Technical Analysis Report: 2004-09-02
Topic: Session handling in Java Servlets when cookies are disabled
The servlet session (HttpSession) object is created when a user first accesses the web server. The server generates a unique session ID to represent this client, the browser includes that session ID in every subsequent request (either in a cookie or through URL rewriting, a detail you need not worry about yet), and the server uses the ID to recognise the client. You can obtain the session ID with the getId() method, for example:
<%
    out.println("session ID: " + session.getId());
%>
The displayed session ID looks like this:
SESSION ID: 2F892EDF2669858811B8D121119AE90B
By default the server sends the session ID to the client in a cookie, and the browser stores it and returns it with every request, so the server can identify the client from it. If cookies are disabled in the browser, the session ID cannot be stored and cannot be sent back to the server, so session tracking is impossible: even if data really is stored in the HttpSession, it cannot be retrieved on the next request. With the browser's cookie function turned off, the following program will only ever display the message "Session not found, reset!":
<%@ page contentType="text/html; charset=BIG5" %>
<html>
<body>
<h1>
<%
    if (session.getAttribute("info") == null) {
        // first visit, or the client could not send its session ID back
        session.setAttribute("info", "Session Information");
        out.println("Session not found, reset!");
    } else {
        out.println("Session found: " + session.getAttribute("info"));
    }
%>
</h1>
</body>
</html>
If cookies are disabled, the session ID cannot be stored and cannot be sent along with the next request. To keep session tracking working we must use URL rewriting to carry the session ID, and fortunately the container provides a simple way to do this: the response's encodeURL() method automatically adds the session ID to a URL when it is needed, for example:
<%@ page contentType="text/html; charset=BIG5" %>
<html>
<body>
<h1>
<%
    if (session.getAttribute("info") == null) {
        session.setAttribute("info", "Session Information");
        out.println("Session not found, reset!");
    } else {
        out.println("Session found: " + session.getAttribute("info"));
    }
    // encodeURL() appends the session ID to the link only when cookies are not in use
    out.println("<a href='" + response.encodeURL("sessionDemo.jsp") + "'>Session not found, reset!</a>");
%>
</h1>
</body>
</html>
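To see which channel actually delivered the session ID on a given request, here is an added example servlet (not from the original article) written against the javax.servlet API as used by Tomcat up to version 9; the class name and URL mapping are assumptions:

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not from the article: class name and mapping are assumptions.
@WebServlet("/sessionProbe")
public class SessionProbeServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HttpSession session = request.getSession(true); // create one if the client has none
        response.setContentType("text/html; charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("<p>session ID: " + session.getId() + "</p>");
        out.println("<p>new session: " + session.isNew() + "</p>");
        // Which channel carried the ID on this request; both are false on the first visit.
        out.println("<p>ID from cookie: " + request.isRequestedSessionIdFromCookie() + "</p>");
        out.println("<p>ID from URL: " + request.isRequestedSessionIdFromURL() + "</p>");
        // False when the client presented an ID the container no longer knows (expired or made up).
        out.println("<p>ID valid: " + request.isRequestedSessionIdValid() + "</p>");
        // An ID that arrived in the URL is the exposure the article warns about (it lands in
        // browser history, proxy logs and Referer headers), so note it in the server log.
        if (request.isRequestedSessionIdFromURL()) {
            log("session ID received via URL rewriting from " + request.getRemoteAddr());
        }
        // encodeURL() appends ;jsessionid=... only while the container has not yet seen the
        // session cookie come back, so the very first response always carries it in the link.
        String self = response.encodeURL(request.getContextPath() + request.getServletPath());
        out.println("<p><a href=\"" + self + "\">reload</a></p>");
    }
}
```

Load the page twice: on the second request with cookies enabled "ID from cookie" becomes true and the link no longer carries ;jsessionid=, while with cookies disabled only the rewritten link keeps the session alive.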
Simply put, when you follow a URL-rewritten link the browser passes the session ID to the server; however, the session ID now appears in your URL:
http://localhost:8080/myjsp/sessionDemo.jsp;jsessionid=7A2A0BFA32D002D8BB80A5E690A9D10
This is a dangerous piece of information: anyone who obtains it can take over the session tracking for as long as the session is alive, so it is generally recommended that users keep cookies enabled so that the session ID is not exposed in the URL. That is not the topic of this article, however; if we want the application to keep working when cookies are disabled, we must rewrite login.jsp:
<%@ page contentType="text/html; charset=BIG5" %>
<%
    String user = request.getParameter("user");
    String password = request.getParameter("password");
    String memberURL = "http://localhost:8080/myjsp/member.jsp";
    String loginFormURL = "http://localhost:8080/myjsp/form.html";
    if (user == null || password == null) {
        // no credentials submitted: send the client back to the login form at once
        response.setHeader("Refresh", "0;" + loginFormURL);
    } else if (user.equals("Justin") && password.equals("1234")) {
        session.setAttribute("user", user);
        // encodeURL() appends the session ID only if cookies are not in use
        memberURL = response.encodeURL(memberURL);
        response.setHeader("Refresh", "3;" + memberURL);
        out.println(user + " welcome, login successful! You will enter the member page in 3 seconds.");
    } else {
        response.setHeader("Refresh", "3;" + loginFormURL);
        out.println("Wrong user name or password, please log in again (returning to the login form in 3 seconds).");
    }
%>
Alternatively, you can use the response's sendRedirect() method directly. Because sendRedirect() requires a complete address, that is, one that includes http://, you pass the address through the response's encodeRedirectURL() method first; as before, if cookies are enabled the URL is left as it was. login.jsp can then be rewritten as follows:
<%@ page contentType="text/html; charset=BIG5" %>
<%
    String user = request.getParameter("user");
    String password = request.getParameter("password");
    String memberURL = "http://localhost:8080/myjsp/member.jsp";
    String loginFormURL = "http://localhost:8080/myjsp/form.html";
    if (user == null || password == null) {
        response.setHeader("Refresh", "0;" + loginFormURL);
    } else if (user.equals("Justin") && password.equals("1234")) {
        session.setAttribute("user", user);
        // encodeRedirectURL() appends the session ID only if cookies are not in use
        memberURL = response.encodeRedirectURL(memberURL);
        response.sendRedirect(memberURL);
    } else {
        response.setHeader("Refresh", "3;" + loginFormURL);
        out.println("Wrong user name or password, please log in again (returning to the login form in 3 seconds).");
    }
%>
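The login above stores the user in whatever session the client already had. As an added example that is not the article's code, the servlet below performs the same login with sendRedirect() and encodeRedirectURL(), but first invalidates the old session so that a session ID that was exposed in a URL before login never becomes an authenticated session; the class name, mapping and the constant-time credential check are assumptions:

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not the article's own login.jsp: class name and URL mapping are assumptions.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    // The article's demo addresses; sendRedirect() is given absolute URLs as the article does.
    private static final String MEMBER_URL = "http://localhost:8080/myjsp/member.jsp";
    private static final String LOGIN_FORM_URL = "http://localhost:8080/myjsp/form.html";

    // Placeholder for a real credential store (the article's fixed Justin/1234 pair).
    // MessageDigest.isEqual() compares in constant time, so response timing does not
    // reveal how many characters matched.
    private boolean credentialsValid(String user, String password) {
        byte[] expected = "Justin:1234".getBytes(StandardCharsets.UTF_8);
        byte[] given = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, given);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = request.getParameter("user");
        String password = request.getParameter("password");
        if (user == null || password == null || !credentialsValid(user, password)) {
            // One response for missing and for wrong credentials.
            response.sendRedirect(response.encodeRedirectURL(LOGIN_FORM_URL));
            return;
        }
        // Drop the session the client arrived with. If its ID was ever carried in a URL
        // before login, an authenticated session must not keep using it.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true); // fresh ID issued here
        session.setAttribute("user", user);
        // encodeRedirectURL() appends ;jsessionid=... only when the container must
        // fall back to URL rewriting, exactly as in the article's second login.jsp.
        response.sendRedirect(response.encodeRedirectURL(MEMBER_URL));
    }
}
```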
A session has a lifetime: closing the browser or shutting down the server may cause the session to be lost, and when the client has been inactive for a while (Tomcat's default is 30 minutes) the session is invalidated automatically. getMaxInactiveInterval() returns the session's inactivity timeout as a value in seconds, and setMaxInactiveInterval() sets it, also in seconds:
<%
    out.println("Default session life: " + session.getMaxInactiveInterval());
    session.setMaxInactiveInterval(600);
    out.println("Now session life: " + session.getMaxInactiveInterval());
%>
You can also set the default session timeout for the whole application in web.xml:
<session-config>
    <session-timeout>10</session-timeout>
</session-config>
The examples above have been tested on Tomcat; see the demo program at 192.168.1.10 (http://192.168.1.10:8080/demo).
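Note that the web.xml value above is in minutes, whereas setMaxInactiveInterval() takes seconds. As an added example that is not part of the original article, the listener below applies that same 10-minute timeout in code and turns the earlier recommendation to keep session IDs out of URLs into container configuration, using the Servlet 3.0 API (javax.servlet, as on Tomcat 7 to 9); the class name is an assumption.

```java
import java.util.EnumSet;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Added example, not from the article: class name is an assumption.
@WebListener
public class SessionHardeningListener implements ServletContextListener, HttpSessionListener {
    // Same 10 minutes as the article's <session-timeout>10</session-timeout>, but
    // setMaxInactiveInterval() takes seconds, so the conversion is written out.
    private static final int TIMEOUT_MINUTES = 10;

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        // Cookie-only tracking: encodeURL()/encodeRedirectURL() never emit ;jsessionid=...
        // and an ID supplied in the URL is ignored. Clients without cookies lose the session,
        // which is the trade-off the article describes.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true); // keep the ID out of reach of page scripts
        cookie.setSecure(true);   // send only over HTTPS; omit for a plain-HTTP local demo
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        se.getSession().setMaxInactiveInterval(TIMEOUT_MINUTES * 60);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) { }
}
```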