Session Tracking Technology: Session Cookies, URL Rewriting and HttpSession

Source: Internet
Author: User


One, session tracking technology
A session is the period of connection during which a client sends a request and the server returns a response.
HTTP is a stateless protocol: every request is a separate connection, so the client's contextual information cannot be maintained from one request to the next.
Session tracking is the technology used to maintain that information between the client and the server.

Three typical client session tracking solutions:
1, cookies;
2, URL rewriting;
3, hidden form fields;

Two, session cookies
The cookie used for session tracking is called a session cookie. In the servlet specification the session tracking cookie must be named JSESSIONID. It is stored in the browser's memory, which distinguishes it from cookies saved on an external storage device.
Cookies stored in memory cannot be shared between different browser processes; they are shared only among windows of the same browser process (windows that share one process). Cookies stored on external storage devices can be shared across multiple browsers.


Three, URL rewriting
Use URL rewriting instead of cookies to track user sessions when the browser does not support cookies or has them disabled.
Every page must be generated dynamically by a servlet or JSP. Because the session ID appended to the URL is generated dynamically, the URL rewriting mechanism is powerless for jumps from static pages.
Even when dynamic pages are used, the session information is lost if the user leaves the session and comes back through a bookmark or link, because the stored link contains the wrong identity information.

Every URL sent to the client must be encoded by calling the encodeURL() or encodeRedirectURL() method of the HttpServletResponse interface. Call encodeRedirectURL() before calling sendRedirect().

Four, hidden form fields
These can be used only in specific cases: hidden form fields can store session information only when every page is generated dynamically by a form submission.

Five, session tracking in the servlet
The javax.servlet.http.HttpSession interface is the session tracking solution that the servlet API provides.
HttpSession objects are stored on the server side. The interface is only a wrapper around the cookie and URL rewriting techniques, so the server is required to support cookies and can be switched globally to URL rewriting.

1, Accessing the session object associated with the current request: the getSession(boolean) method

During a session, the web container is responsible for maintaining a unique HttpSession object for the client.
For a new session, the web container creates an object that implements the HttpSession interface and encapsulates the data of the current session (stored as a hash table).

Use the getSession() method of HttpServletRequest to access the HttpSession object.
Behind the scenes, the system extracts a user ID from a cookie or from the data attached to the URL by URL rewriting. It then uses that ID as a key into the hash table of previously created HttpSession objects.
If no matching session ID is found, the system creates a new session. By default (cookies not disabled), it also creates an outgoing cookie named JSESSIONID whose unique value represents the session ID.
Because calling getSession() affects the subsequent response, getSession() can only be called before any document content is sent to the client.

Difference with the getSession(boolean) method: when the system finds no session ID associated with the request, true means the method returns a new session and false means the method returns null.

2, Accessing and setting session-related information to maintain session state: the HttpSession getAttribute() and setAttribute() methods

Hash table: an HttpSession object stores the data of the current session (the attributes of the session). Any number of key-value pairs can be stored.
The state of the session is maintained by using the HttpSession getAttribute() method and the setAttribute(String key, Object value) method to read and set the current session data (that is, operations on the hash table).
The setAttribute method replaces any previous attribute. If you do not want it to be replaced, you need to remove the attribute with the removeAttribute(String key) method before setting it.

The setAttribute method triggers the valueBound methods of objects that implement the HttpSessionBindingListener interface, which perform state initialization.
The removeAttribute method triggers the valueUnbound methods of objects that implement the HttpSessionBindingListener interface, which perform state cleanup.

For distributed web applications (a web application marked as distributable, where the system must be able to pass session objects between machines), the attributes of the session need to implement the Serializable interface.

3, Discarding session data
Remove only the data created by your own servlet: the removeAttribute(String key) method.
Delete the entire session (within the web application): the invalidate() method, which you can use to log off the user.
Log the user out of the system and delete all sessions associated with that user (on the web server): the logout() method. Be sure to coordinate the use of the logout command with other web applications.

4, Session timeout interval
The getMaxInactiveInterval() and setMaxInactiveInterval() methods read and set the maximum time that the session is kept without being accessed. The unit is seconds. A negative number indicates that the session never times out. The timeout is maintained by the server.

5, The last time the session was accessed by the client: the getLastAccessedTime() method
It can be used to determine how long the session was inactive between two requests from the client.

6, The time the session was created: the getCreationTime() method, which returns a long

7, The unique ID assigned to the session, which is a string: the getId() method
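The HttpSession calls from this section, together with the encodeRedirectURL() rule from section Three, put into one servlet. This is an added example, not code from the original page; the class name, the "/login" path, the "user" attribute and the 15-minute limit are assumptions, and startSession is meant to be called by the application's own login handler once credentials have been verified.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Date;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: class name, "/login" path and "user" attribute are hypothetical.
public class AccountServlet extends HttpServlet {
    private static final int IDLE_LIMIT_SECONDS = 15 * 60; // assumed policy value

    // Called by the application's login handler after credentials are verified.
    static HttpSession startSession(HttpServletRequest req, String user) {
        HttpSession old = req.getSession(false);   // false: never create here
        if (old != null) old.invalidate();         // discard pre-login session and its ID
        HttpSession fresh = req.getSession(true);  // true: create a new session
        fresh.setAttribute("user", user);
        fresh.setMaxInactiveInterval(IDLE_LIMIT_SECONDS); // unit is seconds
        return fresh;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            // Encode first so the redirect keeps working under URL rewriting.
            resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/login"));
            return;
        }
        resp.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("user: " + session.getAttribute("user"));
        out.println("created: " + new Date(session.getCreationTime()));
        out.println("last access: " + new Date(session.getLastAccessedTime()));
        out.println("timeout (s): " + session.getMaxInactiveInterval());
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpSession session = req.getSession(false);
        if (session != null) session.invalidate(); // logout: drop all session data
        resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/login"));
    }
}
```

Using getSession(false) in doGet and doPost keeps unauthenticated requests from creating empty sessions on the server.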

Six, browser session and server session
Browser session
By default, session tracking is based on cookies stored in browser memory, which differ from cookies stored on external storage devices.
A servlet must explicitly read the JSESSIONID cookie, set its maximum age and path, and add it to the response sent to the client; otherwise the session is interrupted when you exit the browser.
Server session
The server needs to keep the session in memory and removes the session when it has been inactive for longer than the set interval (session timeout).
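The browser-session step described above, as an added example that is not part of the original page. SessionCookies and FALLBACK_MAX_AGE are hypothetical names, setHttpOnly assumes a Servlet 3.0 or later container, and the cookie lifetime is tied to the server-side timeout so the persisted ID does not outlive the session it names.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: SessionCookies and FALLBACK_MAX_AGE are hypothetical.
public final class SessionCookies {
    private static final int FALLBACK_MAX_AGE = 8 * 60 * 60; // assumed cap, seconds

    private SessionCookies() { }

    // Returns true if the JSESSIONID cookie was re-sent with an explicit lifetime.
    public static boolean persist(HttpServletRequest req, HttpServletResponse resp) {
        HttpSession session = req.getSession(false);
        Cookie[] cookies = req.getCookies();       // null when the request has none
        // Only act on a valid session whose ID really arrived in a cookie.
        if (session == null || cookies == null
                || !req.isRequestedSessionIdValid()
                || !req.isRequestedSessionIdFromCookie()) {
            return false;
        }
        for (Cookie c : cookies) {
            if ("JSESSIONID".equals(c.getName())) {
                int timeout = session.getMaxInactiveInterval();
                // A non-positive timeout means the session has no idle limit.
                c.setMaxAge(timeout > 0 ? timeout : FALLBACK_MAX_AGE);
                String path = req.getContextPath();
                c.setPath(path.isEmpty() ? "/" : path);
                c.setHttpOnly(true);               // Servlet 3.0+: hide from scripts
                c.setSecure(req.isSecure());       // HTTPS-only when served over HTTPS
                resp.addCookie(c);
                return true;
            }
        }
        return false;
    }
}
```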

Seven, initializing and cleaning up the state of objects (attributes) bound to the session: the HttpSessionBindingListener listener interface and the HttpSessionBindingEvent event class

The servlet container delivers HttpSessionBindingEvent events to listeners that implement the HttpSessionBindingListener interface.

HttpSessionBindingListener interface methods:
1, valueBound(HttpSessionBindingEvent event): notifies the object when it is bound to the session. Do the initialization here.
2, valueUnbound(HttpSessionBindingEvent event): notifies the object when it is removed from the session. Do the state cleanup here.

HttpSessionBindingEvent methods:
1, getName(): gets the name of the attribute that triggered the event.
2, getValue(): gets the value of the attribute that triggered the event.
3, getSession(): returns the session object.
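A session attribute that uses valueBound and valueUnbound to keep a count of live sessions per user, as an added example that is not part of the original page. LoggedInUser and its registry are hypothetical; the registry is per JVM, and the class is Serializable as section Five requires for distributed applications.

```java
import java.io.Serializable;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.logging.Logger;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

// Added example: LoggedInUser is a hypothetical session attribute class.
public class LoggedInUser implements HttpSessionBindingListener, Serializable {
    private static final long serialVersionUID = 1L;
    private static final Logger LOG = Logger.getLogger(LoggedInUser.class.getName());
    // user name -> number of live sessions holding that user (this JVM only).
    private static final ConcurrentMap<String, Integer> LIVE = new ConcurrentHashMap<>();

    private final String name;

    public LoggedInUser(String name) {
        this.name = name;
    }

    public String getName() {
        return name;
    }

    public static int liveSessions(String name) {
        return LIVE.getOrDefault(name, 0);
    }

    // Initialization: runs when setAttribute binds this object to a session.
    @Override
    public void valueBound(HttpSessionBindingEvent event) {
        LIVE.merge(name, 1, Integer::sum);
        LOG.info("session opened for " + name + " as attribute " + event.getName());
    }

    // Cleanup: runs on removeAttribute, when setAttribute replaces this object,
    // and when the session is invalidated or times out.
    @Override
    public void valueUnbound(HttpSessionBindingEvent event) {
        // Drop the entry once the user's last session is gone.
        LIVE.computeIfPresent(name, (k, n) -> n > 1 ? n - 1 : null);
        LOG.info("session closed for " + name + " as attribute " + event.getName());
    }
}
```

Binding it with session.setAttribute("user", new LoggedInUser(name)) is enough; no deployment descriptor entry is needed because the container calls the listener on the attribute object itself.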


Eight, the listener interfaces in the Java Servlet API

Listener interfaces associated with the session:
javax.servlet.http.HttpSessionActivationListener: for an object bound to a session, the servlet container notifies it when the session is passivated or activated.
javax.servlet.http.HttpSessionAttributeListener: implement this interface if you want to be notified of changes to the list of attributes in the session.
javax.servlet.http.HttpSessionListener: implement this interface if you need to be notified before the session is created or before the session is invalidated; the class that implements the interface must be configured in the web application's deployment descriptor.

Listener interfaces associated with the servlet context:
javax.servlet.ServletContextAttributeListener: implement this interface to be notified when the list of attributes in the servlet context changes; the class that implements the interface must be configured in the web application's deployment descriptor.
javax.servlet.ServletContextListener: implement this interface if you need to be notified when the servlet context object is initialized or destroyed; the class that implements the interface must be configured in the web application's deployment descriptor.

Listener interfaces associated with the request (defined in the Servlet 2.4 specification):
javax.servlet.ServletRequestAttributeListener: notified when an attribute of the request object changes.
javax.servlet.ServletRequestListener: notified when a request object is initialized or destroyed.
