Session tracking technology: session cookies, URL rewriting, and HttpSession

Source: Internet
Author: User

 
I. Session tracking technology
A session is the connection period during which a client sends requests and the server returns responses.
HTTP is a stateless protocol: each connection is independent, and the client's context information is not maintained between connections.
Session tracking is used to maintain the communication state between the client and the server.
 
Three typical client session tracking solutions:
1. Cookies;
2. URL rewriting;
3. Hidden form fields.

II. Session cookie
The cookie used for session tracking is called a session cookie. In the servlet specification, the cookie name for session tracking must be JSESSIONID, and the cookie is stored in browser memory. It is different from a cookie stored on an external storage device.
Cookies stored in memory cannot be shared by different browser processes. They can only be shared by different windows of the same browser process (the windows share one process). Cookies stored on external devices can be shared by multiple browsers.

III. URL rewriting
If the browser does not support cookies or has them disabled, use URL rewriting instead of cookies to track user sessions.
Every page must be generated dynamically by a servlet or JSP. Because the session ID appended to the URL is generated dynamically, URL rewriting cannot work for links in static pages.
Even when dynamic pages are used, session information is lost if the user leaves the session and returns through a bookmark or link, because the stored link contains incorrect identification information.

All URLs sent to the client must be encoded by calling the encodeURL() and encodeRedirectURL() methods of the HttpServletResponse interface. Call encodeRedirectURL() on a URL before passing it to sendRedirect().
 
IV. Hidden form fields
Hidden form fields can be used only in specific situations: they can store session information only when every page is dynamically generated by a form submission.

V. Session tracking in servlets
The javax.servlet.http.HttpSession interface is the session tracking solution provided by the servlet API.
HttpSession objects are stored on the server side. They only encapsulate the cookie and URL rewriting techniques. Therefore, the server is required to support cookies and can switch globally to URL rewriting.

1. Access the session object associated with the current request: the getSession(boolean) method

During a session, the web container is responsible for maintaining a unique HttpSession object for the client.
For a new session, the web container creates an object that implements the HttpSession interface to hold the information of the current session (stored in a hash table).

Use the getSession() method of HttpServletRequest to access the HttpSession object.
Behind the scenes, the system extracts a user ID from the cookie or from the data appended by URL rewriting, and uses that ID as the key to look up the previously created HttpSession object in a built-in hash table.
If no matching session ID is found, the system creates a new session. By default, it also creates an outgoing cookie named JSESSIONID whose unique value represents the session ID.
Because calling getSession() affects the response that follows, you can only call getSession() before sending any document content to the client.

Difference with getSession(boolean): if the system does not find a session ID associated with the request, true means that a new session is returned, and false means that the method returns null.

2. Access and set the information associated with the session to maintain the session state: the getAttribute() and setAttribute() methods of HttpSession

Hash table: the built-in data structure of the HttpSession object, used to store the data of the current session (the session attributes). It can store any number of key-value pairs.
Use the getAttribute() and setAttribute(String key, Object value) methods of HttpSession to read and set the current session data (that is, to operate on the hash table) and so maintain the session state.
The setAttribute() method replaces any previous value of the attribute. If you do not want the attribute to be replaced in place, remove it with the removeAttribute(String key) method before setting it.

The setAttribute() method triggers the valueBound() method of any value that implements the HttpSessionBindingListener interface, which can perform initialization.
The removeAttribute() method triggers the valueUnbound() method of any value that implements the HttpSessionBindingListener interface, which can perform clean-up of its state.

For distributed web applications (the web application is marked as distributable), the system must be able to pass session objects between machines. In this case, the session attributes must implement the Serializable interface.

3. Discard session data
Remove only the data created by your own servlet: the removeAttribute(String key) method.
(Delete within the web application) Delete the entire session: the invalidate() method. You can use this method to log the user out.
(Delete on the web server) Log the user out of the system and delete all sessions associated with that user: the logout() method. Be sure to coordinate the use of logout with the other web applications.

4. Session timeout interval
The getMaxInactiveInterval() and setMaxInactiveInterval() methods read and set the maximum time, in seconds, that a session is kept when it is not accessed. A negative number indicates that the session never times out. The timeout is maintained by the server.

5. The last time the session was accessed by the client: the getLastAccessedTime() method
It can be used to determine the idle time of the client session between two requests.

6. Get the time when the session was created: the getCreationTime() method, which returns a long.

7. Return the unique ID assigned to the session, which is a string: the getId() method
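
The HttpSession calls from items 1 to 7, together with the URL encoding rule from the URL rewriting section, in one servlet. This is an added example, not code from the original page; the class name SessionInfoServlet, the "visits" attribute key, the "logout" parameter and the 15-minute timeout are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet; class name, attribute key and "logout" parameter are assumptions.
public class SessionInfoServlet extends HttpServlet {
    private static final String VISITS = "visits";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // getSession(false) never creates a session: null means the request carried
        // no valid session ID (no cookie, no rewritten URL, or the session timed out).
        HttpSession session = req.getSession(false);

        if (session != null && req.getParameter("logout") != null) {
            session.invalidate();                        // discard the entire session
            resp.sendRedirect(resp.encodeRedirectURL(req.getRequestURI()));
            return;
        }
        if (session == null) {
            // Create the session before any body content is written, so the
            // container can still add the JSESSIONID cookie to the response.
            session = req.getSession(true);
            session.setMaxInactiveInterval(15 * 60);     // idle timeout in seconds
        }

        // Integer is Serializable, so this attribute is safe in a distributed application.
        Integer visits = (Integer) session.getAttribute(VISITS);
        visits = (visits == null) ? 1 : visits + 1;
        session.setAttribute(VISITS, visits);            // replaces the previous value
        long now = System.currentTimeMillis();
        resp.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("new session: " + session.isNew());
        out.println("visits: " + visits);
        out.println("age (s): " + (now - session.getCreationTime()) / 1000);
        out.println("since last access (s): " + (now - session.getLastAccessedTime()) / 1000);
        out.println("timeout (s): " + session.getMaxInactiveInterval());
        // The ID itself is a credential, so show only its length.
        out.println("id length: " + session.getId().length());
        // encodeURL() appends the session ID only when the container decides the
        // client needs URL rewriting (for example, cookies are disabled).
        out.println("next: " + resp.encodeURL(req.getRequestURI()));
        out.println("logout: " + resp.encodeURL(req.getRequestURI() + "?logout=1"));
    }
}
```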

VI. Browser and server sessions
Browser session
By default, session tracking is based on cookies stored in browser memory, which are different from cookies stored on peripheral storage devices.
To keep the session beyond that, the servlet must explicitly read the JSESSIONID cookie, set its maximum validity period and path, and add it to the response sent to the client. Otherwise, the session is interrupted when the user exits the browser.
Server session
The server needs to keep the session in memory. When the session has been inactive for longer than the specified interval (the session timeout), the session is removed.

VII. Initialize and clean up the objects (attributes) bound to the session: the HttpSessionBindingListener listener interface and the HttpSessionBindingEvent event class

The servlet container delivers HttpSessionBindingEvent events to objects that implement the HttpSessionBindingListener listener interface.

HttpSessionBindingListener interface methods:
1. valueBound(HttpSessionBindingEvent event): notifies the object when it is bound to the session. Perform initialization here.
2. valueUnbound(HttpSessionBindingEvent event): notifies the object when it is removed from the session. Perform clean-up of its state here.

HttpSessionBindingEvent methods:
1. getName(): gets the name of the attribute that triggered the event.
2. getValue(): gets the value of the attribute that triggered the event.
3. getSession(): returns the session object.
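
A session attribute that uses the two callbacks to keep a per-user count of live sessions. This is an added example, not code from the original page; the class ActiveUser, its fields and the sessionsFor() helper are assumptions.

```java
import java.io.Serializable;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.logging.Logger;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

// Hypothetical session attribute; class and field names are assumptions for this example.
public class ActiveUser implements HttpSessionBindingListener, Serializable {
    private static final long serialVersionUID = 1L;
    private static final Logger LOG = Logger.getLogger(ActiveUser.class.getName());
    // username -> number of live sessions holding an ActiveUser for that name.
    // Static state is per JVM: in a distributed application each node counts its own.
    private static final ConcurrentMap<String, Integer> SESSIONS = new ConcurrentHashMap<>();

    private final String username;

    public ActiveUser(String username) {
        this.username = username;
    }

    // Called by the container when session.setAttribute(name, this) binds the object.
    @Override
    public void valueBound(HttpSessionBindingEvent event) {
        int n = SESSIONS.merge(username, 1, Integer::sum);
        LOG.info("bound as '" + event.getName() + "': " + username + " now has " + n + " session(s)");
    }

    // Called on removeAttribute(), on replacement by setAttribute(), and when the
    // session is invalidated or times out, so the count is released in every case.
    @Override
    public void valueUnbound(HttpSessionBindingEvent event) {
        // Returning null from the remapping function removes the entry.
        SESSIONS.computeIfPresent(username, (k, n) -> n > 1 ? n - 1 : null);
        LOG.info("unbound from '" + event.getName() + "': " + username);
    }

    public static int sessionsFor(String username) {
        return SESSIONS.getOrDefault(username, 0);
    }
}
```

A servlet would bind it with session.setAttribute("user", new ActiveUser(name)); no deployment descriptor entry is needed because the container calls the listener on the attribute value itself.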

VIII. Listener interfaces in the Java Servlet API

Listener interfaces related to sessions:
javax.servlet.http.HttpSessionActivationListener: if an object is bound to a session, the servlet container notifies this object when the session is deactivated or activated.
javax.servlet.http.HttpSessionAttributeListener: implement this interface if you want to be notified when the attribute list of a session changes.
javax.servlet.http.HttpSessionListener: implement this interface if you need to be notified after a session is created or before a session is invalidated. Classes that implement this interface must be configured in the deployment descriptor of the web application.

Listener interfaces related to the servlet context:
javax.servlet.ServletContextAttributeListener: the listener is notified when the attribute list of the servlet context changes. Classes that implement this interface must be configured in the deployment descriptor of the web application.
javax.servlet.ServletContextListener: implement this interface if you need to be notified when the servlet context object is initialized or destroyed. Classes that implement this interface must be configured in the deployment descriptor of the web application.

Listener interfaces related to requests (defined in the Servlet 2.4 specification):
javax.servlet.ServletRequestAttributeListener: the listener is notified when the attributes of the servlet request object change.
javax.servlet.ServletRequestListener: the listener is notified when a request object is initialized or destroyed.
