HTTP protocol with state hold: HTTP is a stateless protocol
1. scheme to achieve state retention:
1 Modify the HTTP protocol so that it supports status (difficult to do) 2 Cookies: Maintain state information through the client
Cookies are special information that the server sends to the client. The
cookie is saved as text in the client, and it is brought on every request.
3) Session: Maintaining state information through the server side
Session is a series of interaction between the server and the client to
open up the memory space for each client, thus maintaining the state information because of the
need for the client to hold an identity (ID), it also requires the server side and the client to transfer the identity,
identity (ID Can be saved by means of a cookie mechanism or other means
2. COOKIE mechanism
1) The basic features of Cookies
Cookies saved on the client can
only save string objects, cannot save object types
require client browser support: Clients can not support, browser users may disable cookies
2 problems to be solved by using cookies
Creation of cookies
Typically created on the server side (which can also be created by JavaScript) The
server adds special instructions to the HTTP response header, and the browser generates the corresponding cookie after reading the instruction.
What the cookie Stores
Business information ("Key", "value")
Expiration time
domain and path
browser is how to communicate through cookies and servers.
through requests and responses, cookies are loaded into the response header by a cookie passing each request and response between the server and the client,
depending on the cookie's key delivery.
3. COOKIE Programming
1) Cookie class
The Servlet API encapsulates a class: Javax.servlet.http.Cookie, which encapsulates the operation of cookies, including the public
cookie (string name, string value)//construction method, Used to create a cookie
httpservletrequest.getcookies ()//from the HTTP request to obtain the Cookies
Httpservletresponse.addcookie ( Cookies)///To HTTP response add cookie public
int getmaxage ()//Get cookie expiration value public
void setmaxage (int expiry)// Set the expiration time value for a cookie
2) Creation of Cookies
A cookie is a name-value pair (Key=value), and either key or value is a string
such as: cookie visit = new Cookie ("Visit", "1");
3 Type of cookie--Expiration time
Session Cookie
Cookie.setmaxage (-1);//negative integer is
saved in the browser's memory, which means that the browser is closed, and the cookie loses the
normal cookie
cookie.setmaxage (60);//positive integer, in seconds the
browser does not continue to access the server within 1 minutes, and the cookie is obsolete and destroyed (usually in a file)
Note:
cookie.setmaxage (0); Equivalent to not supporting cookies;
4. session mechanism
The Chinese translation of the session is "conversation", and when a user opens a Web application, it generates a time with the Web server. The
server uses session to temporarily save the user's information on the server, the user leaves the site after the session will be destroyed.
This type of user information storage is more secure than cookies, but session has a flaw:
if the Web server does load balancing, the next operation will be lost when it requests another server.
Each time the client sends a request, the service checks to see if it contains SessionID.
if so, the session is retrieved according to the SessionID, and if not, a session is created and a repeating sessionid is bound.
1) Basic characteristics
State information is saved on the server side. This means that security is higher
through similar and hashtable data structures to hold
objects that support any type (a session can contain multiple objects)
2 Techniques for saving session IDs
Cookies
This is the default way to deliver the Jseesionid disadvantage on the client and server side
: The client may disable the cookie
form hidden field
before being passed back to the client, add a hidden field to the form and set the Jseesionid:
<input type=hidden name=jsessionid value= "3948e432f90932a549d34532ee2394"/>
URL Rewrite
An information HttpServletResponse object that attaches to the session ID directly after the URL
provides the following method:
encodeurl (URL);//url is a relative path
5. Session Programming
1) HttpSession interface
The Servlet API defines an interface: Javax.servlet.http.HttpSession, which the servlet container must implement to track the state.
when the browser establishes an HTTP session with the Servlet container, the container automatically generates a HttpSession object through this interface
2) Get session
The HttpServletRequest object gets the session, returns HttpSession:
request.getsession ();//means that if the sessions
object does not exist, a new one is created Request.getsession (TRUE); Equivalent to the above sentence; If the session object does not exist, a new conversation
Request.getsession (false) is created;//indicates that if the session object does not exist, it returns NULL, and no new conversation object is created
3 Session Access information
Session.setattribute (String name,object o)//Save information in session
Object Session.getattribute (string name)// Get information from the session object by name
4 to set the effective time of session
The public void setmaxinactiveinterval (int interval)
sets the maximum inactive interval, in seconds,
and if the argument interval is a negative value, it is never obsolete. Zero does not support session.
To set a session timeout by configuring Web.xml, in minutes
<seesion-config>
<session-timeout>1</session-timeout>
</session-config>
allow two ways to coexist, but the former has higher priority
5 Other common API
6. Comparison of Cookie and session tracking mechanism
Cookie session remains on the
client side of the server
can only keep string objects support various types of objects the
type of cookie that distinguishes cookies through expiration time value requires SessionID to maintain communication
with the client Session cookie--negative Cookie (default)
normal cookie--positive number list hidden field
does not support cookie--0 URL rewrite
Application areas: Web transactions need to save the state of the time, can be used, such as in a distributed scenario can use distributed session technology.
7.token
Token means "token", is the user authentication method, the
simplest token composition: UID (user unique identity), time (the timestamp of the current time),
sign (signed, by the token of the first few + Salt is compressed into a certain length of hexadecimal string by hashing algorithm to prevent malicious third party stitching token request server.
also can put the invariable parameter also puts in the token, avoids many times to check the storehouse.
The difference between 8.token and session
Session is an HTTP storage mechanism designed to provide a persistent mechanism for stateless HTTP. The so-called session certification is simply to store the user information into the session, because the unpredictability of the SID, for the moment is considered safe. This is a means of authentication. and Token, if referring to the OAuth Token or similar mechanism, provides authentication and authorization, authentication is for users, authorization is for app. The goal is to give an app a right to access information about a user. The token here is the only one. It cannot be transferred to other apps, nor can it be transferred to other users. Turn around and say session. Session only provides a simple authentication, that is, there is this SID, that is, the full rights of this user. Is strictly confidential, this data should only exist on the station side, should not be shared to other sites or third-party apps. So simply, if your user data might need to be shared with a third party, or allow a third party to invoke API interfaces, use Token . If you are always your own site, your App, it doesn't matter what you do with it.
Token is a token, for example, when you authorize (login) a program, he is a basis to determine whether you have authorized the software, cookies are written in the client's TXT file, which includes your login information and so on, so that the next time you log on to a website, Automatically invokes the cookie to automatically log in to the username ; The session is almost the same as the cookie , except that the session is written on the server side of the file and also needs to be written on the client Cookie file, but your browser number is in the file . the session state is stored on the server side and the client has only the session ID; token the state is stored on the client .
Reference Source: http://blog.csdn.net/jikeehuang/article/details/51488020 Reference Source: https://www.zhihu.com/question/31079651/ answer/136106134