Session-related knowledge 02

Source: Internet
Author: User

The following is an example of how Google sets the cookie response header:
HTTP/1.1 302 Found
Location: http://www.google.com/intl/zh-CN/
Set-Cookie: PREF=ID=0565f77e132de138:NW=1:TM=1098082649:LM=1098082649:S=KaeaCFPo49RiA_d8; expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=.google.com
Content-Type: text/html

This is part of an HTTP communication record captured by the HTTP sniffer software HTTPLook.

The browser automatically sends the cookie back when it accesses Google resources again.
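As an added illustration (not code from the original article), the following Python parses the Set-Cookie header shown above and models the rule a browser applies when deciding whether to send the cookie back on a later request. The domain/path/expiry check is a simplified model that ignores the Secure and HttpOnly attributes, and the expired cookie in the usage is a constructed sample.

```python
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample: the Set-Cookie value from the Google response above.
SET_COOKIE = ("PREF=ID=0565f77e132de138:NW=1:TM=1098082649:LM=1098082649:S=KaeaCFPo49RiA_d8; "
              "expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=.google.com")

def parse_set_cookie(header):
    """Split a Set-Cookie value into its name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie

def is_session_cookie(cookie):
    # No expires/max-age: the cookie lives only as long as the browser process.
    return "expires" not in cookie and "max-age" not in cookie

def domain_matches(host, domain):
    # ".google.com" matches google.com itself and any subdomain such as www.google.com.
    suffix = domain.lstrip(".").lower()
    host = host.lower()
    return host == suffix or host.endswith("." + suffix)

def should_send(cookie, url, now=None):
    """Simplified model of the browser's decision to attach the cookie to a request:
    domain and path must match and the cookie must not have expired."""
    now = now or datetime.now(timezone.utc)
    target = urlparse(url)
    if not domain_matches(target.hostname, cookie.get("domain", target.hostname)):
        return False
    if not (target.path or "/").startswith(cookie.get("path", "/")):
        return False
    if "expires" in cookie:
        expires = datetime.strptime(cookie["expires"], "%a, %d-%b-%Y %H:%M:%S GMT")
        if expires.replace(tzinfo=timezone.utc) <= now:
            return False
    return True
```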
Using Firefox, you can easily observe the existing cookie values. Using HTTPLook together with Firefox makes it easy to understand how cookies work.

IE can also be set to ask before accepting a cookie.

This is the dialog box that asks whether to accept a cookie.
4. Understanding the session mechanism
The session mechanism is a server-side mechanism. The server uses a structure similar to a hash table to save information.

When the program needs to create a session for a client request, the server first checks whether the request already contains a session identifier, called the session id. If the request contains a session id, the client has previously created a session, and the server retrieves the session according to that id (if the session cannot be retrieved, a new one may be created). If the client request does not contain a session id, the server creates a session for this client and generates a session id associated with it. The session id value should be a string that is neither duplicated nor easy to find a pattern in and forge; this session id is returned to the client in the response so that the client can save it.
A cookie can be used to save the session id. In this way, the browser automatically presents the id to the server during the interaction, following the cookie rules. Generally, the cookie name is something like SESSIONID. For example, a cookie generated by a web application on WebLogic looks like JSESSIONID=ByOK3vjFD75aPnrF7C2HmdnV6QZcEbzWoWiBYEnLerjQ99zWpBng!-145788764, whose name is JSESSIONID.
Because cookies can be disabled by the user, there must be another mechanism so that the session id can still be passed back to the server when cookies are disabled. A frequently used technique called URL rewriting directly appends the session id to the end of the URL path. There are two forms. One is as additional information on the URL path, in the format http://...../xxx;jsessionid=ByOK3vjFD75aPnrF7C2HmdnV6QZcEbzWoWiBYEnLerjQ99zWpBng!-145788764
The other is appended to the URL as a query string, in the form http://.../xxx?jsessionid=ByOK3vjFD75aPnrF7C2HmdnV6QZcEbzWoWiBYEnLerjQ99zWpBng!-145788764
There is no difference between the two forms for users, but servers handle them differently during parsing; the first form also helps to distinguish the session id from the normal program parameters.
To maintain state throughout the interaction, this session id must be included after the path of every URL the client may request.

Another technique is called form hidden fields. The server automatically modifies the form and adds a hidden field so that the session id is passed back to the server when the form is submitted. For example, the form
<form name="testform" action="/xxx">
<input type="text">
</form>
will be rewritten to
<form name="testform" action="/xxx">
<input type="hidden" name="jsessionid" value="ByOK3vjFD75aPnrF7C2HmdnV6QZcEbzWoWiBYEnLerjQ99zWpBng!-145788764">
<input type="text">
</form>
before being passed to the client.
This technique is rarely used now; I have encountered it in iPlanet6 (the predecessor of the SunONE Application Server).
In fact, it can be replaced simply by rewriting the URL in the form's action attribute.
When talking about the session mechanism, we often hear the misconception that "the session disappears as soon as the browser is closed". Think of the example of a membership card: unless the customer asks the store to cancel the card, the store will not simply delete the customer's information. The same applies to sessions: unless the program tells the server to delete a session, the server keeps it. Generally, the program sends the command to delete the session when the user logs off. However, the browser never notifies the server before it closes, so the server has no opportunity to learn that the browser has been closed. The impression comes from the fact that most session mechanisms use session cookies to save the session id: when the browser is closed, the session id disappears, and the original session cannot be found when the server is contacted again. If the cookie set by the server is saved to the hard disk, or the HTTP request header sent by the browser is rewritten by some means so that the original session id is sent to the server, then the original session can still be found when the browser is opened again.
It is precisely because closing the browser does not cause the session to be deleted that the server is forced to set an expiration time for the session: when the time since the client last used the session exceeds the expiration time, the server can assume that the client has stopped its activity and delete the session to save storage space.
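The lookup-or-create rule, the three ways the id can arrive (cookie, ";jsessionid=" path parameter, "?jsessionid=" query string) and the idle-timeout deletion described above, as an added Python example that is not code from the original article or from any particular server. The request is modelled as a dict with "url" and "cookie" keys, the timeout value is constructed, and the clock is injectable so the expiry rule can be exercised.

```python
import secrets
import time
from urllib.parse import parse_qs, urlparse

COOKIE_NAME = "JSESSIONID"
SESSION_TIMEOUT = 30 * 60  # seconds of inactivity; a constructed value for this example

def extract_session_id(request):
    """Session id from the Cookie header, the ';jsessionid=' path parameter or the
    '?jsessionid=' query string, checked in that order; None if absent."""
    for part in request.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME and value:
            return value
    url = urlparse(request["url"])
    for param in url.params.split(";"):
        name, _, value = param.partition("=")
        if name.lower() == "jsessionid" and value:
            return value
    query = parse_qs(url.query)
    if query.get("jsessionid"):
        return query["jsessionid"][0]
    return None

class SessionStore:
    """Server-side table keyed by session id, with the idle-timeout rule above."""
    def __init__(self, now=time.time):
        self._sessions = {}
        self._now = now  # injectable clock so the timeout can be exercised

    def get_or_create(self, request):
        """Return (session_id, session, created); an unknown, forged or expired id
        is ignored and a fresh session is issued."""
        sid = extract_session_id(request)
        now = self._now()
        session = self._sessions.get(sid)
        if session is not None and now - session["last_access"] <= SESSION_TIMEOUT:
            session["last_access"] = now
            return sid, session, False
        self._sessions.pop(sid, None)  # drop an expired entry
        sid = secrets.token_hex(32)    # 256 random bits: unique and unguessable
        session = {"last_access": now, "data": {}}
        self._sessions[sid] = session
        return sid, session, True

    def expire_idle(self):
        """Housekeeping: delete sessions idle for longer than SESSION_TIMEOUT."""
        now = self._now()
        idle = [s for s, v in self._sessions.items() if now - v["last_access"] > SESSION_TIMEOUT]
        for s in idle:
            del self._sessions[s]
        return len(idle)
```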
5. Understanding javax.servlet.http.HttpSession
HttpSession is the Java platform's specification for implementing the session mechanism. Because it is only an interface, each web application server vendor, in addition to supporting the specification, has some minor differences in details that the specification does not cover. Here we use BEA's Weblogic Server 8.1 as an example.
First, Weblogic Server provides a series of parameters to control its HttpSession implementation, including a switch for using cookies, a switch for using URL rewriting, session persistence settings, session expiration time settings, and various cookie settings such as the cookie name, path, domain, and cookie lifetime.
Generally, sessions are stored in memory. When the server process is stopped or restarted, the sessions in memory are cleared as well. If session persistence is set, the server saves the session to the hard disk so that the information can be used again after the server process is restarted. The persistence methods supported by Weblogic Server include file, database, client cookie storage, and replication.

Replication is not persistent storage in the strict sense, because the session is still kept in memory; however, the same information is copied to every server process in the cluster, so that even if one server process stops working, the session can still be obtained from the other processes.
The cookie lifetime setting affects whether the cookie generated for the browser is a session cookie. Session cookies are used by default. If you are interested, you can use this setting to test the misconception mentioned in section 4.

The cookie path is a very important option for web applications. Weblogic Server's default handling of this option makes it significantly different from other servers. We will discuss this topic later.

For session settings, refer to [5] http://e-docs.bea.com/wls/docs70/webapp/weblogic_xml.html?10=69

6. HttpSession FAQs
(In this section, "session" means a mixture of ⑤ and ⑥.)

1. When the session is created
A common misconception is that the session is created when a client first accesses the application. In fact, the session is not created until a server-side program calls a statement such as HttpServletRequest.getSession(true). Note that if a JSP does not explicitly disable the session with <%@ page session="false" %>, then when the JSP file is compiled into a Servlet the following statement is automatically added: HttpSession session = HttpServletRequest.getSession(true); this is also the source of the implicit session object in JSP.

Because a session consumes memory resources, if you do not plan to use the session, disable it in all JSPs.
2. When the session is deleted
Combining the previous discussion, the session is deleted under the following circumstances: a. the program calls HttpSession.invalidate(); or b. the interval since the client last sent the session id exceeds the session timeout setting; or c. the server process is stopped (non-persistent session).
3. How to delete the session when the browser is closed
Strictly speaking, this cannot be done. One approach is to use javascript window.onclose on all client pages to detect the browser closing and then send a request to the server to delete the session. However, this cannot cope with the browser crashing or its process being forcibly killed.
4. What is an HttpSessionListener?
You can create a listener to watch for session creation and destruction events, so that related work can be done when such events occur. Note that the listener's actions are triggered by the session's creation and destruction, not the other way round. Similar listeners related to HttpSession include HttpSessionBindingListener, HttpSessionActivationListener, and HttpSessionAttributeListener.
5. Must the objects stored in the session be serializable?
Not necessarily. Objects are required to be serializable only when the session must be replicated in a cluster or saved persistently, or when the server needs to temporarily swap the session out of memory. If you place a non-serializable object in a Weblogic Server session, you will receive a warning on the console. In one iPlanet version I have used, if a session contained an object that could not be serialized, an exception occurred when the session was destroyed, which is strange.
6. How can I properly handle the possibility that cookies are disabled on the client?
Rewrite all URLs, including hyperlinks, form actions, and redirection URLs. For more information, see [6] http://e-docs.bea.com/wls/docs70/webapp/sessions.html#100770

7. When two browser windows are opened to access the application, are the same session or different sessions used?
Refer to the discussion of cookies in section 3. As for the session, it only recognizes ids, not people. Therefore, different browsers, different ways of opening windows, and different cookie storage methods will affect the answer to this question.
8. How to prevent session confusion caused by opening two browser windows
This problem is similar to preventing a form from being submitted multiple times. It can be solved by setting a token on the client side: each time, the server generates a different id, returns it to the client, and saves it in the session; the client must return this id to the server when submitting the form, and the program first checks whether the returned id is consistent with the value saved in the session; if not, this operation has already been submitted. See the section on the presentation layer in Core J2EE Patterns. Note that for windows opened with javascript window.open, generally no such id is set for the opened window, or a separate id is used, so that operations in the opened window do not interfere with the main window.
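The token check just described, as an added Python example (not code from the original article or from Core J2EE Patterns): the server saves a fresh unpredictable id in the session and embeds it in the page's testform as a hidden field; on submission the id is compared with the stored one and consumed, so a repeat submission or a stale window is rejected. The field name form_token and the dict used as the session are assumptions of this example.

```python
import secrets

TOKEN_FIELD = "form_token"  # assumed name of the hidden field and of the session attribute

def issue_token(session):
    """Generate a fresh unpredictable id, save it in the session and return it for
    embedding in the form. Issuing a new one overwrites any earlier one."""
    token = secrets.token_urlsafe(32)
    session[TOKEN_FIELD] = token
    return token

def render_form(session, action="/xxx"):
    """Server-side rendering of the page's testform with the token as a hidden field."""
    token = issue_token(session)
    return ('<form name="testform" action="%s">\n'
            '<input type="hidden" name="%s" value="%s">\n'
            '<input type="text">\n'
            '</form>' % (action, TOKEN_FIELD, token))

def validate_and_consume(session, submitted):
    """Accept the submission only if the returned id matches the one in the session,
    then remove it so a repeated submission or a stale window is rejected."""
    expected = session.get(TOKEN_FIELD)
    if expected is None or submitted is None:
        return False
    # constant-time comparison so the check leaks nothing about the stored value
    if not secrets.compare_digest(expected.encode(), submitted.encode()):
        return False
    del session[TOKEN_FIELD]
    return True
```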

9. Why do I need to call session.setValue again after changing a session value in Weblogic Server?
This operation tells Weblogic Server that the session value has changed, so that in a cluster environment the new session value is replicated to the other server processes.
10. Why does the session disappear?
Apart from the normal expiry of the session, a problem in the server itself is possible but very unlikely, although I have encountered one that needed a patch in the Solaris version of iPlanet6SP1; browser plug-ins are the next possibility, and I have also encountered problems caused by the 3721 plug-in. Theoretically, a firewall or proxy server may also mishandle cookies.
Most of the time the cause is a program error. The most common one is accessing another application from within one application. We will discuss this issue in the next section.
