Full access to session-related knowledge
Abstract: Although the session mechanism has been used in web applications for a long time, many people still do not understand its nature, and some cannot even apply the technology correctly. This article discusses the working mechanism of the session in detail and answers frequently asked questions about applying the session mechanism in Java web applications.
Contents:
I. Term session
II. HTTP protocol and state maintenance
III. Understanding the cookie mechanism
IV. Understanding the session mechanism
V. Understanding javax.servlet.http.HttpSession
VI. HttpSession FAQs
VII. Cross-application session sharing
VIII. Summary
References
I. Term session
In my experience, the word session is abused to a degree second only to transaction. More interesting still, transaction and session have the same meaning in some contexts.
Session is often translated into Chinese as 会话 (conversation). Its original meaning is a series of actions or messages with a beginning and an end; for example, the whole process from picking up the phone and dialing to hanging up can be called a session. Sometimes we see a phrase such as "during a browser session, ...", where session is used in its original sense and refers to the period from opening a browser window to closing it ①. The most confusing is the phrase "a user (client) is in a session". It may refer to a series of actions by the user (generally a series of actions related to a specific purpose; for example, an online shopping process from login through purchasing goods to checkout and logout, which is sometimes also called a transaction). However, it may also refer to just a single connection, or it may carry meaning ①; the difference can only be inferred from context ②.
However, when the word session is associated with a network protocol, it often implies "connection-oriented" and/or "state-keeping". "Connection-oriented" means that the communicating parties establish a communication channel before they communicate, as with a phone call, where communication cannot begin until the other party picks up. The contrast is writing a letter: when you send a letter you cannot confirm that the recipient's address is correct, so the channel may never be established, yet for the sender the communication has already begun. "State-keeping" means that one party can associate a series of messages with each other so that the messages can depend on one another; for example, a waiter can recognize a returning customer and remember that the customer still owes the store a dollar. Examples of this kind include "a TCP session" and "a POP3 session" ③.
With the rapid growth of web servers, the meaning of session in the context of web development was extended again: it refers to a class of solutions for maintaining state between the client and the server ④. Sometimes session also refers to the storage structure used by such a solution, as in "saving xxx in the session" ⑤. Because the languages used for web development all support this kind of solution to some extent, in the context of a specific language session is also used to refer to that language's solution; for example, javax.servlet.http.HttpSession is often called session for short ⑥.
In this article, the phrase "browser session period" expresses meaning ①, "session mechanism" expresses meaning ④, "session" expresses meaning ⑤, and the specific "HttpSession" expresses meaning ⑥.
II. HTTP protocol and state maintenance
The HTTP protocol itself is stateless, which is consistent with its original purpose: the client simply asks the server to download some files, and neither the client nor the server needs to record the other's previous behavior. Each request is independent, like the relationship between a customer and a vending machine or an ordinary (non-membership) supermarket.
However, clever (or greedy?) people soon discovered that providing dynamic information generated on demand would make the web more useful, just like adding an on-demand function to cable TV. On the one hand, this demand forced HTML to gradually add client-side features such as forms, scripts and the DOM; on the other hand, the CGI specification appeared on the server side to respond to dynamic requests from the client. HTTP, as the transport carrier, also gained the file upload and cookie features. Cookies were introduced to address the statelessness of HTTP. The session mechanism, which came later, is another solution for maintaining state between the client and the server.
Let's use a few examples to describe the differences and connections between the cookie and session mechanisms. A coffee shop I used to visit often had a free-coffee offer tied to buying five cups. However, there is little chance of a customer buying five cups at once, so the shop needs some way to record how many cups each customer has bought. Imagine the following solutions:
1. The clerk is very capable and can remember how many cups each customer has bought; as soon as a customer walks in, the clerk knows what to do. This approach is the protocol itself supporting state.
2. Give the customer a card that records the number of cups bought and generally has a validity period. At each purchase, if the customer shows the card, the purchase is linked to earlier and later purchases. This approach keeps the state on the client.
3. Give the customer a membership card that records nothing except the card number. At each purchase, if the customer shows the card, the clerk finds the entry for that card number in the store's record book and adds the purchase information. This approach keeps the state on the server.
Because HTTP is stateless, and for various reasons there is no wish to make it stateful, the latter two solutions become the realistic choices. Specifically, the cookie mechanism keeps the state on the client, while the session mechanism keeps the state on the server. We can also see that, because the server-side scheme still needs to store an identifier on the client, the session mechanism may need the cookie mechanism to store that identifier, although in fact it has other options.
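The two realistic schemes from the coffee-shop example, side by side, as an added example that is not part of the original article. The cookie names `cups` and `card`, the function names, the in-memory record book and the rule that the reward is due at five cups are assumptions made for illustration; the point to notice is that the client-side count is taken on trust, while the server-side scheme only accepts card numbers it issued itself.

```javascript
// Web Crypto is a global in browsers and current Node.js; older Node.js exposes it via node:crypto.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const FREE_CUP_AT = 5; // assumption: the offer in the text is reached at five cups

// Scheme 2, state on the client: the cookie itself carries the count.
// The shop keeps no record, so it has to believe whatever number the card shows.
function buyWithPunchCard(cookieHeader) {
  const shown = /(?:^|;\s*)cups=(\d+)(?=;|$)/.exec(cookieHeader || "");
  const cups = (shown ? Number(shown[1]) : 0) + 1;
  return { cups, reward: cups >= FREE_CUP_AT, setCookie: `cups=${cups}` };
}

// Scheme 3, state on the server: the cookie carries only a card number.
const recordBook = new Map(); // card number -> cups bought (hypothetical in-memory store)

// Card numbers are random so that one customer cannot guess another's.
function newCardNumber() {
  const bytes = webCrypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

function buyWithMembershipCard(cookieHeader) {
  const shown = /(?:^|;\s*)card=([0-9a-f]{32})(?=;|$)/.exec(cookieHeader || "");
  // A number the shop never issued is not adopted; the customer gets a fresh card.
  const card = shown && recordBook.has(shown[1]) ? shown[1] : newCardNumber();
  const cups = (recordBook.get(card) || 0) + 1;
  recordBook.set(card, cups);
  return { cups, reward: cups >= FREE_CUP_AT, setCookie: `card=${card}` };
}
```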
III. Understanding the cookie mechanism
The basic principle of the cookie mechanism is as simple as the example above, but several questions remain: how the "membership card" is issued, what the "membership card" contains, and how the customer uses the "membership card".
The orthodox way to issue a cookie is implemented by extending the HTTP protocol: the server adds a special line to the HTTP response header that instructs the browser to create the corresponding cookie. However, pure client-side scripts such as JavaScript or VBScript can also create cookies.
The browser sends cookies to the server automatically, in the background, according to certain rules. It checks all stored cookies, and if the scope declared by a cookie is greater than or equal to the location of the requested resource, the cookie is attached to the HTTP request header for that resource and sent to the server. In other words, a McDonald's membership card can only be presented in a McDonald's store, and if a branch also issues its own membership card, a customer entering that branch presents the branch's card in addition to the McDonald's card.
Cookie content mainly includes: name, value, expiration time, path and domain.
The domain can be a whole domain such as .google.com, which is like the sign of the parent company, for example Procter & Gamble; it can also be a specific machine within a domain, such as www.google.com or froogle.google.com, which is like the Rejoice brand.
The path is the URL path that follows the domain name, such as / or /foo, which is like a particular Rejoice counter.
The combination of path and domain constitutes the scope of the cookie.
If no expiration time is set, the cookie's lifetime is the browser session period, and the cookie disappears as soon as the browser window is closed. Such a cookie is called a session cookie. Session cookies are generally kept in memory rather than on the hard disk, although this behavior is not standardized. If an expiration time is set, the browser saves the cookie to the hard disk, and when the browser is closed and opened again the cookie remains valid until the expiration time has passed.
Cookies stored on the hard disk can be shared among different browser processes, such as two IE windows. For cookies kept in memory, different browsers behave differently. In IE, a window opened by pressing Ctrl-N (or from the File menu) in an already open window shares cookies with the original window, while other new IE processes cannot share the in-memory cookies of windows that are already open. In Mozilla Firefox 0.8, all processes and tabs share the same cookies. Generally, a window opened with window.open in JavaScript shares in-memory cookies with the original window. The way browsers handle session cookies often causes a lot of trouble for web application developers who use the session mechanism.
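The scope and lifetime rules of this section, written out as the check a browser performs before attaching cookies to a request; this is an added example, not code from the original article. The jar contents and function names are constructed for illustration, using the domains and paths that appear in the text.

```javascript
// Constructed cookie jar: names and values are made up; the domains and paths are
// the ones used in the text. expires is a timestamp, or null for a session cookie.
const jar = [
  { name: "chain", value: "a", domain: ".google.com", path: "/", expires: Date.UTC(2030, 0, 1) },
  { name: "branch", value: "b", domain: "froogle.google.com", path: "/", expires: null },
  { name: "counter", value: "c", domain: "www.google.com", path: "/foo", expires: null },
  { name: "stale", value: "d", domain: ".google.com", path: "/", expires: Date.UTC(2001, 0, 1) },
];

// ".google.com" covers google.com and every host below it;
// a full host name such as "www.google.com" covers only that machine.
function domainMatches(cookieDomain, host) {
  const scope = cookieDomain.toLowerCase();
  const h = host.toLowerCase();
  if (!scope.startsWith(".")) return h === scope;
  return h === scope.slice(1) || h.endsWith(scope);
}

// "/foo" covers "/foo" and "/foo/bar" but not "/foobar".
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Build the Cookie request header the browser would attach for this URL.
function cookieHeaderFor(url, cookies, now) {
  const { hostname, pathname } = new URL(url);
  return cookies
    .filter((c) => c.expires === null || c.expires > now)
    .filter((c) => domainMatches(c.domain, hostname) && pathMatches(c.path, pathname))
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Closing the browser ends the browser session period: session cookies are gone,
// unexpired cookies that were saved with an expiration time come back.
function afterBrowserRestart(cookies, now) {
  return cookies.filter((c) => c.expires !== null && c.expires > now);
}
```

The leading-dot convention follows the article; browsers that implement RFC 6265 ignore the leading dot, and a cookie is limited to one exact host only when it was set without a Domain attribute.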