Things about Cookie and Session in Java

高洛峰 (Original)
2017-01-18 14:32:06

Cookie and Session are both used to maintain the user's access state. They make business logic easier to implement, simplify server-side program design, and improve access performance. Cookie is a client-side (that is, browser-side) technology: once a cookie is set, it is included in every subsequent request to the server. Session is a server-side technology: the user's access information is stored on the server.

When Cookie is used to transmit information, the bandwidth it consumes grows as the number of Cookies and the number of visits increase. The biggest weakness of using Session to save information is that the information is not easy to share between multiple servers.

1 Cookie

In layman's terms, when a user accesses the server over HTTP, the server returns some key-value pairs to the client browser and attaches some restrictions to this data. If the restrictions are met, the previously set cookie key-value pairs are sent along the next time the user visits the server. When the user enters a URL, the browser looks on the local hard drive for a cookie associated with that URL. If the cookie exists, the browser sends it to the site with the page request.

Cookies are associated with the website, not with a specific page. Therefore, no matter which page in the site a user requests, the browser and server will exchange cookie information. When a user visits different sites, each site may send a cookie to the user's browser; the browser stores all cookies separately.

Cookie attributes

There are currently two versions of Cookie, Version 0 and Version 1. They are set through two different response headers, "Set-Cookie" and "Set-Cookie2" respectively.

Cookie 0 attribute value

Cookie 1 attribute value

Examples of using Cookies in Java

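import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// CookieServlet is an illustrative class name
public class CookieServlet extends HttpServlet {
    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
        response.setContentType("text/html;charset=utf-8");
        PrintWriter out = response.getWriter();
        Cookie[] cookies = request.getCookies(); // null when the request carries no cookies
        String name = getCookie(cookies, "name");
        if (name == null) {
            // First visit: ask the browser to store the cookie
            response.addCookie(new Cookie("name", "luoxn28"));
        } else {
            // Later visits: the browser sent the cookie back
            System.out.println(name);
        }
        out.println("hello world");
    }

    // Returns the value of the cookie named key, or null if it is absent
    public static String getCookie(Cookie[] cookies, String key) {
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                if (cookie.getName().equals(key)) {
                    return cookie.getValue();
                }
            }
        }
        return null;
    }
}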

Some precautions for using Cookies (taking Java as an example)

•The name and value of a created Cookie cannot contain non-ASCII characters. Chinese text can be encoded with URLEncoder; otherwise a java.lang.IllegalArgumentException will be thrown.

•When multiple name and value pairs are present, they are actually sent in the same "Cookie" header.

•Punctuation marks other than ";" can be saved in the value of a Cookie, but Chinese characters cannot. Garbled characters will appear when Chinese characters are saved.

Some limitations of Cookie

Cookie is a field in the HTTP header. HTTP itself places no restrictions on this field, but cookies are ultimately stored in the browser, and different browsers impose some limits on cookie storage, as shown in the following table:

[Table: cookie storage limits by browser]

If you try to store more cookies, the oldest cookie will be discarded.

2 Session

Session solves the problem that, as the number of cookies grows, the amount of data transmitted between the client and the server grows too. When the same client interacts with the server, it does not need to send back all cookie values every time; it only sends back one ID value. This ID is generated when the client accesses the server for the first time and is unique to each client. It is usually carried in the cookie named JSESSIONID.

How does Session work based on Cookie? It can be based on a URL path parameter, or it can be based on Cookie. If the cookies flag of the Context container has not been modified, Cookie-based sessions are supported by default. When the browser does not support the Cookie function, the browser will rewrite the user's SessionCookieName into the URL parameters requested by the user, in a form such as /path/Servlet;name=xxx;name2=xxx2?name3=xxx3. As for SessionCookieName: if the session-config configuration item is configured in web.xml, the name attribute under cookie-config is the value of SessionCookieName. If session-config is not configured, the default SessionCookieName is "JSESSIONID". Note that the cookie associated with the Session is no different from other cookies. If the client also supports Cookies, Tomcat will still parse the Session ID in the Cookie, and it will overwrite the Session ID in the URL.

How Session works

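With the Session ID, the server can create the HttpSession object. On the first call to request.getSession(), if there is no corresponding HttpSession object, a new one is created and added to the sessions container of org.apache.catalina.Manager. The Manager maintains the life cycle of all sessions: expired Sessions are reclaimed, and when the server shuts down, Sessions are serialized to disk. Note that each client corresponds to one Session object, and this object is what stores the Session values we create.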

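The StandardSession returned by request.getSession() always exists, even if the Session associated with this client has expired. If it has expired, a new one is created, but the Session values set previously are lost.

3 Security comparison of Cookie and Session

Cookie passes the saved data from the client to the server and from the server back to the client through HTTP headers. All of the data is stored in the client browser, where it can be accessed, and Cookies can even be added or modified through plug-ins, so the security of Cookie is relatively poor. In comparison, Session keeps the data on the server side, which is much more secure; the Cookie only needs to carry back a Cookie ID. Session is therefore better suited to storing user privacy data and important data.

Distributed Session framework

In large Internet applications, using Cookie alone or Session alone is not feasible. Cookie does solve the distributed deployment problem well: in a large Internet application system one application runs on hundreds of machines, and many different application systems work together. Because Cookie stores the data in the user's browser and the user brings that data back to the server on every visit, it solves the problem of Cookie inconsistency caused by the same user's requests being handled on different servers.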

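Because the application is a cluster, Sessions cannot all be kept in the memory of each server. If each server has hundreds of thousands of visiting users, server memory cannot hold them, and even if it could, there is no guarantee that a Session is synchronized to the other servers. Sharing these Sessions therefore requires storing them in a dedicated distributed cache that can be read and written at any time and performs well enough to meet the requirements. memcache/redis or Taobao's open source distributed framework Tair are all good choices.

Duplicate form submission problem

Many places on a website suffer from duplicate form submission. To prevent it, each of the user's requests must be identified so that every request is unique to the server. To identify each request, a hidden field can be added to the form the user requests, whose value is a unique token, for example: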

<form id="form" method="post">
...
<input type=hidden name="token" value="xxx"/>
</form>

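A unique token is generated when the user requests the form and is stored in that user's Session. When the user submits, the server checks whether the submitted token matches the token saved in the Session. If it matches, the submission is not a duplicate, and the token in the Session is updated to a new token value; otherwise the submitted token is no longer the valid token for the current request, and the submission fails.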
