##6.1 Session and cookies Session and cookies are two common concepts in web browse, also they are very easy to misunderstand, but they are extremely important in authorization and statistic pages. Let's comprehend both of them.
Suppose you want to crawl a limited access page, like user home page in twitter. Of course you can open your browser and type your user name and password to log in and access those information, but so-called "crawl" means we use program to simulate this process without human intervene. Therefore, we have to find out what is really going on behind our actions when we use browsers to log in.
When we get log in page, and type user name and password, and press "log in" button, browser send POST request to remote server. Browser redirects to home page after server returns right respond. The question is how does server know that we have right to open limited access page? Because HTTP is stateless, server has no way to know we passed the verification in last step. The easiest solution is append user name and password in the URL, it works but gives too much pressure to server (verify every request in database), and has terrible user experience. So there is only one way to achieve this goal, which is save identify information either in server or client side, this is why we have cookie and session.
cookie, in short it is history information (including log in information) that is saved in client computer, and browser sends cookies when next time user visits same web site, automatically finishes log in step for user.
Figure 6.1 cookie principle.
session, in short it is history information that is saved in server, server uses session id to identify different session, and the session id is produced by server, it should keep random and unique, you can use cookie to get client identity, or by URL as arguments.
Figure 6.2 session principle.
##Cookie Cookie is maintained by browsers and along with requests between web servers and browsers. Web application can access cookies information when users visit site. In browser setting there is one about cookies privacy, and you should see something similar as follows when you open it:
Figure 6.3 cookie in browsers.
Cookie has expired time, and there are two kinds of cookies based on life period: session cookie and persistent cookie.
If you don't set expired time, browser will not save it into local file after you close the browser, it's called session cookies; this kind of cookies are usually saved in memory instead of local file system.
If you set expired time (setMaxAge(606024)), browser will save this cookies in local file system, and it will not be deleted until reached expired time. Cookies that is saved in local file system can be shared in different processes of browsers, for example, two IE windows; different kinds of browsers use different process for handling cookie that is saved in memory.
##Set cookies in Go
Go uses function SetCookie in package net/http to set cookie:
http.SetCookie(w ResponseWriter, cookie *Cookie)w is the response of the request, cookie is a struct, let's see how it looks like:
type Cookie struct {
Name string
Value string
Path string
Domain string
Expires time.Time
RawExpires string
// MaxAge=0 means no 'Max-Age' attribute specified.
// MaxAge<0 means delete cookie now, equivalently 'Max-Age: 0'
// MaxAge>0 means Max-Age attribute present and given in seconds
MaxAge int
Secure bool
HttpOnly bool
Raw string
Unparsed []string // Raw text of unparsed attribute-value pairs
}Here is an example of setting cookie:
expiration := *time.LocalTime()
expiration.Year += 1
cookie := http.Cookie{Name: "username", Value: "astaxie", Expires: expiration}
http.SetCookie(w, &cookie)
##Get cookie in Go The above example shows how to set cookies, let's see how to get cookie:
cookie, _ := r.Cookie("username")
fmt.Fprint(w, cookie)Here is another way to get cookie:
for _, cookie := range r.Cookies() {
fmt.Fprint(w, cookie.Name)
}As you can see, it's very convenient to get cookie in request.
##Session Session means a series of actions or messages, for example, your actions from pick up your telephone to hang up can be called a session. However, session implied connection-oriented or keep connection when it's related to network protocol.
Session has more meaning when it hits web development, which means a solution that keep connection status between server and client, sometimes it also means the data storage struct of this solution.
Session is the server side mechanism, server uses something like (or actually) use hash table to save information.
When an application need to assign a new session for the client, server should check if there is any session for same client with unique session id. If the session id has already existed, server just return the same session to client, create a new session if there is no one for that client (it usually happens when server has deleted corresponding session id but user append ole session manually).
The session itself is not complex, but its implementation and deployment are very complicated, so you cannot use "one way to rule them all".
##Summary In conclusion, the goal of session and cookie is the same, they are both for overcoming defect of HTTP stateless, but they use different ways. Session uses cookie to save session id in client side, and save other information in server side, and cookie saves all information in client side. So you may notice that cookie has some security problems, for example, user name and password can be cracked and collected by other sites.
There are two examples:
- appA setting unexpected cookie for appB.
- XSS, appA uses JavaScript
document.cookieto access cookies of appB.
Through introduction of this section, you should know basic concepts of cookie and session, understand the differences between them, so you will not kill yourself when bugs come out. We will get more detail about session in following sections.
##Links
- Directory
- Previous section: Data storage and session
- Next section: How to use session in Go