I. What is an HTTP session and what is it for
The HTTP protocol itself is stateless: it gives the server no native way to retain state about a client, so the Web server introduces the concept of a session to hold the client's state information.
Here is a picture to explain how a session works. Suppose the Web server is a store's cloakroom and an HTTP request is a customer. On the customer's first visit, the attendant puts the customer's belongings in a particular locker (the locker is the session) and hands the customer a numbered tag as a claim ticket (the number is the session ID). The next time the customer (HTTP request) comes in, the numbered tag (session ID) is handed to the cloakroom attendant (Web server). The attendant finds the corresponding locker (session) by the number (session ID), and according to the customer's (HTTP request's) wishes the Web server can remove, replace or add items in the locker (session); the Web server can also invalidate the locker (session) that belongs to the customer (HTTP request) holding that number. Because there are so many customers (HTTP requests), the attendant reminds each customer of their number (session ID) again when they leave (HTTP response), and the customer brings the numbered tag along on the next visit (next HTTP request).
As we can see, the session ID is simply passed back and forth between client and server inside the HTTP request and the HTTP response.
II. Two common ways to implement a session
1) URL rewriting.
When the Web server returns the response, it scans every URL on the page, including all hyperlinks and the action attribute of each HTML form, and appends ";jsessionid=xxx" to it.
The next time the user follows one of the URLs on this page, the jsessionid is passed back to the Web server.
2) Cookies.
If the client supports cookies, the Web server adds a "Set-Cookie: jsessionid=xxxx" header to the header section of the response, which places the jsessionid in a cookie and sends it to the client.
The client saves the cookie in a local file; on its next visit to the Web server it puts the cookie into the "Cookie" header of the HTTP request, so the jsessionid travels back to the Web server with the request.
III. How a session works
1) When a user sends the first request to the server, the server creates a session for that user and assigns the session an identification number;
2) Every subsequent request from this user should carry that identification number. The server checks the number to determine which session the request belongs to.
The IP address is not used as the identity because many machines reach the Internet through a proxy server and cannot be told apart.
There are two ways to deliver the session identification number (session ID): cookies and URL rewriting.
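To make the two transports concrete, here is an added Python example (not code from the original post, and a model of the mechanism rather than the Servlet API): the server looks for the session ID first in the Cookie header and then in a ";jsessionid=" path parameter, creates a session with a random ID when neither yields a known session, and either sets the cookie or rewrites the links and form actions on the page. The request and response dictionaries, the SESSIONS table and the cookie name JSESSIONID are assumptions made for the example.

```python
import re
import secrets
from urllib.parse import urlsplit

# Server-side session table for this example: session ID -> session data (assumed structure).
SESSIONS = {}
COOKIE_NAME = "JSESSIONID"   # assumed cookie name, as used by Java containers


def new_session_id():
    # 32 bytes from the OS CSPRNG: the ID is neither duplicated nor guessable.
    return secrets.token_urlsafe(32)


def session_id_from_request(request):
    """Return the session ID a request carries, or None.
    The Cookie header is checked first, then the ';jsessionid=' path parameter
    that URL rewriting produces."""
    cookie_header = request.get("headers", {}).get("Cookie", "")
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME and value:
            return value
    # urlsplit keeps the ';param' part inside .path, so the regex can find it there.
    path = urlsplit(request["url"]).path
    match = re.search(r";jsessionid=([A-Za-z0-9_-]+)", path)
    return match.group(1) if match else None


def rewrite_urls(html, sid):
    """URL rewriting: append ';jsessionid=<sid>' to every href and form action,
    keeping it in front of any query string."""
    def add_param(match):
        attr, quote, url = match.groups()
        base, sep, query = url.partition("?")
        return f"{attr}={quote}{base};jsessionid={sid}{sep}{query}{quote}"
    return re.sub(r"""(href|action)=(["'])([^"']*)\2""", add_param, html)


def handle(request, use_url_rewriting=False):
    """Serve a page, tracking the client with a server-side session."""
    sid = session_id_from_request(request)
    created = False
    # An ID the server never issued is not adopted: a fresh one is generated instead,
    # so the server, not the client, decides which session IDs exist.
    if sid is None or sid not in SESSIONS:
        sid = new_session_id()
        SESSIONS[sid] = {"hits": 0}
        created = True
    SESSIONS[sid]["hits"] += 1
    body = '<a href="/cart?item=1">cart</a><form action="/checkout"></form>'
    headers = {}
    if created:
        # Transport 2: hand the ID to the client in a cookie.
        headers["Set-Cookie"] = f"{COOKIE_NAME}={sid}; Path=/; HttpOnly"
    if use_url_rewriting:
        # Transport 1: embed the ID in every link and form action on the page.
        body = rewrite_urls(body, sid)
    return {"status": 200, "headers": headers, "body": body, "sid": sid}


if __name__ == "__main__":
    first = handle({"url": "/", "headers": {}})
    again = handle({"url": "/", "headers": {"Cookie": f"{COOKIE_NAME}={first['sid']}"}})
    print(first["headers"], again["sid"] == first["sid"])
    print(handle({"url": "/", "headers": {}}, use_url_rewriting=True)["body"])
```

The first response carries Set-Cookie; a follow-up request that presents the cookie (or a rewritten URL) is mapped back to the same session entry, while a request presenting an ID the server never issued simply gets a new one.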
IV. Summary of HttpSession
1. The HTTP protocol itself follows a "connect, request, respond, close connection" pattern and is stateless (HTTP is only a transport protocol);
2. The cookie specification was created to add state tracking to HTTP (for a precise picture, read the relevant RFC carefully), but it is not the only means;
3. The so-called session is the state information (data) of the interaction between client and server; how that state is defined and how long it lives is entirely the application's own business;
4. Because in the B/S (browser/server) computing model the work is done on the server and the client holds only simple display logic, session data should be opaque to the client (not interpretable by it) and controlled by the server. Session data is either kept on the server (HttpSession) or passed back and forth between client and server (cookie, URL rewriting or hidden input);
5. Because HTTP is stateless, the server cannot tell by itself that a request comes from a particular client, so when server-side HttpSession storage is used, every client request must carry a session identifier (SID, jsessionid, etc.) to tell the server which session it belongs to;
6. The advantage of keeping session data on the server (e.g. HttpSession) is a shorter HTTP request and better network efficiency; client-side session storage is the opposite;
7. There is only one way to store session data on the client: the cookie (URL rewriting and hidden inputs cannot be persisted, so they do not count; they only exchange the session ID, i.e. they are a means of session tracking). The server-side approach is basically the same everywhere: the container has a session manager (such as the classes in Tomcat's org.apache.catalina.session package) that handles the session lifecycle and persistence and provides an API for accessing session data;
8. Whether to store the session on the server or the client depends on the application. In general, public service systems that do not require users to sign in (such as Google) use cookies for client-side session storage (e.g. Google's user preferences), while systems with user management use server-side storage. The reason is obvious: a system without user login can only identify the user's computer, and since it does not know who is who, server-side session storage is of no use, whereas a system with user management can manage each user's personal data and so offer arbitrarily complex personalized services;
9. Client-side and server-side session storage differ in performance, security, cross-site capability, programming convenience and so on, and neither is absolutely better (for example, TheServerSide claims that not using HttpSession is why its performance is good. This is obvious: in a system with hundreds of millions of users, retrieving each user's preferences from the server database is clearly inefficient, and a session manager consumes a lot of memory and CPU time whatever data structure and algorithm it uses; with cookies there is no session data to retrieve or maintain at all, the server can be made stateless, and it is of course efficient);
10. A so-called "session cookie" is simply a cookie with no explicit expiry time; it lives only for the browser's current process and can be removed by a later Set-Cookie operation. When a program needs a session for a client's request, the server first checks whether the request carries a session identifier, the session ID. If it does, a session was created for this client earlier, and the server retrieves it by that ID (if nothing is found, it may create a new one). If the request carries no session ID, the server creates a session for this client and generates a session ID. The session ID value associated with a session should be a string that is neither duplicated nor easy to guess or imitate; it is returned to the client in the response to be saved. The session ID is usually saved in a cookie so that the browser can automatically present it to the server during the rest of the interaction. The name of this cookie is typically something like SESSIONID.
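Items 4, 7 and 9 above contrast server-side HttpSession storage with keeping session data on the client. The following added Python example (not code from the original post) shows how a stateless server can keep non-secret data such as user preferences in a cookie and still control it: the cookie value is a base64 payload plus an HMAC signature with a server-only key, so an edited, forged or expired cookie is rejected. SECRET_KEY and the encode/decode function names are assumptions for the example; because the payload is only encoded, not encrypted, this protects integrity, not secrecy, which is why it suits preferences rather than private data.

```python
import base64
import hashlib
import hmac
import json
import time

# Placeholder key for the example; a real deployment loads a random key from secure configuration.
SECRET_KEY = b"replace-with-a-random-32-byte-key"


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_session(data, max_age=3600, now=None):
    """Serialize session data into a cookie value of the form payload.signature.
    The server keeps no state; the HMAC lets it detect any client-side edit."""
    now = time.time() if now is None else now
    payload = _b64e(json.dumps({"d": data, "exp": now + max_age}).encode())
    sig = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def decode_session(cookie_value, now=None):
    """Return the session data, or None if the cookie is tampered with, malformed or expired."""
    now = time.time() if now is None else now
    payload, _, sig = cookie_value.partition(".")
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison of signatures
        return None
    try:
        obj = json.loads(_b64d(payload))
    except ValueError:                           # bad base64 or bad JSON
        return None
    if obj.get("exp", 0) < now:
        return None
    return obj["d"]


if __name__ == "__main__":
    cookie = encode_session({"lang": "en", "theme": "dark"}, max_age=60)
    print(cookie)
    print(decode_session(cookie))
```

Every request that presents the cookie is verified with the key before the preferences inside are trusted, so the server stays stateless (item 9) while the client still cannot change the data's meaning (item 4).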
V. When a session is created and when it is deleted
When it is created: a common misconception is that the session is created as soon as a client accesses the server. In fact it is not created until server-side code calls a statement such as HttpServletRequest.getSession(true). Note that unless a JSP explicitly declares <%@ page session="false" %> to turn the session off, the JSP file is automatically translated into a servlet containing the statement HttpSession session = HttpServletRequest.getSession(true); this is also where the implicit session object in JSP comes from. Because sessions consume memory, if you do not intend to use the session you should turn it off in every JSP.
When it is deleted: a. the program calls HttpSession.invalidate(); b. the interval since the client last sent the session ID exceeds the session's timeout setting; c. the server process stops (for a non-persistent session).
How do I delete the session when the browser is closed? Strictly speaking, this cannot be done. One approach is to use a JavaScript window.onclose handler on every client page to watch for the browser closing and then send a request to the server to delete the session. But this is still helpless against a browser crash or a forcibly killed process.
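The creation and deletion rules in this section, as an added Python model (not the Servlet container's own code): get_session(sid, create) mirrors getSession(true/false), invalidate() is deletion path a, the idle timeout measured from the last request is path b, and because the table lives only in memory, path c (process stop) follows by itself. The class name SessionManager and the timeout_seconds parameter are assumptions for the example.

```python
import secrets
import time


class SessionManager:
    """In-memory session table: sessions die on invalidate(), after an idle timeout,
    or when the process stops (nothing is persisted)."""

    def __init__(self, timeout_seconds=1800):
        self.timeout = timeout_seconds
        self._sessions = {}   # sid -> {"data": dict, "last_access": float}

    def get_session(self, sid, create, now=None):
        """Mirror HttpServletRequest.getSession(create): return (sid, data) for a live
        session, create one only when `create` is true, otherwise return (None, None)."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid) if sid else None
        if entry is not None:
            if now - entry["last_access"] > self.timeout:
                del self._sessions[sid]          # timed out: treat as if it never existed
            else:
                entry["last_access"] = now       # each request restarts the idle clock
                return sid, entry["data"]
        if not create:
            return None, None
        new_sid = secrets.token_urlsafe(32)      # unique and unguessable ID
        self._sessions[new_sid] = {"data": {}, "last_access": now}
        return new_sid, self._sessions[new_sid]["data"]

    def invalidate(self, sid):
        """Deletion path a: the application ends the session explicitly."""
        self._sessions.pop(sid, None)

    def sweep(self, now=None):
        """Deletion path b as a background job: drop every session idle longer than the timeout."""
        now = time.time() if now is None else now
        expired = [s for s, e in self._sessions.items() if now - e["last_access"] > self.timeout]
        for s in expired:
            del self._sessions[s]
        return len(expired)

    def count(self):
        return len(self._sessions)


if __name__ == "__main__":
    manager = SessionManager(timeout_seconds=60)
    sid, data = manager.get_session(None, create=True)
    data["user"] = "alice"
    print(sid, manager.get_session(sid, create=False)[1])
    manager.invalidate(sid)
    print(manager.get_session(sid, create=False))
```

A request without an ID and with create=False gets no session, which is the cheap path the JSP note above is about; a timed-out ID is discarded rather than revived, so a client cannot extend a dead session by presenting its old number.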
VI. Other session issues
1. Must objects stored in the session be serializable? Not necessarily. Serializability is required only if the session is to be replicated across a cluster, persisted, or, when necessary, temporarily swapped out of memory by the server.
2. How to handle clients that disable cookies: apply URL rewriting to every URL, including hyperlinks, form actions and redirect URLs.
3. Does opening two browser windows onto the application use the same session or different sessions?
VII. Understanding the cookie mechanism
1) The principle of the cookie mechanism is as simple as the example above, but several questions need answering: how the membership card is issued, what it contains, and how the customer uses it.
2) The orthodox way to issue cookies is an extension of the HTTP protocol: the server adds a special line to the HTTP response header to instruct the browser to create the corresponding cookie. However, purely client-side scripts such as JavaScript or VBScript can also create cookies.
3) Cookies are used by the browser, which sends them to the server automatically in the background according to certain rules. The browser checks all stored cookies and, if a cookie's declared scope is greater than or equal to the location of the resource being requested, attaches the cookie to the HTTP request header for that resource. A McDonald's membership card can only be shown in McDonald's stores; if a branch also issues its own card, then in that branch you show the branch's card in addition to the McDonald's card.
VIII. Contents of a cookie
Mainly: name, value, expiry time, path and domain.
Path, domain and scope: the domain may be a whole domain such as .google.com, which is like the head office's sign covering the whole company, or a specific machine in that domain such as www.google.com or froogle.google.com; it is used for comparison against the requested host.
The path is the URL path after the domain name, such as / or /foo, and is used for comparison against the requested path.
The combination of the path and the domain constitutes the scope of the cookie.
Expiry time: if no expiry time is set, the cookie lives only for the browser session and disappears as soon as the browser window is closed. Such a cookie, whose lifetime is the browser session, is called a session cookie. Session cookies are generally kept in memory rather than on the hard disk, although this behaviour is not standardized. If an expiry time is set, the browser saves the cookie to the hard disk; after closing and reopening the browser the cookie remains valid until the set expiry time passes.
Browser differences: cookies stored on the hard disk can be shared between different browser processes, such as two IE windows. Cookies held in memory are handled differently by different browsers. In IE, a window opened from an existing window with Ctrl-N (or from the File menu) shares the memory cookies of the original window, whereas an IE process started any other way does not share them; in Mozilla Firefox 0.8, all processes and tabs can share the same cookies. In general, a window opened with JavaScript's window.open shares memory cookies with the original window. The way browsers handle session cookies per process is often a major headache for Web application developers who rely on the session mechanism.
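The scope rule from section VII item 3 and the domain, path and expiry rules of this section, as an added Python example (not code from the original post): it decides which stored cookies a browser attaches to a given request and which ones survive closing and reopening the browser. The sample jar of google.com cookies is constructed for the example, and the matching follows the RFC 6265 domain-matching and path-matching rules, which is an assumption about browser behaviour beyond what the text itself spells out.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str                        # ".google.com" covers every host under it; "www.google.com" only that host
    path: str                          # "/" or "/foo"
    expires: Optional[float] = None    # None => session cookie, kept only in memory


def domain_matches(request_host, cookie_domain):
    """Domain matching as in RFC 6265: the host equals the cookie domain or ends
    with '.' + the cookie domain (a leading dot on the cookie domain is ignored)."""
    host = request_host.lower()
    domain = cookie_domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def path_matches(request_path, cookie_path):
    """Path matching as in RFC 6265: identical, or the cookie path is a prefix that
    ends in '/' or stops at a '/' boundary of the request path ('/foo' does not cover '/foobar')."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookies_for_request(jar, url, now):
    """Return the name=value pairs the browser would put in the Cookie header for url.
    Persistent cookies past their expiry are skipped; session cookies are sent as long
    as the browser session is still open."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path or "/"
    sent = []
    for c in jar:
        if c.expires is not None and c.expires <= now:
            continue
        if domain_matches(host, c.domain) and path_matches(path, c.path):
            sent.append(f"{c.name}={c.value}")
    return sent


def survive_restart(jar, now):
    """Close and reopen the browser: only unexpired persistent cookies (the ones written
    to disk) come back; session cookies held in memory are gone."""
    return [c for c in jar if c.expires is not None and c.expires > now]


# Constructed sample jar for the example (not real cookies).
NOW = 1_500_000_000.0
JAR = [
    Cookie("PREF", "lang=en", ".google.com", "/", expires=NOW + 86400 * 365),
    Cookie("SESSIONID", "abc123", "www.google.com", "/", expires=None),
    Cookie("FOO", "1", ".google.com", "/foo", expires=NOW + 3600),
    Cookie("OLD", "x", ".google.com", "/", expires=NOW - 1),
]


def demo():
    return {
        "www_root": cookies_for_request(JAR, "https://www.google.com/", NOW),
        "froogle_foo": cookies_for_request(JAR, "https://froogle.google.com/foo/bar", NOW),
        "www_foobar": cookies_for_request(JAR, "https://www.google.com/foobar", NOW),
        "other_site": cookies_for_request(JAR, "https://example.com/", NOW),
        "after_restart": [c.name for c in survive_restart(JAR, NOW)],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The SESSIONID cookie, scoped to www.google.com with no expiry, is sent to that host only and vanishes after a restart, whereas the PREF cookie scoped to .google.com reaches every subdomain and persists; the expired OLD cookie is never sent at all.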
HTTP session and cookie mechanism in detail