What is jsp/servlet session

The whole process from the client opening a connection to the server, making a request until the server responds to the client's request is called a session.

Recommended course: Java Tutorial.

The communication between the browser and the server is through the HTTP protocol, and the HTTP protocol is a "stateless" protocol. It cannot save customer information, that is, The connection is disconnected after a response is completed, and the next request needs to be reconnected. When a user switches between multiple pages on the same website, it is impossible to determine whether it is the same customer. Session tracking technology can achieve this requirement. .

Cookie

When the server responds to a request, it can save some data on the client in the form of "key-value" pairs through the response information. When the browser accesses the same application again, the original cookie with the session ID will be brought to the server through request information. The network server represents each client by identifying the unique session ID, thereby identifying the next step of this client. request.

Cookie is not a built-in object, you need to create an instance of Cookie yourself. It is a piece of text information written by the server to the client. This information can be modified, so generally the cookie will store some non-sensitive information. When the client requests the server again, the cookie will be sent to the server in the form of a request header. At this time, the server can distinguish who is accessing.

Cookies used for session tracking are called session cookies. The cookie name for session tracking in the Servlet specification must be JSESSIONID, which is stored in the browser's memory.

Cookies can be used to maintain the user's session state, but cookie information is stored on the client, which poses a major security risk, and general browsers have strict limits on the number of cookies and data size. In Web applications, generally the session state is maintained through the HttpSession object

Cookie cookie = new Cookie("键", "值");       //创建cookie
cookie.setMaxAge(60*60*24);                 //设置cookie的有效期
cookie.setPath("/");                        //设置cookie的有效范围（路径）
response.addCookie(cookie);                 //将cookie写入到客户端

Session

Session is stored on the server side, which is more secure. Each user has a different session, which cannot be shared between users.

Session relies on Cookie. If Cookie is disabled, the session will also be invalid.

Session technology is a server-side solution, which maintains state through the server. In Java it is created by calling the getSession method of HttpServletRequest (using true as parameter). When creating a Session, the server will generate a unique Session id for the Session, and this Session id will be used to regain the created Session in subsequent requests; after the Session is created, you can call the Session-related The method adds content to the Session, and these contents will only be saved in the server, and only the Session id is sent to the client; when the client sends a request again, it will bring this Session id, and the server will Find the corresponding Session based on the Session id and use it again. By formalizing such a process, the user's status is maintained.

session.setAttribute(String name,Object obj);       //往session中存放内容（通过键和值的形式）
session.getAtrribute(String name);                  //通过键从session中获取内容
session.removeAttribute(String name);               //把存储在session中的对象移除
session.invalidate();                               //销毁session

Hidden form field

Hidden form field is to add the session ID to the hidden form of HTML (type hidden input). Redirection and forwarding

Transmit information through . It is submitted to the server through a form, but does not display itself.

For example, the second form obtains the content of the first form, accepts the content of the first form as a hidden field (text box type is hidden), and passes it to the third form again. middle. In layman's terms, the order of requests is as follows: Form 1 - - > Form 2 - - > Form 3. However, Form 3 needs to use the content submitted by Form 1, so Form 2 will be needed as a transition. The content is saved as a hidden field before being passed to form three.

Rewrite URL

Encode the session ID in the URL. Example: counter.jjsp;jsessionnid=be8d697876787876befdbde898789098980 In this way, session tracking can be achieved even if the browser does not support cookies.

For URL replication, the server extracts the session ID from the requested URI and associates the request with the corresponding session. Then when accessing the session data, the JSP page is processed in the same way as using Cookies track session IDs in exactly the same way. Therefore, the implementation of session depends on cookie or URL copying technology.

String sessionId = request.getRequestedSessionId();     //获得sessionId

Implement URL value rewriting through the encodeURL (StringURL) of the response object:

<a href="<%=response.encodeURL("index.jsp") %>"> 
    index页面</a>

This method will automatically determine whether the client supports Cookie. If the client supports cookies, the URL will be output intact. If the client does not support cookies, the encodeURL() method will be called and the user's Session ID will be automatically rewritten into the URL. The output after rewriting may be like this:

a href="index.jsp?jsessionid=0E0C61100AEB06DE6A95EB1CD1DA8158">index页面</a>

The HttpServletResponse interface defines two methods for URL rewriting:

encodeURL method, used for hyperlinks Rewrite the URL set in the action attribute of the form form

encodeRedirectURL method is used to rewrite the URL passed to the HttpServletResponse.sendRedirect() method

They decide whether to perform url rewriting based on whether the request message contains the Cookie header field. By passing the URL as a parameter to these two methods, they can complete the url rewriting and add the jsessionid parameter and its value after the url. You can turn off the browser's cookies, and then conduct an experiment to check whether there is a jsessionid parameter and its value behind the URL in the web page source file.

The above is the detailed content of What is jsp/servlet session. For more information, please follow other related articles on the PHP Chinese website!