[Servlet & JSP] HttpSession Session Management

Source: Internet
Author: User
Tags session id

Information that must be shared during a session can be stored in an HttpSession as attributes. If the user has turned off cookie acceptance in the browser, HttpSession can still continue its session management by using URL rewriting.

Use of HttpSession

In a servlet or JSP, to perform session management, use the getSession() method of HttpServletRequest to get the HttpSession object, as in the following statement:

HttpSession session = request.getSession();

The getSession() method has two versions. One version accepts a boolean value, which defaults to true: if an HttpSession instance does not already exist, a new object is created directly. If false is passed and an HttpSession instance does not already exist, null is returned directly.

The most frequently used methods on HttpSession are setAttribute() and getAttribute(), which set and get attributes on the object. By default, until the browser is closed, every HttpSession obtained is the same instance. To invalidate the current HttpSession during the session, call the invalidate() method of HttpSession. One occasion to use it is implementing a logout mechanism. An example follows:

Login.java:

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/login.do")
public class Login extends HttpServlet {
    protected void processRequest(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        // Demo credentials only; on success, store the login attribute in the session
        if ("abc".equals(username) && "123".equals(password)) {
            request.getSession().setAttribute("login", username);
            request.getRequestDispatcher("user.jsp").forward(request, response);
        } else {
            response.sendRedirect("login.html");
        }
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        processRequest(request, response);
    }

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        processRequest(request, response);
    }
}

At login, if the username and password are correct, the servlet gets the HttpSession and sets a login attribute, which represents the user's completion of the login action.

For other servlets and JSPs, if the login attribute can be obtained from the HttpSession, the user can be determined to be logged in. An attribute used this way to identify the user's login is often referred to as a login token. In the example above, a successful login is forwarded to the user page.

user.jsp:

<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Insert Title here</title>
</head>
<body>
    <c:choose>
        <%-- No login attribute in the session: show the login form --%>
        <c:when test="${sessionScope.login == null}">
            <jsp:include page="login.html" />
        </c:when>
        <c:otherwise>
            <h1>welcome! ${sessionScope.login}!</h1>
            <a href="logout.do">Sign Out</a>
        </c:otherwise>
    </c:choose>
</body>
</html>

login.html:

<body>
    <form action="login.do" method="post">
        Username<input type="text" name="username" /><br />
        Password<input type="password" name="password" /><br />
        <input type="submit" value=" sign in"/>
    </form>
</body>

Logout.java:

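import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/logout.do")
public class Logout extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Destroy the current session, then send the browser back to the login form
        request.getSession().invalidate();
        response.sendRedirect("login.html");
    }
}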

After invalidate() is called on the HttpSession, the container destroys and reclaims the HttpSession object. If you call getSession() of HttpServletRequest again, the HttpSession obtained is another new object.
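An added example, not code from the original page: a login servlet that uses the invalidate-then-getSession behaviour described above to discard any pre-login session before setting the login attribute, so a session ID issued before authentication is never promoted to a logged-in one. The class name SecureLogin, the URL /secure-login.do and the 15-minute timeout are assumptions, the javax.servlet API is assumed, and the credential check is the page's placeholder.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet name and URL (not from the original page).
@WebServlet("/secure-login.do")
public class SecureLogin extends HttpServlet {

    // Only POST is handled, so credentials never travel in the query string;
    // HttpServlet's default doGet() answers GET with "method not allowed".
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");

        // Same placeholder check as the page's Login servlet.
        if (!("abc".equals(username) && "123".equals(password))) {
            response.sendRedirect("login.html");
            return;
        }

        // getSession(false) returns null instead of creating a session.
        // If the browser already had one (for example created by a JSP
        // before login), destroy it together with its attributes.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }

        // After invalidate(), getSession() creates a new object with a new
        // session ID; only this fresh session receives the login token.
        HttpSession session = request.getSession(true);
        session.setAttribute("login", username);
        session.setMaxInactiveInterval(15 * 60); // seconds (assumed value)

        request.getRequestDispatcher("user.jsp").forward(request, response);
    }
}
```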

HttpSession Session Management Principles

When you call getSession() of HttpServletRequest, the web container creates the HttpSession object. Each HttpSession has a unique ID, called the session ID. Call getId() on the HttpSession to get the session ID.

By default, this session ID is stored in the browser using a cookie.

In Tomcat, the name of the cookie is JSESSIONID, and its value is the session ID obtained by getId().

Each HttpSession has a unique session ID. When the browser requests the application, the session ID stored in the cookie is sent to the application, and the web container retrieves the corresponding HttpSession object based on the session ID. This makes it possible to obtain the session data for each browser.

So when HttpSession is used for session management, the data set as attributes is saved on the server side, and the session ID is stored in the browser, by default using a cookie. The web container sets the cookie that stores the session ID to expire when the browser is closed, so when the browser is opened again and requests the application, getSession() returns a new HttpSession object.

Because HttpSession takes up memory, try not to save large, resource-consuming objects in it, remove attributes when necessary, and call invalidate() to invalidate the HttpSession when it is no longer required.

When you close the browser, what is invalidated immediately is the cookie on the browser, not the HttpSession.

You can call HttpSession's setMaxInactiveInterval() method to set how long the browser may go without requesting the application before the HttpSession expires automatically; the unit is seconds. It is also possible to set the default expiration time for HttpSession in web.xml, but be aware that the time unit there is minutes. For example:

...>
    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>
</web-app>

The cookie that holds the session ID is set to expire when the browser is closed.

If you want to keep information after the browser is closed, you must do so by using a cookie of your own, for example to implement your own automatic login mechanism.

HttpSession with URL rewriting

If you still intend to use HttpSession for session management when the user has disabled cookies, you can combine it with URL rewriting: the response to the browser contains hyperlinks with the session ID appended to the URL. When the user clicks the hyperlink, the session ID is sent to the web application in the GET request.

To use URL rewriting to send the session ID, use encodeURL() of HttpServletResponse to help generate the required rewritten URL.

When the container tries to get the HttpSession instance, if it can get the cookie carrying the session ID from the HTTP request, encodeURL() outputs the URL passed to it unchanged. If the cookie with the session ID cannot be obtained from the HTTP request (usually because the browser has disabled cookies), encodeURL() automatically generates a rewritten URL carrying the session ID.

If encodeURL() is called, the container does not know whether the browser has disabled cookies when the browser first requests the site, so the container does both: it sends the cookie (the Set-Cookie header) and rewrites the URL. So if the servlet contains the following statements, the first request displays the URL with the session ID appended, regardless of whether the browser has disabled cookies.

// Inside doGet()/doPost(); out is the response writer
PrintWriter out = response.getWriter();
request.getSession();
out.println(response.encodeURL("index.jsp"));

When the site is requested again, if the browser has not disabled cookies, the container can obtain the session ID from the cookie (from the Cookie header), and encodeURL() outputs only index.jsp. If the browser has disabled cookies, encodeURL() continues to append the session ID to the URL.

HttpServletResponse also has an encodeRedirectURL() method, which appends the session ID to the URL when the browser is to be redirected.
