Session implementation principle

Keywords: JSP, session

HTTP (http://www.w3.org/Protocols/) is a one-shot, one-way protocol: the server cannot actively connect to the client. It can only passively wait for client requests and reply to them. The client connects to the server and sends an HTTP request; the server processes the request and returns an HTTP response to the client, and with that the request-response cycle is over.
As we can see, the HTTP protocol itself gives the server no way to keep state about the client. Therefore the concept of a session is introduced in the Web server to save the client's state information.
Here is a vivid metaphor to explain how a session works. Assume the Web server is the storage room of a shopping mall.
A request is a customer who comes to the storage room for the first time. The administrator (Web server) puts the customer's items into a cabinet (the cabinet is the session) and hands the customer a number card as the credential for getting the items back (the number card is the session ID). When the customer (HTTP request) comes again, it hands the number card (session ID) to the administrator (Web server). The administrator finds the corresponding cabinet (session) by the number card (session ID), and the Web server can then retrieve, replace, and add items in the cabinet (session) for that request.
A cabinet (session) and the number card (session ID) that a request carries can also become invalid. The customer (HTTP request) is very forgetful, so the administrator (Web server) puts the number card into every reply (HTTP response) to remind the customer to remember its number card (session ID). In this way, the customer (HTTP request) brings the number card along the next time it comes.
We can see that the session ID is actually passed back and forth between the client and the server in the HTTP request and the HTTP response.

So the session ID must be carried in the HTTP request. For the exact format of an HTTP request, see the HTTP protocol (http://www.w3.org/Protocols); here is a brief introduction.
In a Java Web server (Servlet/JSP container) the session ID is represented by JSESSIONID (see the Servlet specification).
An HTTP request consists of three parts:
(1) Request line
This line consists of the HTTP method (such as GET or POST), the URL, and the HTTP version number. For example:
GET http://www.w3.org/pub/WWW/TheProject.html HTTP/1.1
GET http://www.google.com/search?q=Tomcat HTTP/1.1
POST http://www.google.com/search HTTP/1.1
GET http://www.somsite.com/menu.do;jsessionid=1001 HTTP/1.1

(2) Request headers
This part defines some important header information, such as the browser type, the accepted language, and the content type. The request headers can also carry cookies. For example:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Accept-Language: en-US
Cookie: JSESSIONID=1001

(3) Message body
If the HTTP method is GET, the message body is empty.
If the HTTP method is POST, the HTTP request is usually the result of submitting an HTML form, and the message body carries the INPUT fields defined in the form. For example:
user=guest
password=guest
JSESSIONID=1001
If the method attribute of the HTML form is changed to GET, the message body is empty and all input fields are appended to the URL instead; you will see them in the browser's address bar, similar to
http://www.fastfish/login.do?user=guest&password=guest&JSESSIONID=1001

In principle, any of these three places (the request URL, the Cookie header, and the message body) can carry the session ID. Because the message-body approach requires every page to contain an HTML form that includes the session ID, it is not common.
There are two common ways to implement the session:
(1) URL rewriting.
When the Web server returns the response, it checks all URLs on the page, including all links and the action attributes of HTML forms, and appends ";jsessionid=xxx" to each of them. The next time the user follows a URL on this page, the jsessionid is passed back to the Web server.
(2) Cookies.
If the client supports cookies, the Web server adds a "Set-Cookie: JSESSIONID=xxxx" header to the response when it returns it, so the JSESSIONID is stored in a cookie and delivered to the client.
The client stores the cookie locally. The next time it accesses the Web server, the client puts the cookie in the "Cookie" header of the HTTP request, and so the JSESSIONID is returned to the Web server along with the HTTP request.

Let's take a look at how the Tomcat 5 source code supports JSESSIONID.
The toEncoded() method of the org.apache.coyote.tomcat5.CoyoteResponse class implements URL rewriting (the parts the article elides are marked with "..."):
String toEncoded(String url, String sessionId) {
    ...   // elided in the original: url is split into path, anchor, and query
    StringBuffer sb = new StringBuffer(path);
    if (sb.length() > 0) { // jsessionid can't be first.
        sb.append(";jsessionid=");
        sb.append(sessionId);
    }
    sb.append(anchor);
    sb.append(query);
    return (sb.toString());
}
Now let's look at two methods of org.apache.coyote.tomcat5.CoyoteRequest, configureSessionCookie() and doGetSession(), which support JSESSIONID via cookies:
/**
 * Configures the given JSESSIONID cookie.
 *
 * @param cookie The JSESSIONID cookie to be configured
 */
protected void configureSessionCookie(Cookie cookie) {
    ...
}

HttpSession doGetSession(boolean create) {
    ...
    // Creating a new session cookie based on that session
    if ((session != null) && (getContext() != null)
            && getContext().getCookies()) {
        Cookie cookie = new Cookie(Globals.SESSION_COOKIE_NAME,
                                   session.getId());
        configureSessionCookie(cookie);
        ((HttpServletResponse) response).addCookie(cookie);
    }
    ...
}
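To make the two transport mechanisms above concrete (URL rewriting as in toEncoded(), and the session cookie read back from the request), here is an added Python example; it is not from the article or from Tomcat. rewrite_url() reproduces the toEncoded() logic including the path/query/anchor split the article elides, and extract_session_id() parses a constructed raw HTTP request and takes the ID from the Cookie header first, falling back to the ;jsessionid path parameter; both function names are hypothetical.

```python
import re

# Constructed sample request (not from the article): the session ID travels
# both as a URL path parameter and in the Cookie header.
SAMPLE_REQUEST = (
    "GET /menu.do;jsessionid=1001?q=Tomcat HTTP/1.1\r\n"
    "Host: www.somsite.com\r\n"
    "Cookie: lang=en-US; JSESSIONID=1001\r\n"
    "\r\n"
)


def rewrite_url(url, session_id):
    """URL rewriting in the style of Tomcat's toEncoded(): insert
    ';jsessionid=<id>' after the path, before the anchor and the query."""
    if url is None or session_id is None:
        return url
    path, query, anchor = url, "", ""
    question = url.find("?")
    if question >= 0:
        path, query = url[:question], url[question:]
    pound = path.find("#")
    if pound >= 0:
        path, anchor = path[:pound], path[pound:]
    if not path:  # jsessionid can't be first
        return anchor + query
    return f"{path};jsessionid={session_id}{anchor}{query}"


def extract_session_id(raw_request):
    """Return (session_id, source) from raw HTTP request text, preferring
    the Cookie header over the ;jsessionid URL path parameter."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    request_line, *headers = head.split("\r\n")
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() == "cookie":
            m = re.search(r"(?:^|;)\s*JSESSIONID=([^;\s]+)", value)
            if m:
                return m.group(1), "cookie"
    parts = request_line.split(" ")
    target = parts[1] if len(parts) > 1 else ""
    m = re.search(r";jsessionid=([^?#;]+)", target)
    if m:
        return m.group(1), "url"
    return None, None
```

The cookie-first preference matters because an ID carried in the URL is exposed in the address bar, as the login.do example above shows, whereas the cookie is only sent in the request header.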
A typical use of the session is to store the user's login information, such as the user name, password, and permission role; applications (e-mail services, online banking, and similar systems) then perform authentication and permission checks based on this information.

1: The valid range of the session object in the browser (IE):
1> The session object is valid only in the window in which it was created.
2> A new window opened from a link in the window that created the session object is also valid.
The session lives only in memory and dies when the IE window is closed.
That is to say, using the session alone does not produce an automatic-login effect.
2: A cookie is generated on the client after the server instructs the client's IE to create it. It stores the user information on the client's hard disk, so until the cookie record is deleted or the cookie expires, automatic login can be achieved.
3: The session and the cookie are different, but related. After IE is opened, it sends a request to the server asking for a session ID and the page content; the server returns the page content and an unused session ID for IE to use. IE stores the returned session ID, and when IE accesses any JSP program on this site it sends the session ID to confirm the client's identity. (If the session dies, the session ID is cancelled, and without a cookie you need to log on again.)
4: You can verify this by disabling cookies on the client.
