Recently, during the development of the project, I encountered an issue where Android and the Web server were communicating under the same session.
First, a review of sessions and cookies before solving the problem:
Both cookies and sessions are used to save state information. They are mechanisms for preserving the client's state, and both exist to work around the statelessness of HTTP.
Sessions can be implemented with cookies or through URL rewriting.
There are obvious differences between the cookie and the session:
1) A cookie saves the state on the client, and a session saves the state on the server side;
2) Cookies are small pieces of text that the server stores on the local machine and that are sent to the same server with each request. The web server sends cookies to the client using HTTP headers; on the client, the browser parses the cookies, saves them as a local file, and automatically attaches them to any request to the same server.
3) A session is kept per user: the values of its variables are saved on the server, and a session ID distinguishes one user's session variables from another's. The user's browser returns this value to the server on each access; when the client disables cookies, the value can also be configured to be returned to the server via GET;
4) As far as security is concerned: when you visit a site that uses sessions, a cookie is created on your own machine. The session mechanism on the server side is considered the more secure of the two, because it does not arbitrarily read the information stored on the client.
Session mechanism
The session mechanism is a server-side mechanism that uses a hash-like structure (or perhaps a hash table) to hold information.
When a program needs to create a session for a client's request, the server first checks whether the request includes a session identifier, called the session ID. If it does, a session was previously created for this client, and the server retrieves that session using the session ID (if it cannot be retrieved, the server may create a new one). If the client request does not include a session ID, the server creates a session for this client and generates a session ID associated with it. The session ID value should be a string that is neither duplicated nor follows a pattern that is easy to discover and imitate. The session ID is returned to the client in this response to be saved.
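The lookup-or-create flow described above, as an added example that is not part of the original article or of any servlet container. The class SessionTable and its methods are hypothetical names; the 128-bit ID length is an assumption.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Illustrative session table (hypothetical class, not a servlet container's code). */
public class SessionTable {
    private static final SecureRandom RNG = new SecureRandom();
    // session ID -> per-user attribute map (the hash table that holds session state)
    private final Map<String, Map<String, Object>> sessions = new ConcurrentHashMap<>();

    /** Draws a 128-bit ID from a CSPRNG so IDs neither repeat nor follow a guessable pattern. */
    private static String newSessionId() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Returns the ID to send back: the presented one if it names a live session, else a new one. */
    public String resolve(String presentedId) {
        if (presentedId != null && sessions.containsKey(presentedId)) {
            return presentedId;
        }
        // Missing or unknown ID: never adopt the client's value as the key
        // (that would allow session fixation); issue a server-generated ID.
        String id;
        do {
            id = newSessionId();
        } while (sessions.putIfAbsent(id, new ConcurrentHashMap<>()) != null);
        return id;
    }

    public Map<String, Object> attributes(String id) {
        return sessions.get(id);
    }

    public static void main(String[] args) {
        SessionTable table = new SessionTable();
        String first = table.resolve(null);             // no ID in the request: new session
        table.attributes(first).put("user", "alice");   // constructed sample state
        String again = table.resolve(first);            // same ID presented: same session
        String other = table.resolve("guessed-id");     // unknown ID: fresh session, new ID
        System.out.println("same session reused: " + first.equals(again));
        System.out.println("unknown ID adopted:  " + other.equals("guessed-id"));
        System.out.println("state survives:      " + table.attributes(again).get("user"));
    }
}
```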
How the session is implemented
1) Implementation using cookies
The server assigns a unique JSESSIONID to each session and sends it to the client via a cookie.
When the client initiates a new request, it carries the JSESSIONID in the Cookie header. This allows the server to find the session corresponding to this client.
2) Implementation using URL rewriting
URL rewriting means that the server adds a JSESSIONID parameter to every link in the pages it sends to the browser, so that when the client clicks any link, the JSESSIONID is sent back to the server.
If you enter a URL directly into the browser to request a resource, the session is not matched.
Tomcat's session implementation starts out using the cookie and URL rewriting mechanisms at the same time. If it finds that the client supports cookies, it continues to use cookies and stops using URL rewriting. If cookies are found to be disabled, URL rewriting is always used. When a JSP page uses the session, remember to pass the links in the page through response.encodeURL().
After reviewing sessions and cookies, let's look at why the phone-to-server interaction does not take place under the same session.
1) The reason is simple: the Android phone does not set the session ID in the HTTP request header when accessing the web server. When a web browser is used as the client, each time it initiates a request, the session ID from the interaction (JSESSIONID) is set in the Cookie header, and the server gets the corresponding session based on that session ID rather than creating a new session (unless the session has expired).
Take a request made with java.net.HttpURLConnection as an example:
To obtain the cookie:
import java.net.HttpURLConnection;
import java.net.URL;

URL url = new URL(reqUrl);
HttpURLConnection con = (HttpURLConnection) url.openConnection();
// Get the session ID from the response.
String cookieVal = con.getHeaderField("Set-Cookie");
String sessionId = null;
if (cookieVal != null) {
    // Keep only the leading name=value pair; attributes such as Path follow the first ';'.
    int end = cookieVal.indexOf(';');
    sessionId = end >= 0 ? cookieVal.substring(0, end) : cookieVal;
}
Format of the sessionId value: JSESSIONID=ad5f5c9eeb16c71ec3725dbf209f6178. It is a key-value pair, not a bare value.
To send the cookie:
URL url = new URL(reqUrl);
HttpURLConnection con = (HttpURLConnection) url.openConnection();
if (sessionId != null) {
    // Request headers must be set before the connection is made.
    con.setRequestProperty("Cookie", sessionId);
}
As long as the session ID is set, the web server automatically looks up the corresponding session when it receives the request, which keeps the interaction within the same session.
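An added example, not from the original article: getHeaderField("Set-Cookie") returns only one value, so when the server sets several cookies the session cookie can be missed. This sketch scans every Set-Cookie header for the named cookie; the class name SessionCookie and the sample headers are constructed for illustration.

```java
import java.net.HttpCookie;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/** Illustrative helper (hypothetical class name) for the manual cookie handling above. */
public class SessionCookie {
    /**
     * Finds the named cookie among all Set-Cookie headers, in the shape returned by
     * HttpURLConnection.getHeaderFields(), and returns it as "name=value" ready for
     * the Cookie request header, or null if the server did not set it.
     */
    public static String extract(Map<String, List<String>> headers, String name) {
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            // The status line sits under a null key; header names are case-insensitive.
            if (!"Set-Cookie".equalsIgnoreCase(e.getKey())) {
                continue;
            }
            for (String line : e.getValue()) {
                try {
                    for (HttpCookie c : HttpCookie.parse(line)) {
                        if (c.getName().equals(name)) {
                            return c.getName() + "=" + c.getValue();
                        }
                    }
                } catch (IllegalArgumentException malformed) {
                    // Skip a header that is not a valid cookie instead of failing the request.
                }
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample response headers; the session value is made up.
        Map<String, List<String>> headers = new HashMap<>();
        headers.put(null, Arrays.asList("HTTP/1.1 200 OK"));
        headers.put("Set-Cookie", Arrays.asList(
                "lang=en; Path=/",
                "JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/app; HttpOnly"));
        System.out.println(extract(headers, "JSESSIONID"));
        System.out.println(extract(headers, "missing"));
    }
}
```

On a live connection, pass con.getHeaderFields() as the first argument. Alternatively, installing a java.net.CookieManager with CookieHandler.setDefault(...) makes HttpURLConnection store and resend cookies without any manual header handling.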
Article Source: Http://hi.baidu.com/cuihenrychl/item/a08e18268a01461577272ce4
The Android client keeps the same session as the server