The difference between session, cookie, token

Source: Internet
Author: User
Tags: data structures, session id

Keeping state over HTTP: HTTP is a stateless protocol


1. Schemes for keeping state:

1) Modify the HTTP protocol so that it supports state (hard to do)
2) Cookie: keep the state information on the client
Cookies are special pieces of information that the server sends to the client. The cookie is saved as text on the client and is sent back with every subsequent request.
3) Session: keep the state information on the server side
A session is a series of interactions between the server and the client: the server allocates memory space for each client and keeps that client's state information there. Because the client must hold an identity (ID), the server and the client also need to exchange that identity; the ID can be carried by the cookie mechanism or by other means.
2. Cookie mechanism

1) Basic characteristics of cookies

Cookies are saved on the client.
They can only hold string values, not object types.
They require client browser support: a client may not support cookies, and a browser user may disable them.

2) Problems that using cookies has to solve

Creation of cookies
Usually created on the server side (they can also be created by JavaScript). The server adds a special instruction to the HTTP response header (the Set-Cookie header), and the browser generates the corresponding cookie after reading that instruction.

What a cookie stores
Business information (key, value)
Expiration time
Domain and path

How the browser and the server communicate through cookies
Through requests and responses: the server puts the cookie into the response header, the client sends it back in the request header on every subsequent request, and cookies are identified by their key.


3. Cookie programming

1) Cookie class

The Servlet API encapsulates a class, javax.servlet.http.Cookie, that wraps the operations on cookies, including:
public Cookie(String name, String value)   // constructor, used to create a cookie
Cookie[] HttpServletRequest.getCookies()   // obtain the cookies from the HTTP request
void HttpServletResponse.addCookie(Cookie cookie)   // add a cookie to the HTTP response
public int getMaxAge()   // get the cookie's expiration value
public void setMaxAge(int expiry)   // set the cookie's expiration time value, in seconds


2) Creation of cookies

A cookie is a name-value pair (key=value), and both the key and the value are strings. For example:
Cookie visit = new Cookie("visit", "1");


3) Types of cookie, by expiration time

Session cookie
cookie.setMaxAge(-1);   // negative integer
Saved in the browser's memory, which means that when the browser is closed the cookie is lost.

Normal cookie
cookie.setMaxAge(60);   // positive integer, in seconds
If the browser does not access the server again within 1 minute, the cookie expires and is destroyed (it is usually saved in a file).

Note:
cookie.setMaxAge(0);   // equivalent to not supporting cookies: the browser deletes the cookie
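The three setMaxAge() cases above, plus getCookies() and addCookie(), in one servlet. This is an added example, not code from the original article; the class name, the "visit" and "seen" cookie names and the reset parameter are assumptions, and setHttpOnly() requires Servlet 3.0 or later.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
// Hypothetical servlet: keeps a visit counter in a "visit" cookie and shows
// the three setMaxAge() cases (positive, negative, zero) described above.
public class VisitCountServlet extends HttpServlet {
    /** Returns the value of the named cookie from the request, or null when absent. */
    static String readCookie(HttpServletRequest req, String name) {
        Cookie[] cookies = req.getCookies();   // null when the request has no Cookie header
        if (cookies != null) {
            for (Cookie c : cookies) {
                if (name.equals(c.getName())) return c.getValue();
            }
        }
        return null;
    }
    /** Parses the client-supplied counter; a cookie value is untrusted input. */
    static int parseVisits(String value) {
        try {
            return value == null ? 0 : Math.max(0, Integer.parseInt(value));
        } catch (NumberFormatException e) {
            return 0;   // tampered or garbage value: start over instead of failing
        }
    }
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Cookie visit = new Cookie("visit", "");
        visit.setPath("/");        // path must match for a later overwrite or delete to apply
        visit.setHttpOnly(true);   // not readable from page scripts (Servlet 3.0+)
        visit.setSecure(true);     // only sent over HTTPS
        int visits = 0;
        if ("1".equals(req.getParameter("reset"))) {
            visit.setMaxAge(0);    // zero: the browser discards the cookie immediately
        } else {
            visits = parseVisits(readCookie(req, "visit")) + 1;
            visit.setValue(String.valueOf(visits));
            visit.setMaxAge(60);   // positive: normal cookie, kept for 60 seconds
        }
        resp.addCookie(visit);
        Cookie inMemory = new Cookie("seen", "1");
        inMemory.setMaxAge(-1);    // negative: session cookie, gone when the browser closes
        resp.addCookie(inMemory);
        resp.setContentType("text/plain");
        resp.getWriter().println("Visits: " + visits);
    }
}
```

Requesting the servlet repeatedly shows the counter climbing while the "visit" cookie is fresh, and requesting it with reset=1 sends a Set-Cookie with Max-Age=0 that removes it.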

4. Session mechanism

The Chinese translation of "session" is "conversation". When a user opens a web application, a session is established with the web server. The server uses the session to temporarily save the user's information on the server side; after the user leaves the site, the session is destroyed.
This way of storing user information is more secure than cookies, but the session has a flaw:
if the web server is load-balanced, the session state is lost when the next request goes to a different server.

Each time the client sends a request, the server checks whether it contains a session ID.
If it does, the session is retrieved according to that session ID; if not, a new session is created and a unique (non-repeating) session ID is bound to it.

1) Basic characteristics

State information is saved on the server side, which means the security is higher.
It is held in a hashtable-like data structure.
It supports objects of any type (one session can contain multiple objects).

2) Techniques for saving the session ID

Cookie

This is the default way of passing the JSESSIONID between the client and the server.
Disadvantage: the client may disable cookies.

Form hidden field
Before the page is sent back to the client, add a hidden field to the form and set the JSESSIONID in it:
<input type="hidden" name="jsessionid" value="3948e432f90932a549d34532ee2394"/>

URL rewrite
The session ID is attached directly to the end of the URL. The HttpServletResponse object
provides the following method:
encodeURL(url);   // url is a relative path

5. Session programming

1) HttpSession interface

The Servlet API defines an interface, javax.servlet.http.HttpSession, which the servlet container must implement to track state.
When the browser establishes an HTTP session with the servlet container, the container automatically generates an HttpSession object through this interface.

2) Getting the session

The session is obtained from the HttpServletRequest object, which returns an HttpSession:
request.getSession();        // if the session object does not exist, a new one is created
request.getSession(true);    // equivalent to the line above: if the session object does not exist, a new session is created
request.getSession(false);   // if the session object does not exist, returns null and does not create a new session object


3) Accessing information in the session

void session.setAttribute(String name, Object o)   // save information in the session
Object session.getAttribute(String name)   // get information from the session object by name

4) Setting the session's effective time

public void setMaxInactiveInterval(int interval)
sets the maximum inactive interval, in seconds.
If the argument interval is negative, the session never expires; zero means the session is not supported.

The session timeout can also be set by configuring web.xml, in minutes:
<session-config>
<session-timeout>1</session-timeout>
</session-config>
The two ways may coexist, but the former (setMaxInactiveInterval) has higher priority.
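The session APIs from sections 5.2 to 5.4 in one login servlet: getSession(true) on login, getSession(false) when only checking, attributes, the inactivity interval, URL encoding and invalidate(). This is an added example, not code from the original article; the class name, the credential check and the /account and /login paths are assumptions, and changeSessionId() requires Servlet 3.1 or later.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet: getSession(true) on login, getSession(false) when only
// checking, attributes, inactivity timeout, URL encoding and invalidation.
public class LoginServlet extends HttpServlet {

    /** Placeholder credential check; a real application verifies against its user store. */
    static boolean credentialsValid(String user, String password) {
        return "demo".equals(user) && "demo-password".equals(password);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!credentialsValid(req.getParameter("user"), req.getParameter("password"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession session = req.getSession(true);   // create the session if none exists
        req.changeSessionId();                        // Servlet 3.1+: fresh ID after login defeats session fixation
        session.setAttribute("user", req.getParameter("user"));   // any Object can be stored
        session.setMaxInactiveInterval(15 * 60);      // seconds; takes priority over web.xml session-timeout
        // encodeRedirectURL() appends ;jsessionid=... only when the client sent no session cookie
        resp.sendRedirect(resp.encodeRedirectURL("/account"));
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);  // never create a session just to answer "who are you?"
        if (session == null || session.getAttribute("user") == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if ("1".equals(req.getParameter("logout"))) {
            session.invalidate();                     // server-side state is gone; the old JSESSIONID is now useless
            resp.sendRedirect(resp.encodeRedirectURL("/login"));
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Hello " + session.getAttribute("user"));
    }
}
```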

5) Other common APIs

6. Comparison of the cookie and session tracking mechanisms

Cookie | Session
Kept on the client side | Kept on the server side
Can only keep string objects | Supports objects of various types
Cookie type is distinguished by the expiration time value | Requires a session ID to maintain communication with the client
  session cookie: negative value | cookie (default)
  normal cookie: positive number | hidden form field
  cookies not supported: 0 | URL rewrite
Application areas: either can be used whenever a web transaction needs to keep state; in a distributed scenario, distributed session technology can be used.

7. Token
Token means a "pass" (令牌) and is a method of user authentication. The simplest token consists of:
uid (the user's unique identity), time (the timestamp of the current time), and
sign (a signature: the preceding fields of the token plus a salt are compressed by a hashing algorithm into a hexadecimal string of fixed length, so that a malicious third party cannot assemble a token and send it to the server).
Parameters that do not change can also be put into the token, which avoids repeated database lookups.
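The uid:time:sign layout above, issued and verified. This is an added example, not code from the original article: it uses HMAC-SHA256 keyed with a server-side secret in place of the article's "hash of the fields plus a salt", which is the standard way to make the sign field unforgeable; the class and method names and the expiry rule are my own.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Token layout uid:time:sign as described above. The sign field is HMAC-SHA256
// over uid and time with a server-side secret (the "salt"), hex-encoded.
public final class SimpleToken {
    private static final String ALG = "HmacSHA256";
    private final byte[] secret;       // kept on the server only; never sent to a client
    private final long maxAgeSeconds;  // how long a token stays valid after its timestamp

    public SimpleToken(byte[] secret, long maxAgeSeconds) {
        this.secret = secret.clone();
        this.maxAgeSeconds = maxAgeSeconds;
    }
    private String sign(String uid, long time) {
        try {
            Mac mac = Mac.getInstance(ALG);
            mac.init(new SecretKeySpec(secret, ALG));
            byte[] out = mac.doFinal((uid + ":" + time).getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder(out.length * 2);
            for (byte b : out) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
    /** Issues a token for uid (which must not contain ':') at unix time nowSeconds. */
    public String issue(String uid, long nowSeconds) {
        if (uid.isEmpty() || uid.indexOf(':') >= 0) throw new IllegalArgumentException("bad uid");
        return uid + ":" + nowSeconds + ":" + sign(uid, nowSeconds);
    }
    /** Returns the uid when the token is genuine and unexpired, otherwise null. */
    public String verify(String token, long nowSeconds) {
        String[] p = token.split(":", -1);
        if (p.length != 3 || p[0].isEmpty()) return null;
        long time;
        try { time = Long.parseLong(p[1]); } catch (NumberFormatException e) { return null; }
        byte[] expected = sign(p[0], time).getBytes(StandardCharsets.UTF_8);
        byte[] given = p[2].getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, given)) return null;   // constant-time comparison
        if (time > nowSeconds || nowSeconds - time > maxAgeSeconds) return null;   // future-dated or expired
        return p[0];
    }
}
```

Calling issue("42", now) and then verify() with the same secret returns "42" while the token is within maxAgeSeconds; any change to the uid, time or sign field, or a token older than maxAgeSeconds, makes verify() return null.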

8. The difference between token and session

A session is an HTTP storage mechanism designed to give the stateless HTTP protocol a persistence mechanism. So-called session authentication simply means storing the user's information in the session; because the session ID (SID) is unpredictable, this is for now considered safe. It is a means of authentication. A token, if it refers to an OAuth token or a similar mechanism, provides both authentication and authorization: authentication is for the user, authorization is for the app. The goal is to give an app the right to access a particular user's information. The token here is unique: it cannot be transferred to another app, nor to another user. Back to the session: a session only provides simple authentication, that is, whoever holds the SID has the full rights of that user. It is strictly confidential; this data should exist only on the site's own side and should not be shared with other sites or third-party apps. So, simply put: if your user data may need to be shared with a third party, or you allow a third party to call your API, use a token. If it is always your own site and your own app, it does not matter which one you use.

A token is a credential: for example, when you authorize (log in to) a program, it is the basis on which the software decides whether you have authorized it. Cookies are written to a text file on the client, which includes your login information and so on, so that the next time you visit the website the cookie is used automatically to log you in with your username. The session is almost the same as the cookie, except that the session is written to a file on the server side, and a cookie file is still needed on the client, but that file only contains your browser's number (the session ID). In short: session state is stored on the server side and the client holds only the session ID; token state is stored on the client.



Reference sources: http://blog.csdn.net/jikeehuang/article/details/51488020 and https://www.zhihu.com/question/31079651/answer/136106134
