Two implementation mechanisms of session

Source: Internet
Author: User

Some basic things are almost forgotten .....

1. Implement session based on cookies

A session works as follows: the server creates and maintains a Session object for each client to store data. When the session object is created, the server generates a unique ID for it, called the sessionid, and stores that sessionid on the client as a cookie. When the browser accesses the server again, it sends the sessionid back as cookie information, and the server uses it to retrieve the previous session object. Note that the cookie holds only the sessionid; the session data itself, which may be large, is stored in the corresponding session object and maintained centrally by the server. This ensures session data security to a certain extent, but increases the memory overhead on the server.
The cookie that stores the sessionid on the client is cleared when the browser is closed. The interaction that starts when a user opens a browser to access an application and ends when the browser is closed is called a "session". During a session the browser may send multiple requests to the same application; these requests share one session object because they carry the same sessionid.
1. Session working principle
The following servlet is used to demonstrate the working principle of the session:

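    import java.io.IOException;
    import java.io.PrintWriter;
    import java.util.ArrayList;
    import java.util.List;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpSession;

    // The class name is chosen here; the page only gives the doGet method.
    public class TestSessionServlet extends HttpServlet {
        public void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            response.setContentType("text/html");
            PrintWriter out = response.getWriter();
            String option = request.getParameter("option");
            if ("create".equals(option)) {
                // Obtain the HttpSession object (created if none exists yet)
                HttpSession session = request.getSession();
                // Set the maximum inactive interval of the session, in seconds
                session.setMaxInactiveInterval(30);
                // Obtain the list stored in the session
                List list = (List) session.getAttribute("list");
                if (list == null) {
                    list = new ArrayList();
                    list.add("hey");
                    // Add the data to the session
                    session.setAttribute("list", list);
                } else {
                    list.add("hey");
                }
                out.println(list);
            } else if ("invalidate".equals(option)) {
                // getSession(false) returns null instead of creating a session
                HttpSession session = request.getSession(false);
                if (session != null) {
                    // Invalidate the session object
                    session.invalidate();
                }
            }
        }
    }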

The servlet's url-pattern is /testsession.
When the browser requests ".../TST/testsession?option=create", the servlet calls the request's getSession method to obtain the session object. If the server already holds a session object corresponding to the sessionid in the request (carried as cookie information), that session object is returned. Otherwise, a new session object is created and the generated sessionid is sent back to the browser as a cookie in the response. Note: the session object's setMaxInactiveInterval method sets the maximum inactive interval in seconds. If the session object is not accessed during this period, it becomes invalid. This value should be set appropriately with server performance and security in mind (Tomcat sets a default maxInactiveInterval for sessions). If setMaxInactiveInterval is given a negative value, the session never expires. In addition, a session object stores and retrieves data through the setAttribute and getAttribute methods respectively, and the data is held as "name-object" pairs. The HTTP request and response for this request are:

    Request:
    GET /TST/testsession?option=create HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-silverlight, */*
    Accept-Language: zh-cn
    UA-CPU: x86
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
    Host: 192.168.5.100:8080
    Connection: Keep-Alive
    Cookie: JSESSIONID=c69b3053c575ecc8c7fcaf7d189a4fd1

    Response:
    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    Content-Type: text/html;charset=ISO-8859-1
    Content-Length: 12
    Date: Sun, 29 Jun 2008 07:20:41 GMT

    [hey, hey]

Note: the sessionid carried in the request is the same as the previous sessionid. In addition, the HTML text returned in the response contains two "hey" entries, because this request to the servlet adds another String object to the list stored in the session.

When the browser requests ".../TST/testsession?option=invalidate", the servlet calls the invalidate method of the session object to invalidate it. Note that the session object is obtained here with the overloaded method getSession(boolean b). The boolean parameter controls what happens when the current request is not associated with a session object on the server: a new session is created when the parameter is true, and null is returned when it is false.

2. Implement session based on URL rewriting

As described above, the normal use of session objects depends on cookies. Because a client browser may disable cookies for security reasons, URL rewriting should be used so that the session keeps working when the client has cookies disabled.
There are two JSP pages below, 1.jsp and 2.jsp. 1.jsp saves a String object named "hi" to the session object and provides a hyperlink to 2.jsp. 2.jsp obtains the object named "hi" from the session and displays it on the page. Note that the hyperlink URL in 1.jsp is not written directly as "2.jsp" but is processed through the encodeURL method of response.
1.jsp

    <% session.setAttribute("hi", "Do you work or are you a student?"); %>
    <a href="<%= response.encodeURL("2.jsp") %>">2.jsp</a>

2.jsp

    <%= session.getAttribute("hi") %>

Disable cookies in the browser (restart IE), request 1.jsp, and click the link to 2.jsp. The interaction involves two requests, and the corresponding HTTP information is as follows:

    Request 1.jsp:
    GET /TST/session/1.jsp HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-silverlight, */*
    Referer: http://192.168.5.100:8080/TST/session/1.jsp
    Accept-Language: zh-cn
    UA-CPU: x86
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
    Host: 192.168.5.100:8080
    Connection: Keep-Alive

    Response:
    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    Content-Type: text/html;charset=ISO-8859-1
    Content-Length: 33
    Date: Sun, 29 Jun 2008 07:31:36 GMT

    Do you work or are you a student?

Note: because cookies are disabled, the request header does not contain the sessionid; instead, the sessionid is transmitted to the server as part of the request address. This is the meaning of URL rewriting.
The response's encodeURL method decides whether to write the sessionid into the link address based on whether the browser supports cookies.
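
The two tracking mechanisms described above, modeled as a self-contained Java program. This is an added example, not code from the original page or from Tomcat; the class SessionTrackingDemo, its methods, the cookieSeen flag and the in-memory STORE are hypothetical stand-ins for what the servlet container does internally, and the requests in main are constructed.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Added illustration: a toy model of container session tracking, not Tomcat's code.
public class SessionTrackingDemo {
    // Server-side store: sessionid -> that session's attributes.
    static final Map<String, Map<String, Object>> STORE = new HashMap<>();

    // Sessionid from the Cookie header, or null if the browser sent none.
    static String idFromCookie(String cookieHeader) {
        if (cookieHeader == null) return null;
        for (String part : cookieHeader.split(";")) {
            String[] kv = part.trim().split("=", 2);
            if (kv.length == 2 && kv[0].equals("JSESSIONID")) return kv[1];
        }
        return null;
    }
    // Sessionid from a rewritten URL such as /TST/session/2.jsp;jsessionid=ABC?x=1
    static String idFromUrl(String uri) {
        String marker = ";jsessionid=";
        int start = uri.indexOf(marker);
        if (start < 0) return null;
        int end = uri.indexOf('?', start);
        return uri.substring(start + marker.length(), end < 0 ? uri.length() : end);
    }
    // Like getSession(): reuse the session the ID names, otherwise create one.
    static String getSession(String id) {
        if (id != null && STORE.containsKey(id)) return id;
        String fresh = UUID.randomUUID().toString().replace("-", ""); // stand-in ID generator
        STORE.put(fresh, new HashMap<>());
        return fresh;
    }
    // Like encodeURL(): rewrite the link only when no session cookie was received.
    static String encodeURL(String url, String id, boolean cookieSeen) {
        if (cookieSeen) return url;
        int q = url.indexOf('?');
        return (q < 0 ? url : url.substring(0, q)) + ";jsessionid=" + id
                + (q < 0 ? "" : url.substring(q));
    }

    public static void main(String[] args) {
        // Constructed requests: cookies disabled first, then a cookie present.
        String id = getSession(idFromUrl("/TST/session/1.jsp"));
        STORE.get(id).put("hi", "Do you work or are you a student?");
        String link = encodeURL("2.jsp", id, false);
        System.out.println(link);
        System.out.println(STORE.get(getSession(idFromUrl("/TST/session/" + link))).get("hi"));
        System.out.println(encodeURL("2.jsp", id, idFromCookie("JSESSIONID=" + id) != null));
    }
}
```

Because the rewritten link carries the sessionid in the address itself, the ID also shows up wherever URLs are recorded or forwarded, such as server access logs, browser history and the Referer header.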
