HTTP session and cookie
- HTTP is a stateless protocol, so when the server needs to record a user's state, it needs a mechanism for identifying that specific user. This mechanism is the session. A typical scenario is the shopping cart: when you click the order button, the stateless HTTP protocol cannot tell which user the operation belongs to, so the server creates a dedicated session for each user, uses it to identify and track that user, and in this way knows that the shopping cart contains several books. The session is stored on the server and has a unique identifier. There are many ways to store sessions on the server, including memory, a database, and files. In a cluster, session transfer must also be considered. A large website generally uses a dedicated session server cluster to hold user sessions; in that case the session information is kept in memory, using a cache service such as memcached.
- How does the server identify a specific client? This is where cookies come in. With each HTTP request, the client sends the corresponding cookie information to the server. In fact, most applications use cookies to track sessions: when a session is first created, the server tells the client through the HTTP protocol that a session ID needs to be recorded in a cookie, and from then on the client sends this session ID with every request so that the server knows who it is. What if the client browser disables cookies? In that case a technique called URL rewriting is used for session tracking: every HTTP interaction carries a parameter such as SID=XXXXX appended to the URL, and the server identifies the user from it.
- Cookies can also be used to make things more convenient for the user. Suppose you have logged on to a website and do not want to enter your account again next time. This information can be written into a cookie; when you access the website again, a script on the page can read it and fill in the user name for you automatically. This is also the origin of the name "cookie": it gives users a bit of sweetness.
So, to sum up:
A session is a data structure stored on the server to track the user's state. The data can be stored in clusters, databases, and files.
A cookie is a mechanism for the client to save user information. It is used to record user information and is also one way to implement sessions.
Cookie ---> common application scenario: automatic login
A cookie is a way for the browser to save information. It can be understood as a file saved on the client. The browser obtains the cookie information from the Set-Cookie header in the server's response. You can set an expiry time for this file, and a cookie with an expiry time does not disappear when the browser is closed. Everyone should be familiar with this effect, because many shopping websites work this way: even if you have not bought anything, they remember your preferences, and when you come back they show you the items you like first.
Cookie operation:
Add cookie
    Cookie cookie = new Cookie("user", "suntao");
    cookie.setMaxAge(7 * 24 * 60 * 60); // valid for one week
    response.addCookie(cookie);
Get cookie
    // getCookies() returns every cookie in the scope of the whole site, so the result is an array.
    // It returns null when the request carries no cookies.
    Cookie[] cookies = request.getCookies();
    if (cookies != null) {
        for (int i = 0; i < cookies.length; i++) {
            String name = cookies[i].getName();
            String value = cookies[i].getValue();
        }
    }
Cookie retention period: -1 by default
Session cookie: the cookie is kept in the browser; this is the case when the retention period is negative
Persistent cookie: the cookie is saved to a file; this is the case when the retention period is positive
Set the retention period: c.setMaxAge();
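The retention-period rule can be checked on the wire. The following is an added example, not code from the original article: it parses constructed Set-Cookie headers with the JDK's java.net.HttpCookie, classifies each cookie by its Max-Age, and reports whether the HttpOnly and Secure attributes are missing. The class name SetCookieAudit and the JSESSIONID value are made up for illustration.

```java
import java.net.HttpCookie;
import java.util.List;

public class SetCookieAudit {

    // Classify one Set-Cookie header by the retention-period rule:
    // negative Max-Age (the -1 default) = session cookie, positive = persistent.
    // Max-Age=0 tells the browser to delete the cookie.
    static String describe(String setCookieHeader) {
        List<HttpCookie> parsed = HttpCookie.parse(setCookieHeader);
        HttpCookie c = parsed.get(0);
        long maxAge = c.getMaxAge(); // -1 when the header has no Max-Age/Expires
        String kind;
        if (maxAge < 0) {
            kind = "session";
        } else if (maxAge == 0) {
            kind = "delete";
        } else {
            kind = "persistent (" + maxAge + "s)";
        }
        StringBuilder sb = new StringBuilder(c.getName()).append(": ").append(kind);
        // Without HttpOnly, a script on the page can read the cookie value.
        if (!c.isHttpOnly()) {
            sb.append(", readable by page script (no HttpOnly)");
        }
        // Without Secure, the browser also sends the cookie over plain HTTP.
        if (!c.getSecure()) {
            sb.append(", sent over plain HTTP (no Secure)");
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample headers, not captured traffic.
        String[] headers = {
            "Set-Cookie: user=suntao; Max-Age=604800; Path=/",
            "Set-Cookie: JSESSIONID=EXAMPLE0123456789ABCDEF; Path=/",
            "Set-Cookie: JSESSIONID=EXAMPLE0123456789ABCDEF; Path=/; Secure; HttpOnly"
        };
        for (String h : headers) {
            System.out.println(describe(h));
        }
    }
}
```

A remembered user name that a page script fills in has to stay script-readable, but a cookie carrying the session ID does not, so the second header is the one to fix.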
HttpSession mechanism --> the servlet implementation of the session mechanism
A session is created on the server, saved on the server, and maintained on the server. Each time a new session is created, the server assigns it a unique ID; this ID is also saved in a cookie on the client, under the name JSESSIONID.
| -- Obtain the HttpSession object through HttpServletRequest.getSession(), store values in the session through setAttribute(), and invalidate the session through invalidate().
| -- Each HttpSession has a unique session ID. As long as the requests come from the same open browser, the session obtained through the request is the same one.
| -- By default, the web container uses the cookie mechanism to save the session ID on the client; this cookie can be disabled by the browser. The cookie name is JSESSIONID.
| -- Each request obtains the corresponding session by reading the sessionid in the cookie
| -- HttpSession data is stored on the server, so do not save data that consumes a lot of resources. When necessary, remove the attribute or invalidate the session.
| -- The HttpSession timeout can be set with setMaxInactiveInterval() or in web.xml.
    <session-config>
        <!-- Unit: minute -->
        <session-timeout>30</session-timeout>
    </session-config>
| -- HttpSession saves the session ID in a cookie by default. After cookies are disabled on the client, URL rewriting can be used instead.
It can be implemented through response.encodeURL(url).
The effect of the encodeURL API is that when the browser supports cookies, the URL is left unchanged; when the browser does not support cookies, the URL is rewritten so that the session ID is spliced onto the access address.
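A simplified model of that rule, added here as an illustration and not the container's own implementation: encodeUrl applies it using the ;jsessionid= path-parameter form that servlet containers such as Tomcat emit, and redactForLog masks the ID again, because a session ID carried in the URL also ends up in access logs, browser history and Referer headers. The class name, method names and sample ID are hypothetical.

```java
public class UrlRewriteModel {

    // Leave the URL alone when the session ID arrived in a cookie; otherwise
    // splice ";jsessionid=<id>" into the path, ahead of any query or fragment.
    static String encodeUrl(String url, String sessionId, boolean idCameFromCookie) {
        if (sessionId == null || idCameFromCookie) {
            return url;
        }
        int cut = url.length();
        int query = url.indexOf('?');
        int fragment = url.indexOf('#');
        if (query >= 0) {
            cut = Math.min(cut, query);
        }
        if (fragment >= 0) {
            cut = Math.min(cut, fragment);
        }
        return url.substring(0, cut) + ";jsessionid=" + sessionId + url.substring(cut);
    }

    // Mask the spliced-in ID before a URL is written to a log line.
    static String redactForLog(String url) {
        return url.replaceAll("(?i);jsessionid=[^;/?#]*", ";jsessionid=REDACTED");
    }

    public static void main(String[] args) {
        String id = "EXAMPLE0123456789ABCDEF"; // constructed sample ID
        String url = "/cart/view?item=42#top";

        // Browser sent the ID in a cookie: URL is returned unchanged.
        System.out.println(encodeUrl(url, id, true));

        // Cookies unavailable: the ID becomes part of the address itself.
        String rewritten = encodeUrl(url, id, false);
        System.out.println(rewritten);

        // What a log sink should store instead of the rewritten URL.
        System.out.println(redactForLog(rewritten));
    }
}
```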
Qingfeng _ Xiaotian
Link: https://www.jianshu.com/p/25802021be63
Source: Jianshu
Copyright on Jianshu belongs to the author. For any form of reproduction, please contact the author for authorization and indicate the source.