How is HttpSession implemented in Java?

Source: Internet
Author: User

The HTTP protocol (http://www.w3.org/Protocols/) is a "one-way" protocol.
The server cannot actively connect to the client; it can only wait passively and reply to client requests. The client connects to the server and issues an HTTP request, the server processes the request and returns an HTTP response to the client, and that ends the HTTP request-response cycle.
As we can see, the HTTP protocol itself does not support saving client state information on the server side. For this reason, web servers introduce the concept of a session to hold the client's state information.
A vivid metaphor explains how the session works. Suppose the web server is a store's luggage storage room and an HTTP request is a customer. The first time the customer comes to the storage room, the administrator puts the customer's belongings in a cabinet (the cabinet is equivalent to a session) and gives the customer a number card as a claim voucher (the number is the session ID). The next time the customer (HTTP request) comes in, they hand the number card (session ID) to the administrator of the storage room (web server). The administrator finds the corresponding cabinet (session) according to the number card (session ID). According to the customer's request (HTTP request), the web server can remove, replace or add items in the cabinet (session); the web server can also invalidate the customer's number card and the cabinet (session) that goes with it. The customer (HTTP request) is very forgetful, so every time the customer goes back (HTTP response) the administrator reminds them again to remember their number (session ID). The next time the customer (HTTP request) comes in, they come back with the number card.
We can see that the session ID is actually transmitted between the client and the server via the HTTP request and the HTTP response.
The number card (session ID) must therefore be included in the HTTP request. For the exact format of the HTTP request, see the HTTP protocol (http://www.w3.org/Protocols/); here is a brief introduction. In a Java web server (that is, a Servlet/JSP server), the session ID is represented by jsessionid (see the Servlet specification).
An HTTP request is typically made up of 3 parts:
(1) Request line
This line consists of the HTTP method (such as GET or POST), the URL, and the HTTP version number.
For example:
GET http://www.w3.org/pub/WWW/TheProject.html HTTP/1.1
GET http://www.google.com/search?q=Tomcat HTTP/1.1
POST http://www.google.com/search HTTP/1.1
GET http://www.somsite.com/menu.do;jsessionid=1001 HTTP/1.1

(2) Request Headers
This section defines some important header information, such as the type of browser, language, and type. A cookie can also be included in the request headers. For example:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Accept-Language: en-us
Cookie: jsessionid=1001

(3) Message Body
If the HTTP method is GET, the message body is empty.
If the HTTP method is POST and the HTTP request is the result of submitting an HTML form, the message body contains the input fields defined inside the HTML form. For example:
user=guest
password=guest
jsessionid=1001
Note that if you change the method attribute of the HTML form element to GET, the message body is empty and all the input fields are appended to the URL. You will see them in the URL address bar of your browser, similar to:
http://www.somesite/login.do?user=guest&password=guest&jsessionid=1001

Theoretically, any of these 3 parts (request URL, Cookie header, message body) can be used to hold the session ID. Because the message body method requires an HTML form containing the session ID, this method is not generic.
There are two common ways to implement a session:
(1) URL rewriting.
When the web server returns a response, it checks all URLs on the page, including all links and the action attribute of HTML forms, and appends ";jsessionid=xxx" to them.
The next time the user accesses a URL on this page, the jsessionid is passed back to the web server.
(2) Cookies.
If the client supports cookies, the web server adds a "Set-Cookie: jsessionid=xxxx" header to the header section of the response, putting the jsessionid in a cookie and sending it to the client.
The client stores the cookie in a local file, and the next time it accesses the web server it puts the cookie information into the "Cookie" header of the HTTP request, so that the jsessionid is returned to the web server with the HTTP request.
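
The two transports just described, seen from the server's side, as an added example that is not code from Tomcat or from the original article: it reads the session ID from the Cookie header or from the ";jsessionid=" URL parameter and looks up the matching session. The class and method names are hypothetical; the store mints a fresh random ID whenever the presented ID is missing or unknown, so a value chosen by the client is never adopted.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class SessionLookupDemo {   // hypothetical name, added illustration only
    private static final SecureRandom RNG = new SecureRandom();
    // session ID (the number card) -> attributes (the cabinet)
    private final Map<String, Map<String, Object>> store = new ConcurrentHashMap<>();

    // URL transport: /menu.do;jsessionid=1001?q=1#top -> "1001"
    static String idFromUrl(String target) {
        int start = target.indexOf(";jsessionid=");
        if (start < 0) return null;
        start += ";jsessionid=".length();
        int end = target.length();
        for (char stop : new char[] {';', '?', '#', '/'}) {
            int i = target.indexOf(stop, start);
            if (i >= 0 && i < end) end = i;
        }
        return target.substring(start, end);
    }

    // Cookie transport: "lang=en; jsessionid=1001" -> "1001"
    // (the article writes the name in lower case; Tomcat's cookie is JSESSIONID)
    static String idFromCookieHeader(String header) {
        if (header == null) return null;
        for (String pair : header.split(";")) {
            String[] kv = pair.trim().split("=", 2);
            if (kv.length == 2 && kv[0].equalsIgnoreCase("jsessionid")) return kv[1];
        }
        return null;
    }

    // Returns the ID of the session that serves this request.
    String resolve(String target, String cookieHeader) {
        String id = idFromCookieHeader(cookieHeader);
        if (id == null) id = idFromUrl(target);
        if (id != null && store.containsKey(id)) return id;   // known card
        String fresh = new BigInteger(128, RNG).toString(16); // unknown or none
        store.put(fresh, new HashMap<>());
        return fresh;
    }

    public static void main(String[] args) {   // constructed sample requests
        SessionLookupDemo server = new SessionLookupDemo();
        String id = server.resolve("/login.do", null);
        System.out.println("Set-Cookie: jsessionid=" + id);
        System.out.println(id.equals(server.resolve("/menu.do", "lang=en; jsessionid=" + id)));
        System.out.println(id.equals(server.resolve("/menu.do;jsessionid=" + id + "?q=1", null)));
        System.out.println(id.equals(server.resolve("/menu.do", "jsessionid=1001")));
    }
}
```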

Let's see how Tomcat 5's source code supports jsessionid.
The toEncoded() method of the org.apache.coyote.tomcat5.CoyoteResponse class supports URL rewriting.

String toEncoded(String url, String sessionId) {
    ...
    StringBuffer sb = new StringBuffer(path);
    if (sb.length() > 0) { // jsessionid can't be first.
        sb.append(";jsessionid=");
        sb.append(sessionId);
    }
    sb.append(anchor);
    sb.append(query);
    return (sb.toString());
}


Let's take a look at two methods of org.apache.coyote.tomcat5.CoyoteRequest, configureSessionCookie() and doGetSession(), which support jsessionid with cookies.

/**
 * Configures the given jsessionid cookie.
 *
 * @param cookie The jsessionid cookie to be configured
 */
protected void configureSessionCookie(Cookie cookie) {
    ...
}

HttpSession doGetSession(boolean create) {
    ...
    // Creating a new session cookie based on that session
    if ((session != null) && (getContext() != null)
            && getContext().getCookies()) {
        Cookie cookie = new Cookie(Globals.SESSION_COOKIE_NAME,
                                   session.getId());
        configureSessionCookie(cookie);
        ((HttpServletResponse) response).addCookie(cookie);
    }
    ...
}


A typical use of the session is to store user login information, such as the user name, password, permission roles and other information; applications (such as e-mail services, Internet banking and other systems) perform authentication and authorization based on this information.
