Java Session Management

Source: Internet
Author: User
Tags: server, memory

Session Overview

What is a session

Put simply: a user opens the browser, clicks several hyperlinks to access multiple resources on the Web server, and then closes the browser. The entire process is called a session.

Issues that need to be addressed

During a browser-server session each user generates some data of their own, such as a login token, and the Web application must save this data for each user across one or more sessions.

Two technologies
    • Cookies
      A cookie is a client-side technology. The Web application sends each user's data to that user's browser in a cookie; when the user accesses the Web application again with that browser, the cookie is sent along, so the Web application can process each user's own data individually.
    • HttpSession
      Usually just called the session, this is a server-side technology. At run time the server creates a unique HttpSession object for each user's browser. Because each user has their own session, they can store their own data in it, and when the user accesses other Web resources of the current Web application, those resources can take the user's data out of the user's session.

Cookie class

1. javax.servlet.http.Cookie
Properties of the Cookie:

    • Name: Required, the cookie name
    • Value: Required, the data corresponding to the cookie name
    • Comment: Optional, notes
    • Path: The default value is the URI of the servlet that generated the cookie

Suppose there is a cookie whose path is /app/servlet/
The browser accesses a new resource whose path is /app/1.jsp
Question: will the browser send the cookie to 1.jsp? No

The browser accesses a new resource whose path is /app/servlet/a/b/servletdemo1
Question: will the browser send this cookie to ServletDemo1?
Yes
Summary: whether an existing cookie is sent when a resource is accessed is decided by (path of the resource being accessed).startsWith(path of the cookie); if true, the cookie is sent.

If you set a cookie's path to /app/, access to any resource under /app/ will send the cookie along.

    • Domain: The default is the domain name of the Web site where the servlet that generated the cookie resides

      The domain of the cookie that was added is www.baidu.com
      Is it sent when accessing http://www.163.com? No

    • MaxAge: The lifetime of the cookie. The default is one session

      To keep the cookie data in the client's cache, give it a longer time to live. The unit is seconds.
      If the value is 0, the cookie is to be deleted.

    • Version: Optional, the cookie version
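
The Path and Domain rules above, as an added example that is not code from the original page: a stand-alone Java program applying the matching a browser performs under RFC 6265. It goes beyond the plain startsWith summary by requiring the prefix to end on a "/" boundary; the class and method names are assumptions.

```java
import java.util.Locale;

// Added example: class and method names are hypothetical, not a servlet API.
public class CookieScopeDemo {

    // RFC 6265 section 5.1.4 path-match: a prefix match that must end on a "/" boundary.
    static boolean pathMatches(String requestPath, String cookiePath) {
        if (requestPath.equals(cookiePath)) {
            return true;
        }
        if (!requestPath.startsWith(cookiePath)) {
            return false;
        }
        return cookiePath.endsWith("/")
                || requestPath.charAt(cookiePath.length()) == '/';
    }

    // RFC 6265 section 5.1.3 domain-match. A cookie set without a Domain attribute
    // is host-only: it goes back to exactly the host that set it.
    // IP-address hosts are not handled here.
    static boolean domainMatches(String host, String cookieDomain, boolean hostOnly) {
        String h = host.toLowerCase(Locale.ROOT);
        String d = cookieDomain.toLowerCase(Locale.ROOT);
        if (h.equals(d)) {
            return true;
        }
        return !hostOnly && h.endsWith("." + d);
    }

    static void show(String host, String path, String cDomain, boolean hostOnly, String cPath) {
        boolean sent = domainMatches(host, cDomain, hostOnly) && pathMatches(path, cPath);
        System.out.printf("%-14s %-32s cookie[%s, %s] -> %s%n",
                host, path, cDomain, cPath, sent ? "sent" : "not sent");
    }

    public static void main(String[] args) {
        // Constructed requests, using the paths and hosts from the text above.
        show("www.baidu.com", "/app/1.jsp", "www.baidu.com", true, "/app/servlet/");
        show("www.baidu.com", "/app/servlet/a/b/servletdemo1", "www.baidu.com", true, "/app/servlet/");
        show("www.163.com", "/app/servlet/x", "www.baidu.com", true, "/app/servlet/");
        // Boundary case: plain startsWith would match, the "/" boundary rule does not.
        show("www.baidu.com", "/app/servlet-admin/x", "www.baidu.com", true, "/app/servlet");
        // Domain attribute set to the parent domain: subdomains match as well.
        show("news.baidu.com", "/app/servlet/x", "baidu.com", false, "/app/servlet/");
    }
}
```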

2. The server writes cookies to the client
response.addCookie(Cookie cookie), which corresponds to setting the "Set-Cookie" response header

3. Get the cookies submitted by the client
Cookie[] cookies = request.getCookies(); then iterate through the cookies array to find the required cookie

4. How to uniquely identify a cookie (when cookies have the same name)
Domain + path + name together identify a unique cookie

5. Other

    • A Web site can send multiple cookies to a Web browser, and a Web browser can store cookies provided by multiple Web sites
    • Browsers generally allow only 300 cookies, with a maximum of 20 cookies per site and a size limit of 4 KB per cookie
    • When a cookie is created and sent to the browser, by default it is a session-level cookie that exists only in the browser's memory. To store it on disk, set the MaxAge property to a number greater than 0, in seconds. A value of 0 tells the browser to delete the cookie.
    • When deleting a cookie, the path must be consistent with the one it was set with; otherwise the deletion is unsuccessful

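
Items 2, 3 and 5 above combined in one servlet, as an added example that is not code from the original page: it writes a persistent cookie, reads it back, and deletes it using the same path. The servlet, the cookie name "visited", the "forget" parameter and the path /app/ are assumptions, as is serving the site over HTTPS.

```java
import java.io.IOException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
// Added example: the servlet, the cookie name and the path are hypothetical.
public class VisitCookieServlet extends HttpServlet {
    private static final String NAME = "visited";
    private static final String PATH = "/app/";   // assumed context path

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        response.setContentType("text/plain;charset=UTF-8");
        if (request.getParameter("forget") != null) {
            // Delete: same name and path as when it was set, MaxAge 0.
            Cookie gone = new Cookie(NAME, "");
            gone.setPath(PATH);
            gone.setMaxAge(0);
            response.addCookie(gone);
            response.getWriter().println("cookie deleted");
            return;
        }
        boolean seenBefore = find(request, NAME) != null;
        // Set-Cookie is a header, so add the cookie before writing the body.
        Cookie c = new Cookie(NAME, "1");
        c.setPath(PATH);
        c.setMaxAge(7 * 24 * 60 * 60); // seconds; > 0 makes the browser persist it
        c.setHttpOnly(true);           // not readable from page scripts
        c.setSecure(true);             // assumes the site is served over HTTPS
        response.addCookie(c);
        response.getWriter().println(seenBefore ? "welcome back" : "first visit");
    }

    // request.getCookies() returns null, not an empty array, when no cookie was sent.
    static String find(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie cookie : cookies) {
            if (name.equals(cookie.getName())) {
                return cookie.getValue();
            }
        }
        return null;
    }
}
```
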
HttpSession class

javax.servlet.http.HttpSession
HttpSession technology actually uses cookie technology

1. Get HttpSession object:
HttpSession session = request.getSession();

Each HttpSession object has a unique ID
In order to identify each client, a special cookie is actually written to the client:

    • The name of the cookie is fixed: "JSESSIONID"
    • The value of the cookie is the ID of the HttpSession object
    • The path of the cookie is the current application

The request.getSession() method in detail:

    • If the request carries a cookie named JSESSIONID, the server first looks up the corresponding HttpSession object in its memory by that ID.
    • If none is found, or the browser sent no such cookie, a new HttpSession object is created with a new ID, and JSESSIONID=sessionid is written to the client.
    • If it is found, the HttpSession object is returned and continues to serve the user.

request.getSession(boolean b): if b is true, it behaves the same as request.getSession(). If b is false, it only fetches an existing session; null is returned if none is found.

session.invalidate(): immediately destroys the HttpSession object on the server.

2. HttpSession itself is a domain object

void setAttribute(String name, Object obj): sets an attribute
void removeAttribute(String name): removes an attribute
Object getAttribute(String name): gets an attribute

3. HttpSession Life cycle

3.1 When the client sends a request to the server for the first time, there is no session ID in the request.
3.2 At this point the server creates a session object and assigns it a session ID; the session object is saved on the server. The session is now in the new state, and session.isNew() returns true if called.
3.3 When the server has finished processing, this session ID is passed to the client as a cookie.
3.4 When the client sends a request again, the session ID is sent to the server along with the request.
3.5 Based on the session ID passed in, the server can connect this request to the session object saved on the server. The session is no longer in the new state; if session.isNew() is called, false is returned.
3.6 Repeat 3-5 until the session expires or is destroyed.

4. State Transitions for HttpSession objects

The default timeout for HttpSession objects is 30 minutes.
4.1 Change the default timeout for HttpSession:
Configure it in web.xml

<session-config>
  <session-timeout>1</session-timeout><!-- the unit is 1 minute -->
</session-config>

4.2 HttpSession Object State
