Detailed explanation of Java servlet graphic code on the working principle of session

This article mainly introduces the working principle of servlet session. The editor thinks it is quite good. Now I will share it with you and give it as a reference. Let’s follow the editor to take a look

To understand the underlying working principle of Session. Let’s first look at the situation where the same browser accesses multiple web resources during a session. It can be roughly divided into the following steps:

1. The browser accesses a certain Servlet. , at this time, if the server wants to obtain the Session object from the request object (the first acquisition is also created), then the server will create an id for this Session object: JSESSIONID

2, and at the same time, the browser During the response process, this Session will send the id JSESSIONID back to the client browser in the form of a cookie. Remember, the cookie server does not have a valid time set at this time, so it is stored in the browser's cache, not in the hard disk file.

3. When the user continues to access other Servlets during this session, the Servlet will obtain the Session object from the request object. Note that obtaining the Session object at this time is a request sent from the browser. Query whether there is a cookie named JSESSIONID. If there is, then the Session does not need to be created again, but directly queries the Session with the same JSESSIONID value in the server. In other words, the data that previously existed in the Session can be obtained.

In summary, Session is based on Cookie.

(Note: Cookies are not omnipotent. Session first relies on cookies, but sometimes cookies cannot be used. At this time, Session will check whether the URL address sent by the request has JSESSIONID.)

Session’s hidden cookies, we can do a small experiment to verify it. Create two Servlets under the [myservlet] web project, named SessionDemo1 and SessionDemo2 respectively:

The code in SessionDemo1 is:

##

   HttpSession session = request.getSession();
   String data = "Message from SessionDemo";
   session.setAttribute("data", data);

The code in SessionDemo2 is:

   HttpSession session = request.getSession();
   System.out.println((String)session.getAttribute("data"));

We are here Open HttpWatch in the browser to access SessionDemo1. Since this is the first time to access the Servlet, check the response from SessionDemo1 to the browser:

The server sends it back to the browser There is a cookie with this JSESSIONID name. At this time, if we access SessionDemo2 in the opened browser, then observe the content of the request packet in HttpWatch and find:

When accessing the server again, the browser will bring this cookie named JSESSIONID to the server. The server uses the JSESSIONID value in this cookie to find the Session previously created for the browser in the server.

If we close the browser, since this cookie does not have "setMaxAge" set, this cookie only exists in the browser's buffer and will be destroyed when the browser is closed. If we want the Session to still exist after closing the browser, we must manually overwrite the Session cookie and set the validity time and effective path of the override cookie.

The value of this cookie, which is the value of JSESSIONID, can be obtained through the getId() method of Session.

1, override valid time:

Note that after the server creates a Session for the browser, it will not be operated by the user. It will be maintained for 30 minutes by default next time (or after the browser is closed). This can be seen from Tomcat's [web.xml] file:

Of course, we can also modify the server's default destruction of no-operation Session from here. time.

Of course, if we do not want to globally set the destruction time of Session in all servers, we can customize 2154b31975826eec7c9ecbf8f296fb33 and 5c4fd042cdc201e4b91ff27da471017b to set.

Note: We can also destroy a Session immediately through the invalidate() method of the Session object.

In this regard, if we want to overwrite a Session cookie and save it in a hard disk file, the cookie validity time we set should not exceed the server's default session-timeout time.

2, overwrite the effective path:

#If we create a Cookie object and do not set "setPath", then the effective path of the Cookie is to create The cookie's program (usually a Servlet), that is, the browser will carry the cookie with it only when this program is accessed. That is really "unconnected", and the Session cannot be used to access other resources of this web application.

Let’s take a look at the effective path of the cookie in the Session created by the server for the browser when the Servlet was accessed for the first time:

可以看到这个服务器默认将JSESSIONID这个cookie的有效路径设置为创建这个Session的web工程根目录。所以我们要覆盖Session中的cookie时也应该设置路径为该web工程根目录。

好，接下来对上面那个Servlet的例子进行改造，我们只需要在SessionDemo1中修改就行，因为这个首次将Session的cookie返回给客户端，修改后代码如下：

   HttpSession session = request.getSession();
   String data = "Message from SessionDemo";
   session.setAttribute("data", data);
     
   Cookie cookie = new Cookie("JSESSIONID", session.getId());
   cookie.setMaxAge(30*60);
   cookie.setPath("/myservlet");
   response.addCookie(cookie);

这样，当我们打开浏览器访问了SessionDemo1之后，就能在存放cookie的目录中找到该cookie，如果我们通过HttpWatch来查看可以看到重名的这个cookie：

虽然JSEESIONID这个cookie重名了，没有关系，因为其值都是一样的，并且如果我们将浏览器关闭后，没有设置cookie有效时间的（也是原先Session发来的）cookie将不复存在(存在浏览器缓存中，浏览器关闭就被销毁)，这时重新打开一个浏览器，再去访问SessionDemo2依然能获取到原来Session中保存的内容：

注意，这是另外打开浏览器窗口访问的SessionDemo2！！另附：

通过这里我们可以看到，我们人为地将原先Session定义的cookie给替换了，而Session并不知道，只要能获得“JSESSIONID”这个cookie，它就认为cookie是存在的，可以从这个cookie中id值获取以前保存的信息，因此我们实现了一台主机共享一个Session，此时，当浏览器关闭，或者说结束一个会话后，依然能获取Session来获取之前保存的数据。

The above is the detailed content of Detailed explanation of Java servlet graphic code on the working principle of session. For more information, please follow other related articles on the PHP Chinese website!