JSP's understanding of request. getsession (false) (with a vulnerability that programmers often neglect)

[Previous]
I often see people asking questions about request. getsession (false) on the Internet. I am also confused for the first time. I read j2ee1.3 API and how it is explained on the official website.
[Official explanation]
Getsession
Public httpsession getsession (Boolean create)
Returns the current httpsession associated with this request or, if there is no current session and create is true, returns a new session.
If create is false and the request has no valid httpsession, this method returns NULL.
To make sure the session is properly maintained, you must call this method before the response is committed. if the container is using cookies to maintain session integrity and is asked to create a new session when the response is committed, an illegalstateexception is thrown.
Parameters: true-to create a new session for this request if necessary; false to return NULL if there's no current session
Returns: The httpsession associated with this request or null if create is false and the request has no valid session
Translation:
Getsession (Boolean create) means to return the httpsession in the current reqeust. If the httpsession in the current reqeust is null and the create statement is true, a new session is created. Otherwise, null is returned;
In short:
Httpservletrequest. getsession (ture) is equivalent to httpservletrequest. getsession ()
Httpservletrequest. getsession (false) is equivalent to null if the current session does not exist;
[Problems and bugs ]:
Many colleagues around me write this statement; CopyCode The Code is as follows: httpsession session = request. getsession (); // a new session created if no session exists, haha! Finished! If the session does not exist, you create another one!
String user_name = session. getattribute ("user_name ");

Please note that the request. getsession () is equivalent to request. getsession (true), unless we confirm that the session exists or the sesson does not exist, we explicitly need to create the session, otherwise we should try to use the request. getsession (false ). When the request. getsession () function is used, it is usually used to check whether a variable or tag is stored in the session in the action. In this scenario, no session may exist. The normal judgment should be as follows:Copy codeThe Code is as follows: httpsession session = request. getsession (false );
If (session! = NULL ){
String user_name = session. getattribute ("user_name ");
}

[Opportunistic ]:

If spring is used in the project (in fact, spring is a good choice as long as it is a slightly larger Java project), it is much easier to operate sessions. You can use webutils (Org. springframework. web. util. webutils) getsessionattribute (httpservletrequest request, string name) method. Let's look at the highly handwritten source code: Haha .. copy Code the code is as follows: /**
* Check the given request for a session attribute of the given name.
* returns NULL if there is no session or if the session has no such attribute.
* does not create a new session if none has existed before!
* @ Param request current HTTP request
* @ Param name the name of the session attribute
* @ return the value of the session attribute, or null if not found
*/
Public static object getsessionattribute (httpservletrequest request, string name) {
assert. notnull (request, "request must not be null");
httpsession session = request. getsession (false);
return (Sessi On! = NULL? Session. getattribute (name): NULL);
}

Note: assert is a tool in the spring toolkit used to determine some verification operations. In this example, it is used to determine whether reqeust is null. If it is null, an exception is thrown.
The code above can be concise:Copy codeThe Code is as follows: httpsession session = request. getsession (false );
String user_name = webutils. getsessionattribute (reqeust, "user_name ");

Source: http://blog.csdn.net/xxd851116