Session mechanism (JSP-Servlet Technology)

Although
Although the session mechanism has been adopted in Web applications for a long time, many people still do not know the nature of the session mechanism, and even cannot correctly apply this technology. This article details
The session mechanism is discussed in detail and answers frequently asked questions about the application of the session mechanism in Java Web applications.

Directory:
I. Term session
Ii. http protocol and status maintenance
3. Understanding COOKIE Mechanism
4. Understanding the session mechanism
5. Understand javax. servlet. http. httpsession
Vi. httpsession FAQs
7. Cross-Application Session sharing
VIII. Summary
References

I. Term session
In my experience, the word session is abused only after transaction. What's more interesting is that transaction and session have the same meaning in some contexts.

Session, which is often translated as a session in Chinese. Its original meaning refers to a series of actions/messages starting and ending. For example, a series of processes from picking up the phone and dialing to hanging up the phone can be called
One
Session. Sometimes we can see that "during a browser session,...", the session here uses its original meaning, which refers to the period from opening a browser window to closing it.
①. The most confusing is the phrase "a user (client) is in a session", which may refer to a series of actions of the user (generally a series of actions related to a specific purpose, for example, from login to purchase
The online shopping process such as commodity checkout and logout is sometimes called a transaction.
Do not deduce it by context.

However, when a session is associated with a network protocol, it often implies two meanings: "connection-oriented" and "/" persistence,
"Connection orientation" refers to the establishment of a communication channel before the communication parties establish a communication channel, such as a phone call, until the other party receives a telephone communication. In contrast, it refers to writing a letter, when you send the email
It is not possible to confirm whether the recipient's address is correct, and the communication channel may not be established, but for the sender, the communication has started. The "hold State" means that the communication party can associate a series of messages
Messages can be mutually dependent. For example, a waiter can recognize an old customer who visits the store again and remember that the customer owed a dollar to the store. In this example
Session "or" one POP3 session "③.

In the era of vigorous development of web servers, the semantics of sessions in the context of web development has been expanded, 5vd | [xhfqw & O Yu r it
It refers to a kind of solution that is used to maintain the status between the client and the server. Sometimes session refers to the storage structure of this solution, such as "Saving XXX in session
. Various languages used for web development provide support for this solution to a certain extent. Therefore, in a specific language context, session is also used to refer to the solution of this language.
For example, javax. servlet. http. httpsession provided in Java is often referred to as Session 6.

As this confusion cannot be changed, the use of session in this article will also have different meanings according to the context.
In this article, we use the Chinese "browser session period" to express the meaning ①, the "session mechanism" to express the meaning ④, and the "session" to express the meaning ⑤, use the specific "httpsession" to express the meaning 6

Ii. http protocol and status maintenance
HTTP
The Protocol itself is stateless, which is consistent with the original purpose of the HTTP protocol. The client simply needs to request the server to download some files, there is no need to record each other on both the client and server.
Every request is independent, just like the relationship between a customer and a vending machine or a common (non-member) hypermarket.

But smart (or greedy ?) People soon discovered that providing on-Demand dynamic information will make the web more useful, just like adding the on-demand function to cable TV. This demand forces
HTML gradually adds client behaviors such as forms, scripts, and Dom. On the other hand, the CGI specification appears on the server side to respond to the dynamic requests of the client, and the HTTP protocol as the transport carrier is also added
File Upload,
Cookies. Among them, cookies are used to solve the stateless defects of HTTP. As for the later session mechanism
A solution that maintains a status with the server.

Let's use several examples to describe the difference and connection between the cookie and session mechanism. I often went to a coffee shop and offered a free discount for five coffee cups. m soft + B in wwa soft ai1ncuvyo had little chance of consuming five coffee cups at a time, in this case, you need to record the consumption quantity of a customer in some way. Imagine the following solutions:
1. The shop clerk is very good. He can remember the consumption quantity of each customer. As long as the customer enters the coffee shop, the clerk will know how to deal with it. This method is supported by the Protocol itself.
2. Send a card to the customer, which records the consumption quantity and generally has a validity period. For each consumption, if the customer shows this card, the current consumption will be associated with the previous or later consumption. This approach is to maintain the status on the client.
3. Send a membership card to the customer. No information except the card number is recorded. If the customer shows the card at each purchase, then the clerk finds the log corresponding to this card number in the store's record to add some consumption information. This approach is to maintain the status on the server side.

Because the HTTP protocol is stateless and does not need to be stateful for various reasons, the next two solutions have become a realistic choice. Specifically, the cookie mechanism is implemented on the client
The session mechanism adopts the server-side persistence scheme. At the same time, we can also see that because the server-side Persistence Solution also needs to save an identifier on the client,
Therefore, the session mechanism may need to use the COOKIE Mechanism to save the identity, but in fact it has other options.

3. Understanding COOKIE Mechanism
The basic principle of the cookie mechanism is as simple as the above example, but there are several problems to solve: how to distribute "membership cards", the content of "membership cards", and how customers use "membership cards ".

The orthodox cookie distribution is implemented by extending the HTTP protocol. The server prompts the browser to generate the corresponding cookie by adding a special line in the HTTP response header. However, pure client scripts such as JavaScript or VBScript can also generate cookies.

Cookie
The browser automatically sends messages to the server in the background according to certain principles. The browser checks all stored cookies. If the declared range of a cookie is greater than or equal
The cookie is attached to the HTTP request header of the requested resource and sent to the server. This means that McDonald's membership card can only be presented in McDonald's store.
Your membership card. When you enter the store, you must present the McDonald's membership card and the membership card of the store.

Cookie content mainly includes: name, value, expiration time, path and domain.
The domain can specify a domain such as .google.com, which is equivalent to a main store sign. For example, Procter & Gamble can also specify a specific machine in a domain such as www.google.com or froogle.google.com, you can use rejoice for comparison.
The path is the URL path following the domain name, for example, // or/Foo. You can use a certain rejoice counter to compare it.
The combination of paths and domains constitutes the scope of cookie.
If no expiration time is set, it indicates that the life cycle of the cookie is the browser session period. When the browser window is closed, the cookie disappears. This life cycle is the browser session period
A cookie is called a session cookie. Session cookies are generally stored in the memory instead of on the hard disk. Of course, this behavior is not standardized. If the expiration time is set, the browser
The cookie is saved to the hard disk, closed, and then opened again in the browser. These cookies are still valid until the specified expiration time is exceeded.

Cookie stored on hard disk
It can be shared between different browser processes, such as two IE Windows. For Cookies stored in the memory, different browsers have different processing methods. For IE, in an open window, press
The window opened by Ctrl-N (or from the File menu) can be shared with the original window, while the new ie process in other ways cannot share the memory cookies of the opened window;
Mozilla
Firefox0.8, all processes and tabs can share the same cookie. Generally, the window opened with window. Open in Javascript will be different from the original window.
Shared Memory cookie. The browser's method of processing session cookies that only recognize cookies and do not recognize people is often caused by the web application developers who adopt the session mechanism.
Big headache.

The following is an example of how goolge sets the cookie response header.
HTTP/1.1 302 found
Location: http://www.google.com/intl/zh-CN/
Set-COOKIE:
Pref = id = 0565f77e132de138: nw = 1: TM = 1098082649: LM = 1098082649: S = kaeacfpo49ria_d8;
Expires = Sun, 17-Jan-2038 19:14:07 GMT; Path =/; domain = .google.com
Content-Type: text/html

This is part of the HTTP Communication record captured by the HTTP sniffer software httplook.

The browser automatically sends a cookie when accessing goolge resources again.

Using Firefox, you can easily observe the existing cookie values.
Using httplook with Firefox can easily understand how cookies work.

Ie can also be set to ask before accepting cookies

This is a dialog box asking to accept cookies.

4. Understanding the session mechanism
The session mechanism is a server-side mechanism. The server uses a structure similar to a hash (or a hash) to save information.

When the program needs to create a session for a client request, the server first checks whether the client request contains a session ID
Session ID. If a session ID is included, it indicates that a session has been created for this client before, and the server will
The session is used for retrieval (if the session cannot be retrieved, a new one may be created). If the client request does not contain the session
The client creates a session and generates a session ID associated with the session,

M ~ IJ soft education 7 @

The value of the session ID should be a string that is neither duplicated nor easily found to be counterfeited. The session ID will be returned to the client for saving in this response.

Save this session
In this way, the browser can automatically display the ID to the server according to the Rules during the interaction. Generally, the cookie name is similar
Seeesionid, and. For example, for the cookie generated by Weblogic for Web applications, JSESSIONID =
Byok3vjfd75apnrf7c2hmdnv6qzcebzwowibyenlerjq99zwpbng! -145788764. Its name is
JSESSIONID.

Because cookies can be artificially disabled, there must be other mechanisms to enable session
ID is passed back to the server. A frequently-used technology called URL rewriting is to rewrite the session
The ID is directly appended to the URL path, and there are two ways to attach it. One is as an additional URL path information, in the form of http ://..... /xxx; JSESSIONID = byok3vjfd75apnrf7c2hmdnv6qzcebzwowibyenlerjq99zwpbng! -145788764
The other is appended to the URL as a query string, in the form of http: //.../XXX? JSESSIONID = byok3vjfd75apnrf7c2hmdnv6qzcebzwowibyenlerjq99zwpbng! -145788764
There is no difference between the two methods for users. The Fv of 7: Network Yu 'xr is only handled differently by the server during parsing, the first method also helps to distinguish the session ID information from the normal program parameters.
To maintain the status throughout the interaction process, the session ID must be included after the path that each client may request.

Another technique is form hidden fields. The server automatically modifies the form and adds a hidden field so that the session ID can be passed back to the server when the form is submitted. For example, the following form
<Form name = "testform" Action = "/XXX">
<Input type = "text">
</Form>
It will be rewritten
<Form name = "testform" Action = "/XXX">
<Input type = "hidden" name = "JSESSIONID" value = "byok3vjfd75apnrf7c2hmdnv6qzcebzwowibyenlerjq99zwpbng! -145788764 ">
<Input type = "text">
</Form>
This technology is rarely used now. I have used iplanet6, the predecessor of the SunONE application server.
In fact, this technology can be simply replaced by rewriting the URL of the action application.

When talking about the session mechanism, we often hear the misunderstanding that "the session disappears as long as the browser is closed ". In fact, you can imagine an example of membership card, unless the customer takes the initiative to store
Propose a sales card, otherwise the store will never easily Delete the customer's information. The same applies to sessions. Unless the program notifies the server to delete a session, the server will keep the session.
Generally, logs are performed by users.
When off, send a command to delete the session. However, the browser will never notify the server that it will close before it closes, so the server will not have the chance to know that the browser is closed.
In this case, most session mechanisms use session cookies to save session IDs. After the browser is closed, this session
The ID disappears, and the original session cannot be found when the server is connected again. If the cookie set by the server is saved to the hard disk, or you can rewrite
In the HTTP request header, the original session ID is sent to the server, and the original session can still be found when the browser is opened again.

It is precisely because closing the browser will not cause the session to be deleted, forcing the server to set an expiration time for the seesion. When the last time the session was used by the client exceeds this expiration time, the server considers that the client has stopped the activity before deleting the session to save storage space.

5. Understand javax. servlet. http. httpsession
Httpsession is the Java platform's Implementation specification for the session mechanism, because it is only an interface, specific to the provider of each Web application server, in addition to the support for the specification, there are still some minor differences that are not specified in the specification. Here we use the Weblogic server8.1 of BEA as an example.

First, WebLogic
Server provides a series of parameters to control the implementation of its httpsession, including using the cookie switch option, using the URL rewrite switch option, session holding
For example, set the cookie name, path, domain, and cookie survival time.

Generally, sessions are stored in the memory. When the server process is stopped or restarted, the sessions in the memory are also cleared. If session persistence is set
Feature, the server will save the session to the hard disk. When the server process restarts or the information can be used again, WebLogic
The persistence modes supported by server include file, database, and client cookie storage and replication.

Replication is not stored persistently, because the session is actually stored in the memory, but the same information is copied to the server processes in each cluster, in this way, even if a server process stops working, the session can still be obtained from other processes.

The cookie survival time setting affects whether the cookie generated by the browser is a session cookie. Session cookies are used by default. If you are interested, you can use it to test the misunderstanding we mentioned in section 4.

The Cookie Path is a very important option for Web applications. WebLogic Server's default processing method for this option makes it significantly different from other servers. We will discuss this topic later.

Session settings reference [5] http://e-docs.bea.com/wls/docs70/webapp/weblogic_xml.html#1036869

Vi. httpsession FAQs
(In this section, the session meaning is a mixture of 5 and 6)

1. When the session is created
A common misunderstanding is that the session is created when a client accesses it. However, the fact is that the session is called by a server program.
A statement such as httpservletrequest. getsession (true) is created. Note that if JSP is not displayed, <%
@ Page session = "false" %> when the session is closed, the JSP file is automatically added to the servlet during compilation.
Httpsession session = httpservletrequest. getsession (true); this is also implicit in JSP
The origin of the session object.

Because the session consumes memory resources, if you do not plan to use the session, you should disable it in all JSPs.

2. When the session is deleted
Based on the previous discussion, the session is deleted under the following circumstances. the program calls httpsession. invalidate (); or B. the interval between the session ID sent by the client last time exceeds the Session Timeout setting; or c. server process stopped (non-persistent session)

3. How to delete a session when the browser is closed
Strictly speaking, this cannot be done. One way to do this is to use the JavaScript code window. oncolose on all client pages to monitor the closing action of the browser, and then send a request to the server to delete the session. However, there is no way to break down the browser or forcibly kill the process.

4. Why is there an httpsessionlistener?
You can create listener to monitor the creation and destruction events of sessions, so that you can do some relevant work when such events occur. Note that the session creation and
The destroy action triggers the listener instead of the opposite. Similar listener related to httpsession also has
Httpsessionbindinglistener, httpsessionactivationlistener and
Httpsessionattributelistener.

5. Must the objects stored in the session be serializable?
Not required. Objects are required to be serializable only for the session to be copied in the cluster or to be permanently saved or, if necessary, the server can temporarily swap the session out of memory.
If you place an unserializable object in the WebLogic Server session, you will receive a warning on the console. If one of the iPlanet versions I have used
The session contains non-serializable objects. An exception occurs when the session is destroyed, which is strange.

6. How can I properly handle the possibility of disabling cookies on the client?
Use URL rewriting for all URLs, including hyperlinks, form actions, and redirection URLs. For more information, see [6].
Http://e-docs.bea.com/wls/docs70/webapp/sessions.html#100770

7. Opening two browser windows to access the application will use the same session or different sessions
For more information, see section 3 on cookie. For session, the session only recognizes IDs and does not recognize people. Therefore, different browsers, different window opening methods and different cookie storage methods will affect the answer to this question.

8. How to Prevent session confusion caused by opening two browser windows?
This problem is similar to preventing forms from being submitted multiple times. It can be solved by setting the token of the client. That is, each time the server generates a different ID and returns it to the client, it is stored in the session,
The client must also return this ID to the server when submitting the form. The program first checks whether the returned ID is consistent with the value saved in the session. Otherwise, this operation has been submitted.
See the section on presentation layer in J2EE Core mode. Note that for Javascript
Window. open window, usually do not set this ID, or use a separate ID, in case the main window cannot be operated, it is recommended that you do not modify the window opened by window. Open
Operation.

9. Why do I need to call session. setvalue again after changing the session value in Weblogic server?
The main purpose of this operation is to prompt that the WebLogic Server session value has changed in the cluster environment. You need to copy the new session value to other server processes.

10. Why does the session disappear?
In addition to excluding the normal failure of the session, the server itself may be very unlikely, although the author also encountered a problem in the Solaris version of iplanet6sp1 with a number of patches
When I got there, the possibility of browser plug-ins is second, and the author also encountered problems caused by 3721 plug-ins. Theoretically, the firewall or proxy server may also have problems in cookie processing.
Most of the reasons for this problem are program errors. The most common reason is to access another application in one application. We will discuss this issue in the next section.

7. Cross-Application Session sharing

It is often the case that a large project is divided into several small projects for development. In order to be able to do not interfere with each other, each small project is required to be developed as a separate web application, but at last a few
Small projects need to share some information, or want to use session to implement SSO (Single Sign
On), stores Login User information in a session. The most natural requirement is that applications can access each other's sessions.

However, according to the servlet specification, the scope of the session should be limited to the current application. Different applications cannot access each other's sessions. Various Applications
The actual effect of the server is the same, but the implementation details may vary. Therefore, the methods for cross-application session sharing are also different.

First, let's take a look at how Tomcat isolates sessions between Web applications. From the cookie path set by Tomcat, it sets different cookie paths for different applications, v] BD tutorial B % soft n7l. The session IDs used by different applications such as Jr Z are different, therefore, even if you access different applications in the same browser window, the session IDs sent to the server may be different.

Based on this feature, we can infer that the memory structure of the session in Tomcat is roughly as follows.

I used iPlanet in the past in the same way. It is estimated that there will not be much difference between SunONE and iPlanet. For servers in this way, the solution is simple,
It is not difficult to implement it. Either allow all applications to share a session ID or allow the application to obtain the session ID of other applications.

IPlanet has a very simple way to share a session ID, that is, to set the Cookie Path of each application to/(actually it should be/nasapp, for an application, it serves as the root ).
<Session-Info>
<Path>/nasapp </path>
</Session-Info>

It should be noted that the shared session operation should follow some programming conventions. For example, adding the prefix of the application before the session attribute name makes
Setattribute ("name", "Neo") to setattribute ("app1.name ",
"Neo") to prevent namespace conflicts and overwrite each other.

In tomcat, there is no such convenient choice. In tomcat version 3, we can also share sessions. For Tomcat Versions later than version 4, the author still
No simple method is found. You can only use the power of a third party, such as using files, databases, JMS, or client cookies, URL parameters, or hidden fields.

Let's take a look at how WebLogic Server Processes sessions.

From the screenshot, we can see that the cookie path set by Weblogic server for all applications is/,} U (in CX, the L3 network in S mentions 4niny
Does it mean
In the server, the default session can be shared? However, a small experiment proves that even if different applications use the same session, each application can only access
The attributes you set. This indicates that the memory structure of the session in WebLogic Server may be as follows:

For such a structure
The session mechanism should be impossible to solve the session sharing problem. In addition to the power of third parties, such as using files, databases, JMS, or clients
Cookie, URL parameters, or hidden fields. Another convenient method is to put the session of an application in servletcontext.
The other application can get the reference of the previous application from servletcontext. The sample code is as follows,

Application
Context. setattribute ("Appa", session );

Application B
Contexta = context. getcontext ("/Appa ");
Httpsession sessiona = (httpsession) contexta. getattribute ("Appa ");

It is worth noting that this kind of usage cannot be transplanted, because according to the javadoc of servletcontext, the application server can be in security for context. getcontext ("/Appa"); returns a null value. The preceding method is used in WebLogic Server 8.1.

WebLogic
Why does the server set the Cookie Path of all applications? It was originally for SSO. All applications that share this session can share the authentication information. I
This can be proved by a simple experiment. Modify the weblogic. XML descriptor of the application that is logged on first, and change the Cookie Path to/Appa.
If you access another application, you will be requested to log on again. Even if you access the application whose Cookie Path is/And then access the modified path, you will not be prompted to log on.
Information is also lost. Note that the form authentication method should be used in this experiment, because browsers and web servers have other processing methods for the basic authentication method, and the second request authentication does not pass
Session. For details, see [7] secion 14.8 authorization. You can modify the example program to perform these experiments.

VIII. Summary
The session mechanism is not complex, but its implementation and configuration flexibility make the specific situation complex and changeable. This also requires us not to regard the experience of a single browser or server as a general experience, but to always analyze the specific situation.
Abstract: Although the session mechanism has been adopted in Web applications for a long time, many people still do not know the nature of the session mechanism, and even cannot correctly apply this technology.
This article will discuss in detail the working mechanism of the session and answer frequently asked questions about the application of the session mechanism in Java Web applications.