Java session management

Source: Internet
Author: User
Tags: server, memory

Session overview: what is a session?

Put simply: a user opens a browser, clicks several hyperlinks, accesses several resources on the web server, and then closes the browser. This whole process is called a session.

The problem to be solved

While a user talks to the server through a browser, some per-user data is generated, such as the user's login flag. The web application must keep this data for each user during one or more sessions.

Two technologies
  • Cookie
    Cookie is a client-side technology: the web application sends each user's data to that user's browser in the form of cookies. When the user accesses the web application again with the same browser, the cookies are sent along with the request, so the web application can handle each user's data separately.
  • HttpSession
    Session for short, this is a server-side technology: the server creates an exclusive HttpSession object for each user's browser. Because each user has an exclusive session, user data can be stored in that user's own session. When the user accesses other web resources of the same web application, those resources retrieve the data from the user's session to serve that user.

The Cookie class

1. javax.servlet.http.Cookie
Cookie attributes:

  • Name: required. Cookie name

  • Value: required. The data corresponding to the Cookie name.
  • Comment: optional, remarks
  • Path: The default value is the URI of the Servlet that generates the Cookie.

Suppose there is a cookie whose path is /app/servlet/.
The browser then accesses a new resource at /app/1.jsp.
Question: will the browser send the cookie to 1.jsp? No.

The browser then accesses a new resource at /app/servlet/a/B/ServletDemo1.
Question: will the browser send this cookie to ServletDemo1? Yes.

Summary: whether the browser sends an existing cookie when it accesses a resource is decided by (path of the accessed resource).startsWith(cookie path). If the result is true, the cookie is sent.

If you set a cookie's path to /app/, the cookie is sent when accessing any resource under /app/.

  • Domain: by default, the domain name of the website hosting the Servlet that generates the Cookie.

    Suppose the domain set on the cookie is www.baidu.com.
    Is the cookie sent when accessing http://www.163.com? No.

  • MaxAge: the lifetime of the cookie. The default is the browser session.

To keep the cookie data in the client's cache, set a longer lifetime. Unit: seconds.
A value of 0 means the cookie is to be deleted.

  • Version: (optional) version of the Cookie.
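
The Path rule above, as an added Java example that is not part of the original page: it compares the startsWith summary with the path-match algorithm of RFC 6265 section 5.1.4, which goes slightly beyond the page by also checking the segment boundary. The class and method names and the last three sample paths are constructed for illustration.

```java
/** Added example: the page's startsWith rule next to RFC 6265 path-match. */
public class CookiePathMatch {

    /** The rule as summarised on this page. */
    static boolean pageRule(String requestPath, String cookiePath) {
        return requestPath.startsWith(cookiePath);
    }

    /** RFC 6265 section 5.1.4 path-match. */
    static boolean rfc6265(String requestPath, String cookiePath) {
        if (!requestPath.startsWith(cookiePath)) {
            return false;                       // not a prefix at all
        }
        if (requestPath.length() == cookiePath.length()) {
            return true;                        // identical paths
        }
        if (cookiePath.endsWith("/")) {
            return true;                        // prefix already ends on a segment boundary
        }
        // Otherwise the next character of the request path must start a new segment.
        return requestPath.charAt(cookiePath.length()) == '/';
    }

    public static void main(String[] args) {
        // Constructed sample data: {cookie path, request path}.
        String[][] cases = {
            {"/app/servlet/", "/app/1.jsp"},                     // first case from the page
            {"/app/servlet/", "/app/servlet/a/B/ServletDemo1"},  // second case from the page
            {"/app/",         "/app/1.jsp"},
            {"/app",          "/app/1.jsp"},
            {"/app",          "/application/admin"},             // sibling app sharing a prefix
        };
        for (String[] c : cases) {
            System.out.printf("cookie=%-14s request=%-30s startsWith=%-5b rfc6265=%b%n",
                    c[0], c[1], pageRule(c[1], c[0]), rfc6265(c[1], c[0]));
        }
    }
}
```

The two rules disagree only on the last row, where the cookie path /app has no trailing slash and the request goes to a different application whose name shares the prefix. Ending the cookie path with a slash, as in the /app/ example above, keeps the cookie's scope unambiguous.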

2. The server writes cookies to the client.
response.addCookie(Cookie cookie); this corresponds to the "Set-Cookie" header in the response.

3. Obtain the cookies submitted by the client.
Cookie[] cookies = request.getCookies(); then iterate over the cookies array to find the cookie you need.

4. How to uniquely identify a Cookie (when several cookies share the same name)
domain + path + name together uniquely identify a Cookie.

5. Others

  • A web site can send multiple cookies to a web browser, and a web browser can store the cookies provided by multiple web sites.
  • Generally, a browser can store only 300 cookies, each site can store up to 20 cookies, and the size of each Cookie is limited to 4 KB.
  • When a Cookie is created and sent to the browser, it is by default a session-level cookie that exists only in browser memory. To store it on disk, set the maxAge attribute to a value greater than 0, in seconds. A value of 0 tells the browser to delete the cookie.
  • When you delete a cookie, the path must be the same as the path the cookie was set with; otherwise, the deletion fails.
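
Steps 2 and 3 and the deletion rule above, put together in one servlet. This is an added example, not code from the original page; the servlet name, the cookie name "lastVisit" and the "clear" request parameter are hypothetical.

```java
import java.io.IOException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: "lastVisit" and the "clear" parameter are hypothetical names.
public class LastVisitServlet extends HttpServlet {
    private static final String NAME = "lastVisit";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        response.setContentType("text/plain;charset=UTF-8");

        // Step 3: read what the client submitted. getCookies() returns null,
        // not an empty array, when the request carries no cookies.
        String lastVisit = null;
        Cookie[] cookies = request.getCookies();
        if (cookies != null) {
            for (Cookie c : cookies) {
                if (NAME.equals(c.getName())) {
                    lastVisit = c.getValue();
                }
            }
        }

        Cookie cookie;
        if (request.getParameter("clear") != null) {
            cookie = new Cookie(NAME, "");
            cookie.setMaxAge(0);                 // 0: the browser deletes the cookie
        } else {
            cookie = new Cookie(NAME, Long.toString(System.currentTimeMillis()));
            cookie.setMaxAge(7 * 24 * 60 * 60);  // seconds; > 0: stored on disk
        }
        // Same path for writing and deleting; a different path would create a
        // second cookie instead of replacing or removing the first one.
        cookie.setPath(request.getContextPath() + "/");
        response.addCookie(cookie);              // step 2: becomes a Set-Cookie header

        // Cookie values are client-controlled, so validate before using them.
        boolean valid = lastVisit != null && lastVisit.matches("\\d{1,19}");
        response.getWriter().println(valid
                ? "last visit (epoch ms): " + lastVisit : "first visit");
    }
}
```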

HttpSession

javax.servlet.http.HttpSession
HttpSession technology uses Cookie technology.

1. Get the HttpSession object:
HttpSession session = request.getSession();

Each HttpSession object has a unique ID.
To identify each client, a special Cookie is actually written to the client:

  • The Cookie name is fixed: "JSESSIONID".
  • The Cookie value is the ID of the HttpSession object.
  • The Cookie path is the current application path.

How the request.getSession() method works in detail:

  • If the user's request carries a Cookie named JSESSIONID, the server first looks up the corresponding HttpSession object in server memory by that ID.
  • If no HttpSession object is found, or the browser did not send the Cookie, a new HttpSession object with a new ID is created, and JSESSIONID=<session ID> is written to the client at the same time.
  • If the HttpSession object is found, it is returned and continues to serve the user.

request.getSession(boolean b): if b is true, the method is equivalent to request.getSession(). If b is false, it only looks up an existing session; if none is found, null is returned.

session.invalidate(): immediately destroys the HttpSession object on the server.

2. HttpSession itself is a domain object

void setAttribute(String name, Object obj): set an attribute
void removeAttribute(String name): remove an attribute
Object getAttribute(String name): get an attribute

3. HttpSession Lifecycle

3.1 When the client sends a request to the server for the first time, there is no session ID in the request.
3.2 The server creates a session object and assigns it a session ID. The session object is saved on the server. At this point the session is in the new state: session.isNew() returns true.
3.3 After the server side has processed the request, it sends the session ID to the client side as a Cookie.
3.4 When the client side sends another request, the session ID is sent along with the request parameters to the server.
3.5 The server uses the session ID it receives to associate the request with the session object stored on the server. The session is no longer in the new state: session.isNew() returns false.
3.6 Steps 3 to 5 repeat until the session times out or is destroyed.
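
The getSession() variants, the attribute methods and the lifecycle steps above, shown in one servlet. This is an added example, not code from the original page; the servlet name, the "action" parameter and the "loginFlag" attribute are hypothetical, and credential checking is assumed to happen elsewhere.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: the "action" parameter and "loginFlag" attribute are hypothetical.
public class SessionDemoServlet extends HttpServlet {
    private static final String LOGIN_FLAG = "loginFlag";

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        if ("login".equals(request.getParameter("action"))) {
            // Credential verification is omitted; it must succeed before this point.
            // getSession() finds the session named by JSESSIONID, or creates one
            // and sends its ID back as the JSESSIONID cookie (steps 3.1 to 3.3).
            HttpSession session = request.getSession();
            session.setAttribute(LOGIN_FLAG, Boolean.TRUE);
            response.getWriter().println("logged in, new session: " + session.isNew());
        } else {
            // Logout: look up only, so no session is created just to be destroyed.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();   // the server-side object is destroyed immediately
            }
            response.getWriter().println("logged out");
        }
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // getSession(false) never creates a session, so anonymous requests to
        // this servlet do not allocate session objects in server memory.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(LOGIN_FLAG) == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Steps 3.4 and 3.5: the browser sent the ID back with this request.
        response.getWriter().println("welcome back, new session: " + session.isNew());
    }
}
```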

4. Status transition of the HttpSession object

The default timeout value of an HttpSession object is 30 minutes.
4.1 Changing the default timeout value of HttpSession:
Configure it in web.xml:

<session-config>
    <session-timeout>1</session-timeout> <!-- Unit: minutes; here, 1 minute -->
</session-config>

4.2 HttpSession object status
