Session Introduction
A session refers to the interaction process between a user using the same browser process and a web application over a period of time.
Sessions are usually used to track the user's status and cache the user's information in this browser process.
When the user closes the browser, the previous session cannot be obtained again (the case where the maxAge of the cookie is -1). Open a new browser again and a new session will begin.
The relevant type is javax.servlet.http.HttpSession. Each HttpSession represents one session of the user.
The expiration time of each session is 30 minutes by default.
When the browser first accesses the server, no matter which page it visits first, the server assigns a unique session identifier to the user, that is, a jsessionid, and returns it to the user in the form of a cookie.
The following figure is a response header (the following figure is based on Servlet 3.0, and there is no HttpOnly attribute in Servlet 2.5)
The server creates a session for each user, namely the HttpSession object, and saves it on the server side.
So, when the user accesses the server again, how does the server recognize the current user?
When the browser accesses the server again, it will carry a cookie containing jsessionid to access the server. The server returns the HttpSession object of this user based on this id, and maintains the session.
(So, is it possible to implement the same session on different browsers?
Here is a typical URL, which has a certain spoofing effect and can implement the same session on different browsers:
http://localhost:8080/day07_2/CNCookieServlet;jsessionid=F8692D61CD46D094DBB7A8FC7387649C )
The relationship between the browser and the server is as follows:
HttpSession:
In a Servlet, the session object is obtained through the HttpServletRequest.getSession method.
The following methods of the HttpSession interface are used to share data session-wide:
getAttribute("name")
setAttribute("name", object)
getAttributeNames()
removeAttribute("name")
invalidate() - This method forcibly deletes the session cached on the server.
Example:
Call setAttribute on the HttpSession in one servlet.
Go to another servlet via a hyperlink, or in some other way, and display the information via getAttribute.
Call getAttribute in any servlet to display information.
Close this browser and revisit the servlet that gets information, and you will find that there is no information anymore.
as follows:
String name = request.getParameter("name");
request.setAttribute("name", "request---" + name);
request.getSession().setAttribute("name", "session---" + name);
getServletContext().setAttribute("name", "application---" + name);

The unique identifier of the Session:
Each session has a unique identifier, namely an ID.
When the browser obtains a new session, the ID value can be printed out through session.getId().
As long as the browser is not closed, navigating across multiple pages uses the same session.
For example:
request.getSession().getId()
What is safe exit:
When a user exits, their information should be cleared from the session; that is a safe exit.
A safe exit clears the information you left on the server to prevent it from being hacked.
Session.invalidate();
1. request.getSession().invalidate();
This allows the corresponding objects in the session pool to be deleted.
2. Session.removeAttribute(…)
For example:
request.getSession().removeAttribute("realCode");
This deletes an attribute from the session object.
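A fuller logout than the one-line calls above, as an added example that is not part of the original article: it avoids creating a session just to destroy it and also expires the JSESSIONID cookie on the client. The class name SafeLogoutServlet is hypothetical, and the cookie path is assumed to be the context path, matching the cookie that the article's SaveServlet writes.

```java
package cn.hncu.servlets.session; // package name reused from the article

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical class: added example, not the article's LogoutServlet.
public class SafeLogoutServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getSession(false) returns null when there is no session,
        // instead of creating a fresh one only to invalidate it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate(); // removes the object from the server-side session pool
        }

        // Expire the session cookie in the browser. A cookie is only replaced
        // when name and path match, so the path assumed here is the context
        // path (the value SaveServlet uses in this article).
        Cookie expired = new Cookie("JSESSIONID", "");
        String path = request.getContextPath();
        expired.setPath(path.isEmpty() ? "/" : path);
        expired.setMaxAge(0);      // 0 tells the browser to delete the cookie now
        expired.setHttpOnly(true); // Servlet 3.0+
        response.addCookie(expired);

        response.setContentType("text/html;charset=utf-8");
        response.getWriter().println("Safe Exit...");
    }
}
```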
Track the session by rewriting the URL:
As mentioned earlier, the Servlet container first saves a SessionID on the client. Later, when the browser issues an HTTP request, it will contain this SessionID. The Servlet container reads the SessionID in the HTTP request and takes out the HttpSession object from the container based on this SessionID to facilitate tracking which session the HTTP request belongs to. This process is called session tracking.
If the browser supports cookies, the Servlet container saves the SessionID as a cookie on the browser's client. But if the user disables cookies for security reasons, how can the Servlet container track the session?
First let's disable cookies in IE (note: it does not work for some GHOST systems).
IE>Tools>Internet Options>Privacy>Advanced, and then disable cookies:
We can add such a hyperlink to the homepage (the code for SaveServlet.java, GetServlet.java and LogoutServlet.java is given further below):

<h2>Demonstrate the rewrite url technology----Cracking the problem that our session is invalid after the user disables cookies</h2>
<form action="<%=response.encodeURL("saveServlet") %>" method="post">
    name:<input type="text" name="name"/><br/>
    <input type="submit"/>
</form>
<a href="<%=response.encodeURL("getServlet") %>">Rewrite url-read data in several containers</a><br/>
<a href="<%=response.encodeURL("logoutServlet") %>">Rewrite url-Safe Exit</a>

A line such as <form action="<%=response.encodeURL("/aa")%>"> is what implements this function.
After disabling cookies here, the browser can still receive cookies sent by the server, but the browser can only accept them and cannot send them to the server. If the cookies cannot be sent, it cannot go to the session pool to get the corresponding object.
After entering the desired value in the form, follow the getServlet hyperlink below it to see whether the input value can still be displayed. The answer is yes. The access path here looks like
http://localhost:8080/day07_2/CNCookieServlet;jsessionid=F8692D61CD46D094DBB7A8FC7387649C, where the jsessionid=F8692D61CD46D094DBB7A8FC7387649C at the end is the session id. In this way, you can access the same session by entering this URL in another browser.
Here I want to add one point. The behavior described below occurs because I write a cookie named JSESSIONID whose value is the id of the corresponding HttpSession object in the session pool. This cookie overwrites the one created by the system, so it is equivalent to one I created myself, and I set its lifetime to ten minutes. If it were not overwritten, the cookie would die when the browser is closed, and the following phenomenon would not occur.
The ids of the objects newly created in the session pool differ between the two cases (cookies disabled and cookies not disabled). That is, if you enter a name in the form while cookies are disabled, the query result is as follows:
And jsessionid is 2BB51EBDEAAF14D19656C71E1B6F9FF6
Then immediately switch to the mode where cookies are not disabled and enter another name such as Tom. The query result will naturally be two Tom, and jsessionid is
203F9E4DB5D874476B81DAF350661B6A, which is different from the id seen with cookies disabled; this is what makes the following results appear.
Then we close the browser, open it again, and view the access results with cookies not disabled, as follows:
I'll post the main code below:
SaveServlet.java
package cn.hncu.servlets.session;

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SaveServlet extends HttpServlet {

    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doPost(request, response);
    }

    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=utf-8");
        PrintWriter out = response.getWriter();
        request.setCharacterEncoding("utf-8");
        String name = request.getParameter("name");
        request.setAttribute("name", "request---" + name);
        request.getSession().setAttribute("name", "session---" + name);
        getServletContext().setAttribute("name", "application---" + name);

        // An example of combining cookie technology and session technology.
        // Function: after closing the browser, if the user returns to this site
        // within 10 minutes, he can still access the information in the session.
        // Write a cookie with the key "JSESSIONID" and the session id as its value to the client.
        Cookie c = new Cookie("JSESSIONID", request.getSession().getId());
        c.setMaxAge(60 * 10); // The phenomenon described above is caused by this line; without it, it does not occur
        c.setPath(request.getContextPath());
        response.addCookie(c);

        out.println("Save successfully...");
        out.flush();
        out.close();
    }
}

GetServlet.java
package cn.hncu.servlets.session;

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class GetServlet extends HttpServlet {

    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=utf-8");
        PrintWriter out = response.getWriter();
        out.println("<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">");
        out.println("<HTML>");
        out.println(" <HEAD><TITLE>A Servlet</TITLE></HEAD>");
        out.println(" <BODY>");

        // Read the same key from the three containers: request, session and application
        String reqName = (String) request.getAttribute("name");
        String seName = (String) request.getSession().getAttribute("name");
        String appName = (String) getServletContext().getAttribute("name");
        out.println(reqName + "<br/>");
        out.println(seName + "<br/>");
        out.println(appName + "<br/>");

        out.println(" </BODY>");
        out.println("</HTML>");
        out.flush();
        out.close();
    }
}

LogoutServlet.java
package cn.hncu.servlets.session;

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class LogoutServlet extends HttpServlet {

    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=utf-8");
        PrintWriter out = response.getWriter();
        // Safe exit: it is enough to invalidate the session object
        request.getSession().invalidate();
        out.println("Safe Exit...");
    }
}

The above is the introduction to JavaWeb Session management. I hope it will be helpful to you. If you have any questions, please leave me a message and I will reply in time!