Java EE session mechanism


HTTP protocol:

Before talking about sessions, we must first cover HTTP. HTTP is a request/response standard between a client and a server, carried over TCP. An HTTP client initiates a request by establishing a TCP connection to a specified port on the server (port 80 by default). The HTTP server listens on that port for requests sent by clients. Once a request is received, the server sends back to the client a status line, such as "HTTP/1.1 200 OK", and a response message whose body may be the requested file, an error message, or some other information.

That is, HTTP is a stateless protocol: it does not keep state between requests. The session mechanism therefore exists to preserve the identity of the browser a request comes from.

Session Technology:
1, what is a session?
A state management technique that maintains user state on the server side. The process is: when the browser sends a request to the server, the server creates an object (called the Session object).
The object has a unique ID number (called the SessionID), and by default the server uses cookie technology to send the SessionID to the browser.
The next time the browser visits the server, it sends the SessionID along. The server finds the corresponding Session object based on the SessionID (the user's state can be written to the Session object).
2, how do I create a Session object?
1), HttpSession session = request.getSession(); // the server creates a session object that conforms to the HttpSession interface
2), HttpSession session = request.getSession(boolean flag);
When flag is true:
The browser sends a request to the server. The server checks whether the request carries a SessionID; if not, it creates a Session object.
If it does, the result depends on whether the corresponding Session object still exists (the server may have deleted it, for example because it timed out): if it exists, it is returned; if it does not, a new object is created.
When flag is false:
The browser sends a request to the server. The server checks whether the request carries a SessionID; if not, it returns null.
If it does, the result depends on whether the corresponding Session object still exists (the server may have deleted it, for example because it timed out): if it exists, it is returned; if it does not, null is returned.
3), HttpSession session = request.getSession(); is equivalent to HttpSession session = request.getSession(true);
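The lookup rules above can be modelled in plain Java. This is an added illustration, not code from the original page and not how any particular container is implemented; the class name SessionTableDemo, its fields and the explicit clock argument are assumptions made so that the timeout case can be shown without waiting.

```java
import java.security.SecureRandom;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration: a toy model of the server-side session table, not container code.
public class SessionTableDemo {
    static class Session {
        final String id;
        final Map<String, Object> attrs = new HashMap<>();
        long lastAccess;
        Session(String id, long now) { this.id = id; this.lastAccess = now; }
    }

    private final Map<String, Session> table = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();
    private final long maxInactiveMs;

    SessionTableDemo(long maxInactiveMs) { this.maxInactiveMs = maxInactiveMs; }

    // requestedId: the SessionID the browser sent, or null if it sent none.
    Session getSession(String requestedId, boolean create, long now) {
        Session s = (requestedId == null) ? null : table.get(requestedId);
        if (s != null && now - s.lastAccess > maxInactiveMs) {
            table.remove(s.id);            // timed out: the server deletes the object
            s = null;
        }
        if (s != null) { s.lastAccess = now; return s; }
        if (!create) return null;          // flag == false: report "no session"
        byte[] raw = new byte[16];
        rng.nextBytes(raw);                // fresh random ID; the ID the client sent is never reused
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        Session fresh = new Session(id, now);
        table.put(id, fresh);
        return fresh;
    }

    public static void main(String[] args) {
        SessionTableDemo server = new SessionTableDemo(30 * 60 * 1000L); // 30 minutes
        long t = 0;                                                      // constructed clock
        System.out.println("no id, false   -> " + server.getSession(null, false, t));
        Session a = server.getSession(null, true, t);
        a.attrs.put("user", "alice");                                    // constructed sample value
        System.out.println("valid id       -> " + (server.getSession(a.id, false, t + 1000) == a));
        t += 31 * 60 * 1000L;                                            // past the timeout
        System.out.println("expired, false -> " + server.getSession(a.id, false, t));
        Session b = server.getSession(a.id, true, t);
        System.out.println("expired, true  -> new id? " + !b.id.equals(a.id));
    }
}
```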
3, frequently used session methods
session.setAttribute(String name, Object obj);
Object session.getAttribute(String name); // the result usually needs to be cast after retrieval
session.removeAttribute(String name); // remove an attribute
String session.getId();
4, set the maximum inactivity time of the session
session.setMaxInactiveInterval(int seconds);
session.invalidate(); // invalidate it immediately
5, use a configuration file to set the session expiration time
Mode one: set the expiration time for the entire server, which affects all applications on the server. The Tomcat default is 30 minutes.
TOMCAT_HOME/conf/web.xml
<session-config>
    <session-timeout>30</session-timeout>
</session-config>
Mode two: configure the expiration time for a specific application
Only that application's web.xml needs to be changed
<session-config>
    <session-timeout>30</session-timeout>
</session-config>
6, Examples:
A, session validation for pages to be protected
Validation of the session:
1, after a successful login, bind the data to the session as an attribute
<%
session.setAttribute("user", user);
%>
2, add session validation code to each page you want to protect
<%
Object obj = session.getAttribute("user");
if (null == obj) {
    response.sendRedirect("login.jsp");
    return; // stop rendering the protected page after the redirect
}
%>
3, for security reasons (sometimes the browser is not closed and the session is still there), provide a safe exit
HttpSession session = request.getSession();
session.invalidate(); // invalidate the session
response.sendRedirect("login.jsp");
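The three steps above, gathered into one servlet filter so the check is not pasted into every JSP. This is an added example, not code from the original page; the class name LoginCheckFilter and the helper names onLoginSuccess and logout are assumptions, and the filter is assumed to be mapped to the protected URLs in web.xml. It goes one step beyond the page: on login it replaces the pre-login session, so a SessionID issued before authentication is not carried into the logged-in state.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (hypothetical class): central session validation for protected pages.
public class LoginCheckFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) rq;
        HttpServletResponse response = (HttpServletResponse) rs;
        // getSession(false): do not create a session just to find out nobody is logged in
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;                          // the protected resource must not run
        }
        chain.doFilter(rq, rs);              // logged in: continue to the page
    }

    // Step 1: call only after the credentials have been verified.
    static void onLoginSuccess(HttpServletRequest request, Object user) {
        HttpSession old = request.getSession(false);
        if (old != null) old.invalidate();   // discard the pre-login SessionID
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute("user", user);
    }

    // Step 3: safe exit. Only an existing session is invalidated; none is created.
    static void logout(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false);
        if (session != null) session.invalidate();
        response.sendRedirect(request.getContextPath() + "/login.jsp");
    }
}
```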
B, Shopping cart
Product: a product
long id,
String model,
String picName,
String proDesc,
double price;
CartItem: an item in the cart
Product product,
int quantity;
Cart: the shopping cart
List<CartItem> items,
boolean add(CartItem item),
List<CartItem> list(),
delete(long id),
clear(),
modify(long id, int quantity),
double cost();
7, suppose the user disables cookies: how can the session mechanism be implemented? (How to implement SessionID tracking)
Use the URL rewriting mechanism:
Suppose the Web component (JSP or Servlet) to be visited requires the session mechanism (it uses the session object),
but the browser does not accept cookies. Then the component's address cannot be entered directly in the address bar;
instead, use an address generated by the server (the address will carry the SessionID).
How do I generate an address that carries the SessionID?
A. For links and form submissions, use response.encodeURL("URL address").
For example: <a href="<%=response.encodeURL("url")%>"></a>
B. For redirection, use response.encodeRedirectURL("URL address").
For example: response.sendRedirect(response.encodeRedirectURL("URL address"));
C. For forwarding, nothing needs to be done: the jump happens inside the server and does not involve the browser.
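Because a rewritten address carries the SessionID, every place that records the URL (access logs, Referer headers) records the SessionID as well. The following added example, which is not part of the original page, scrubs such IDs from log lines before they are stored or shared; it assumes the servlet default parameter name jsessionid, and the class name SessionIdRedactor and the sample log lines are constructed.

```java
import java.util.*;
import java.util.regex.*;

// Added example (hypothetical class): redact rewritten-URL session IDs in log lines.
public class SessionIdRedactor {
    // Path parameter appended by URL rewriting; the value ends at the next
    // ';', '?', '#', '/', double quote or whitespace.
    private static final Pattern REWRITTEN =
        Pattern.compile("(?i)(;jsessionid=)[^;?#/\\s\"]+");

    static String redact(String line) {
        return REWRITTEN.matcher(line).replaceAll("$1[REDACTED]");
    }

    static boolean carriesSessionId(String line) {
        return REWRITTEN.matcher(line).find();
    }

    public static void main(String[] args) {
        // Constructed access-log lines; addresses, paths and IDs are made up.
        List<String> log = Arrays.asList(
            "192.0.2.10 - - \"GET /shop/cart.jsp;jsessionid=4F9A1C0DE2B7 HTTP/1.1\" 200 \"-\"",
            "192.0.2.11 - - \"GET /shop/list.jsp?page=2 HTTP/1.1\" 200 \"-\"",
            "192.0.2.12 - - \"GET /img/a.png HTTP/1.1\" 200 "
                + "\"http://shop.example/cart.jsp;jsessionid=77AB03?x=1\"");
        int hits = 0;
        for (String line : log) {
            if (carriesSessionId(line)) hits++;   // count lines that exposed an ID
            System.out.println(redact(line));     // emit the scrubbed line
        }
        System.out.println(hits + " of " + log.size() + " lines carried a SessionID");
    }
}
```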

Session mechanism schematic diagram:

Source: http://blog.sina.com.cn/s/blog_6c21f6480100vllc.html
