The life cycle of the session

Session stored on the server side, generally stored in the server's memory (for high-speed access), Sessinon when the user first access to the server created, need to be aware that only access to the JSP, servlet and other programs will be created session, only access to HTML, Static resources such as image do not create a session, and call Request.getsession (true) to force a session to be generated.

　　When does the session expire?

1. The server clears a session that has not been active for a long time from the server memory, and the session expires. The default expiration time for a session in Tomcat is 20 minutes.

2. Call the Invalidate method of the session.

session Requirements for browsers:

　　Although the session is saved on the server and is transparent to the client, it still needs the support of the client browser for its normal operation. This is because the session needs to use a cookie as the identification mark. The HTTP protocol is stateless, and the session cannot determine whether it is the same client based on an HTTP connection, so the server sends a cookie named Jsessionid to the client browser. Its value is the ID of the session (that is, the return value of Httpsession.getid ()). The session is based on the cookie to identify whether it is the same user.

The cookie is automatically generated by the server, and its MaxAge property is typically-1, which means that only the current browser is valid, and the browser windows are not shared, and the browser is disabled. Therefore, when the server is accessed by two browser windows of the same machine, two different sessions are generated. However, new windows that are opened by links, scripts, and so on in the browser window (that is, not by double-clicking on Windows that are open by desktop browser icons). Such sub-Windows share a parent window's cookie, so a session is shared.

　　Note: The newly opened browser window will generate a new session, except for the child window. The child window will share the session of the parent window. For example, when you right-click on a link and select Open in New window in the popup shortcut menu, the child window can access the session of the parent window.

What if the client browser disables the cookie feature or does not support cookies? For example, most mobile browsers do not support cookies. The Java Web provides another solution: URL-Address rewriting.

URL address Rewriting is a solution that does not support cookies for clients. The principle of URL address rewriting is to rewrite the ID information of the user session to the URL address. The server is able to parse the rewritten URL to get the session ID. This allows you to use the session to record user status even if the client does not support cookies. The HttpServletResponse class provides encodeurl (String URL) Implementation URL rewrite, This method automatically determines whether the client supports cookies. If the client supports cookies, the URL is output intact. If the client does not support cookies, the ID of the user session is rewritten into the URL.

　　Note: Tomcat determines whether the client browser supports cookies based on whether the request contains cookies. Although the client may support cookies, no cookie will be brought with the first request (because there is no cookie to carry), and the address after the URL address is rewritten is still jsessionid. The server has already written a cookie in the browser when the second visit is made, so the address in the URL address rewrite will not be jsessionid.

The life cycle of the session