Solve the problem of J2EE-session failure after browser is closed

A few days ago, when I was working on a check-in system, I encountered a popular session problem. The project is Spring+SpringMVC+Mybatis framework, the javaweb-side system of maven management directory. For some issues of session, the following analysis is made. Here, we focus on the issue of session life cycle. As for other definitions, we will not explain:

First, let’s explain the life cycle of the session:

Storage: Session is stored on the server side. Generally, in order to prevent it from being stored in the server memory (for high-speed access), Sessinon is created when the user accesses the server for the first time. It is necessary to note that the Session will be created only when accessing JSP, Servlet and other programs. Only accessing static resources such as HTML and IMAGE will not create a Session. In a javaweb application, you can call request.getSession(boolean xxx) to generate a Session. Note that when the boolean parameter is true, a new session is forced to be generated here.

1.session expiration time:

The session expires after the last time the session was used reached the set failure time.

2. Another method session.invalidate() is executed, which actively makes the session invalid.

For invalidation time, you can define it by configuring properties in web.xml:

 <session-config> <session-timeout>Expiration time</session-timeout> </session-config>

The unit of failure time is minutes. If the session is valid for one day, it can be set to 60*24. When set to 0 or negative, the session is permanently valid. According to the definition of the failure time, it is easy to understand this situation.

Why does the session fail after the browser is closed?

• The session invalidation time is not set, and the default is that the browser is invalid after closing;
• Most session mechanisms use cookies in the process to save sessionid, that is, JSESSIONID. After the browser is closed, the process disappears and the cookies in the process disappear, and the sessionid will disappear.

Based on what is known, a simple example was written:

 @Controllerpublic class SessionTest { @RequestMapping("/sessionTest") public String sessionTest(HttpServletRequest request, HttpServletResponse response){ System.out.println("success!"); HttpSession session = request.getSession(); session.setMaxInactiveInterval(259200); request.setAttribute("creationtime",session.getCreationTime());//Creation time request.setAttribute("id",session.getId());//id request.setAttribute("max",session.getMaxInactiveInterval(-1));//Maximum failure time//Here, the priority of MaxInactiveInterval is higher than session-cofig in web.xml, and the unit is second request.setAttribute("lasttime",session.getLastAccessedTime());//Last usage time request.setAttribute("sessionTest",session);// System.out.println(session.getCreationTime());// System.out.println(session.getMaxInactiveInterval());// System.out.println(session.getLastAccessedTime()); return "page/showSession"; } <table cellpacing="0" cellpadding="0"> <tr><td>Creation time:</td><td>${creationtime}</td></tr> <tr><td>id:</td><td>${id}</td></tr> <tr><td>Maximum survival time:</td><td>${max}</td></tr> <tr><td>Last time used:</td><td>${lasttime}</td></tr> <tr><td>session:</td><td>${sessionTest}</td></tr> </table>

Analysis:

• The above code simulates a login situation. In the controller, an HttpSession object is created, which basically sets all parameters that can be set.
• However, after the browser is closed and you still need to log in again when you enter the main page again, it means that the browser has not received this session object again. We can search the local tomcat server in the settings of the chrome browser -> display advanced settings -> content settings of the privacy settings -> all cookies and website data to view the session stored this time, that is, a cookie named JSESSIONID. The situation is as follows
  

It can be seen that the invalidation time of the session is actually when the browser is closed, so only if the browser does not close and access again can you continue to use the login state. What does the invalidation time we set above represent?

A session was created between the browser and the server. Since the client did not interact with the server for a long time (hibernation time), the server destroyed this session. The previous session when the client interacted with the server again did not exist. My understanding is that the invalidation time only takes effect during a session. If the browser is closed and the session ends, the invalidation time is set to permanently valid, which is the moment when the browser is closed and the session is closed. To solve this problem, you can mix cookies with sessions. There is such a stupid way:

Actively add cookies to set the save directory and survival time

 public static void addCookie(String name, String value, int age, HttpServletResponse response) throws UnsupportedEncodingException { Cookie c = new Cookie(name, URLEncoder.encode(value, "utf-8")); c.setMaxAge(age); c.setPath(path); response.addCookie(c); }

When accessing again, use Cookie[] cookies = request.getCookies(); to traverse the cookies, obtain the desired cookie according to the name of the cookie, or it can be said to be a session. Finally, you get the desired result, and the session (the cookie named JSESSIONID) escapes from the browser's imprisonment.

Summarize

The above is the solution to the problem of J2EE-session failure after the browser is closed. I hope it will be helpful to everyone. If you have any questions, please leave me a message and the editor will reply to everyone in time. Thank you very much for your support to Wulin.com website!