connects the first time to a server, the server generates a new session id, which later will be sent to the client as a cookie value. And from now on, this session id will identify that client connection, because within each HTTP request it will see the appropriate session id inside the cookies.

Now for each session id, the server keeps some data structure, which enables it to store data specific to the user; this data structure you can abstractly call a session.

Think of HTTP as a person (A) who has SHORT TERM MEMORY LOSS and forgets every person as soon as that person goes out of sight.

Now, to remember different persons, A takes a photo of that person and keeps it. Each person's pic has an ID number. When that person comes again in sight, that person tells its ID number to A and A finds their picture by ID number. And voila!!, A knows who that person is.

Same is with HTTP. It is suffering from SHORT TERM MEMORY LOSS. It uses Sessions to record everything you did while using a website, and then, when you come again, it identifies you with the help of Cookies (a Cookie is like a token). The Picture is the Session here, and the ID is the Cookie here.

Session is a broad technical term which can be used to refer to a state which is stored either on the server side using an in-memory cache or on the client side using a cookie, local storage or session storage.

There is nothing specific on the browser or server that is called session. Session is a kind of data which represents a user session on the web. And that data can be stored on the server or client.

And how it is stored and shared is another topic. But the brief is: when a user is logged in, the server creates session data and generates a session ID. The session ID is sent back to the user in a custom header or the set-cookie header, which takes care of automatically storing it on the user's browser. And then when next time the user revisits, the session ID is sent along with the request and the server checks if there is an existing session by that ID and processes accordingly.

You can store whatever you want in a session but the main purpose is to remember the user (browser) who has previously visited your site, whether it's about login, shopping cart, or other activities.

And that's why it is also important to protect the session ID from being intercepted by a hacker who will use it to identify himself as another user.
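The Set-Cookie / Cookie exchange this answer describes, as an added Python example built only on the standard library's http.cookies; it is not code from the answer. The cookie name sessionid, the ID value GNASHEU329 borrowed from the bank analogy above, the plain dict standing in for the server's session store and the request-handler shape are all assumptions made for the example. The cookie attributes (HttpOnly, Secure, SameSite, Max-Age) are the standard ones that limit what an intercepted or script-read ID can be used for, and the last function is a check a defender can run over a server's own Set-Cookie output.

```python
from http.cookies import CookieError, SimpleCookie
from typing import Optional

COOKIE_NAME = "sessionid"   # assumed cookie name


def build_set_cookie(sid: str, max_age: int = 1800) -> str:
    """Value of the Set-Cookie response header that hands the session ID to the browser."""
    jar = SimpleCookie()
    jar[COOKIE_NAME] = sid
    morsel = jar[COOKIE_NAME]
    morsel["path"] = "/"
    morsel["max-age"] = max_age   # the browser drops it too, not only the server
    morsel["httponly"] = True     # scripts running in the page cannot read the ID
    morsel["secure"] = True       # the browser only sends it over HTTPS
    morsel["samesite"] = "Lax"    # not attached to most cross-site requests
    return morsel.OutputString()


def session_id_from_request(headers: dict[str, str]) -> Optional[str]:
    """Extract the session ID the browser echoes back in the Cookie request header."""
    lowered = {name.lower(): value for name, value in headers.items()}
    raw = lowered.get("cookie")
    if not raw:
        return None
    jar = SimpleCookie()
    try:
        jar.load(raw)
    except CookieError:           # malformed header: treat as no cookie at all
        return None
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel else None


def handle_request(headers: dict[str, str],
                   sessions: dict[str, dict]) -> tuple[int, str]:
    """Server side of a later request: look the echoed ID up in the session store."""
    sid = session_id_from_request(headers)
    data = sessions.get(sid) if sid else None
    if data is None:              # unknown, forged or expired ID: nobody
        return 401, "not logged in"
    return 200, f"hello {data['username']}"


def set_cookie_is_hardened(header_value: str) -> bool:
    """Defender's check: does a Set-Cookie value carry the flags a session cookie needs?"""
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in header_value.split(";")[1:]}
    return {"httponly", "secure", "samesite"} <= attrs


if __name__ == "__main__":
    # Constructed exchange: the login response sets the cookie ...
    sid = "GNASHEU329"
    sessions = {sid: {"username": "rasmus"}}
    print("Set-Cookie:", build_set_cookie(sid))
    # ... and the browser echoes it back on the next request.
    print(handle_request({"Cookie": f"{COOKIE_NAME}={sid}; theme=dark"}, sessions))
    print(handle_request({}, sessions))
```

The server stores nothing but the ID in the browser; the Cookie header on the next request is parsed, the ID is looked up, and everything else about the user comes from the server-side record. A request carrying an ID the store does not know gets the same answer as one carrying no cookie at all.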

By reading about Cookies, you will get the idea of session: ( https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies )

Excerpt from MDN:

Cookies are mainly used for three purposes:

Session management

    Logins, shopping carts, game scores, or anything else the server should remember
Personalization

    User preferences, themes, and other settings
Tracking

    Recording and analyzing user behavior

Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you republish, please cite this site or the original source.

© 2020-2024 STACKOOM.COM