what is jsessionid

jsessionid is a Cookie. You can pass "session id" by adding ";jsessionid=xxx" after the URL; the Servlet container is used to record the user session and will be automatically created when we create a reply. Use To record user access records.

First of all, JSESSIONID is a Cookie, which is used by the Servlet container (tomcat, jetty) to record user sessions.

When to plant JSESSIONID

When creating a session, that is, when request.getSession() is called, there is no information about getSession. said. A few additional points are that accessing html will not create a session. JSP pages will create sessions by default. You can turn off automatic session creation in the JSP page.

JSESSIONID working principle:

URL rewriting

The server creates a session in memory and requires a cookie. In addition to setting Set- in the request header In addition to cookies, containers such as tomcat have a URL rewriting mechanism. This mechanism is a cover-up strategy when the client cookie is unavailable. By adding; jsessionid=xxx after the URL, the session id is passed, so that the availability of the session can be guaranteed even when the cookie is unavailable. However, the session is exposed in the URL and itself is It’s not safe. The basic online opinions here are consistent

But the most critical question is, how does tomcat know that the client cookie is not available. I imported tomcat's source code debugging trace in idea. There are some differences in different versions, but it should be roughly the same.

Tomcat has a org.apache.catalina.connector.Response which is the implementation class of Response. There are two methods to do it. URL rewriting, respectively, encodeRedirectURL and encodeURL, encodeRedirectURL will be called when redirecting, encodeURL seems to be called manually, so by default, URL rewriting will only occur when redirecting. The codes of the two methods are similar. The following only focuses on encodeRedirectURL

/**
     * Encode the session identifier associated with this response
     * into the specified redirect URL, if necessary.
     *
     * @param url URL to be encoded
     * @return true if the URL was encoded
     */
    @Override
    public String encodeRedirectURL(String url) {
        if (isEncodeable(toAbsolute(url))) {
            return (toEncoded(url, request.getSessionInternal().getIdInternal()));
        } else {
            return (url);
        }
    }

. The method comments are clearly written. If necessary, insert the session id into the redirected URL. Let’s take a look at the isEncodeable method again. I added Chinese comments

/**
     * Return true if the specified URL should be encoded with
     * a session identifier.  This will be true if all of the following
     * conditions are met:
     * 

     * 
The request we are responding to asked for a valid session
     * 
The requested session ID was not received via a cookie
     * 
The specified URL points back to somewhere within the web
     *     application that is responding to this request
     * 
     *
     * @param location Absolute URL to be validated
     * @return true if the URL should be encoded
     */
    protected boolean isEncodeable(final String location) {
        if (location == null) {
            return false;
        }
        // Is this an intra-document reference?
        if (location.startsWith("#")) {
            return false;
        }
        // Are we in a valid session that is not using cookies?
        final Request hreq = request;
        final Session session = hreq.getSessionInternal(false);
        if (session == null) {
            return false;
        }
        //这里其实就是网上说的客户端禁用Cookie
        if (hreq.isRequestedSessionIdFromCookie()) {
            return false;
        }
        // Is URL encoding permitted
        // servlet3.0后可以在项目web.xml里关掉URL重写，对应tomat7之后
        if (!hreq.getServletContext().getEffectiveSessionTrackingModes().
                contains(SessionTrackingMode.URL)) {
            return false;
        }
        if (SecurityUtil.isPackageProtectionEnabled()) {
            return (
                AccessController.doPrivileged(new PrivilegedAction() {
                @Override
                public Boolean run(){
                    return Boolean.valueOf(doIsEncodeable(hreq, session, location));
                }
            })).booleanValue();
        } else {
            //这个方法会重写URL
            return doIsEncodeable(hreq, session, location);
        }
    }

in key places, which calls isRequestedSessionIdFromCookie of the Request object to determine whether the client cookie is available. The logic inside is also very simple, which is to read whether the JSESSIONID cookie is passed in the request. . So some people on the Internet say that it is the first time to visit. In fact, as long as the client does not pass JSESSIONID, tomcat assumes that the cookie is not available

The above is the detailed content of what is jsessionid. For more information, please follow other related articles on the PHP Chinese website!