About session and implementation of a session method across context (JSP-servlet technology) Abstract: Although the session mechanism has been used for a long time in web applications, there are still many people don't know the essence of the session mechanism, so that it can't be correct Application technology. This article will discuss the work mechanism of session in detail and give a solution for problems such as the application of the session mechanism in Java Web Application. Directory: First, the term session II, HTTP protocol and status keep three, understand the cookie mechanism, understand the session mechanism 5, understand the Javax.Servlet.http.httpsession 6, httpsession FAQ seven, the session of the cross-adopted program Shared eight, summary reference Document 1, term session in my experience, SESSION This word is abused only in Transaction, more interesting is the meaning of Transaction and Session in certain contexts. Session, Chinese often translates as a session, which means that there is a series of operations / messages that have ended events, such as picking up a phone, dialing to hang up the phone, can be called a session. Sometimes we can see that "during a browser session, ...", the term "session here is why, refers to the opening of this period from a browser window. The most confusing "user (client) is in a session", which may refer to a series of actions of the user (in general, a series of actions related to a specific purpose, such as logging in to purchase goods The process of checking such an online shopping will sometimes be called a transaction, but sometimes it is only a connection, or it may refer to the meaning of the meaning, which can only rely on the context. 2. However, when the session is associated with the network protocol, it often implies two meanings such as "connection" and / or "keep state", "connection" refers to the establishment before communication between communication. A communication channel, such as calling until the other party picks up the phone communication, and this is written, when you go out, you can't confirm that the other party's address is correct, communication channels are not necessarily established But for the sender, communication has begun. "Keep State" means that the communication of communication can associate a series of messages, so that the messages can be dependent on each other, such as one waiter can recognize the old customers who come again and remember the last time this customer still owe a piece of money. . This example has an "a TCP session" or "a pop3 session" 3. In the era of a web server flourishing, Session has new extensions in the language of the web development, and its meaning refers to a solution for maintaining status between client and servers 4. Sometimes Session is also used to refer to the storage structure of this solution, such as "save XXX in session" 5. Since various languages for web development provide support for this solution to some extent, SESSION is also used to refer to solutions for this language in a certain degree of language. The javax.servlet.http.httpsession provided in Java is referred to as Session 6. In view of this confusion, it is no longer changing. The application of the session in this article will also have different meaning according to the context, please pay attention to distinguish.
In this article, express the meaning of the meaning of "SESSION" to express the meaning of "SESSION mechanism", use the "session" expression meaning 5, use the specific "httpsession" to express the meaning 6 II, HTTP protocol The state keeps the HTTP protocol itself is stateless, which is compliant with the HTTP protocol, and the client only needs to download some files to the server, whether it is the client or the server, there is no need to record each other's past behavior. Every request is independent, like a customer and a vending machine or an ordinary (non-member system) supermarket. However, smart (or greedy?) Will soon find that if you can provide some dynamic information generated on demand, it will make the web more useful, just like a game with a TV with a cable TV. On the other hand, this demand is forcing HTML to gradually add client behavior, and on the other hand, the CGI specification appears in the server side to respond to the dynamic request of the client, and the HTTP protocol as the transmission carrier also adds a file upload. , Cookie these features. Where the cookie's role is to solve the efforts of the HTTP protocol stateless defects. As for later SESSION mechanisms, it is another solution that holds a state between the client and the server. Let us use several examples to describe the differences and links between cookie and session mechanisms. The author used a coffee shop for a coffee shop to drink 5 cups of coffee for free, a discount of a cup of coffee, but a one-time consumption of 5 cups of coffee is minimal, then you need some way to record a certain number of customers. Imagine a few options that do not have the following: 1, the store's clerk is very powerful, you can remember the number of consumption of each customer, as long as the customer walks into the coffee shop, the clerk knows how to treat it. This approach is that the agreement itself supports state. 2. Send a card with a card, which records the number of consumption, which generally has a valid period. Each time consumption, if the customer presents this card, the consumption will be linked to the previous or subsequent consumption. This approach is to keep the state in the client. 3, send a member card, in addition to the information other than the card number, no record, each time consumption, if the customer presents the card, the clerk finds the record corresponding to this card, add some consumption information. Add some consumption information. . This approach is to keep the status at the server side. By the HTTP protocol, it does not want to make it in place for all kinds of considerations. Therefore, the following two programs become a reality choice. Specifically, the cookie mechanism uses a scheme that holds a state in the client, while the Session mechanism uses a scheme that holds a status on the server side. At the same time, we also see that since the scheme in which the server is used to keep a status in the client, the SESSION mechanism may need to be saved with the cookie mechanism to achieve the purpose of saving the identity, but in fact it has other options. Third, understanding the basic principles of the cookie mechanism Cookie mechanism is as simple as the above example, but there are several problems need to be resolved: "Member Card" is distributed; "Member Card" content; and how customers use "membership card". Orthodox cookie distribution is achieved by extending the HTTP protocol, the server adds a special instruction to the HTTP's response head to prompt the browser to generate the corresponding cookie in accordance with the instructions. However, pure client scripts can also generate cookies such as JavaScript or VBScript. The use of cookie is automatically sent to the server in the background by a certain principle of a browser. The browser checks all stored cookies, if a cookie declares declares that the range is greater than or equal to the location where the resource to be requested, the cookie is sent to the server on the HTTP request header of the request resource.
It means that McDonald's membership card can only show in McDonald's store. If a branch has released his membership card, then in addition to this store, in addition to showing McDonald's membership card, but also show members of this store. card. The content of cookie mainly includes: name, value, expiration time, path, and domain. The domain can specify a certain domain such as .google.com, which is equivalent to the store signboard, such as P & G, or specify a specific machine under a domain such as www.google.com or froogle.google.com, you can use floating Mercury. The path is to follow the URL path behind the domain name, such as / or / foo, etc., you can use a gentle counter. The path to the domain constitutes the scope of the cookie. If the expiration time is not set, it means that during the browser session, the cookie will disappear as long as the browser window is turned off. This life period is called a session cookie for the browser session. Session cookie generally does not store on the hard disk but is saved in memory, of course, this behavior is not specified. If you set an expiration time, the browser saves the cookie to the hard disk, and turn on the browser again after shutting down, which is still valid until the set expiration time is exceeded. Cookies stored on the hard disk can be shared between different browser processes, such as two IE windows. For cookies saved in memory, different browsers have different ways of processing. For IE, press Ctrl-N (or from the File Menu) on an open window to share with the original window, and the newly opened IE process in other ways cannot share the memory cookie of the open window; for Mozilla Firefox0.8, all processes and tabs can share the same cookie. Generally, the window opened with JavaScript's Window.open will share memory cookies with the original window. The browser is often bothered with a WEB application developer using the session mechanism for session cookie. Below is an example of a GoolGe setting cookie's response header HTTP / 1.1 302 Found location: http://www.google.com/intl/en-cn/ set-cookie: pref = ID = 0565f77e132de138: NW = 1: TM = 1098082649: lm = 1098082649: s = kaeacfpo49RIA_D8; Expires = Sun, 17-JAN-2038 19:14:07 gmt; path = /; domain = .google.com content-type: text / html This is HTTP Sniffer using Httplook Software to capture a part of the HTTP Communication Record that automatically sends cookies outward when accessing the resources of GoLGEGG Use Firefox to easily observe the existing cookie values Use httplook to fit Firefox can easily understand the working principle of cookies. IE can also be set before accepting cookies This is a question to accept the cookie dialog. Fourth, understanding the session mechanism The session mechanism is a server-side mechanism, and the server uses a structure similar to the hash table (possibly using a hash table) to save information.
When the program needs to create a session for a client request, the server first checks if the request has a session ID - called the session ID, if a session ID already contains, indicating that the client has been previously used Created SESSION, the server follows the session ID to retrieve this session (if the retrieval may be created), if the client request does not include the session ID, create a session for this client and generate a session The value associated with the associated session ID should be a string that is neither repeated, not easy to find the law to be patterned, this session ID will be returned to the client in this response. Save this session ID can use cookies so that the browser can automatically play this identity to the server automatically in the interaction process. Generally, this cookie name is similar to seeesionID, and. For example, WebLogic generated for web applications, jsessionid = BYOK3VJFD75APNRF7C2HMDNV6QZCEBZWOWIBYENLERJQ99ZWPBNG! -145788764, its name is JSessionID. Since cookie can be prohibited, there must be other mechanisms to pass the Session ID back to the server when cookie is disabled. A technique that is often used is called URL rewriting, which is to attach the session ID directly behind the URL path, and there are two additional modes. One is an additional information as a URL path, and the expression is http: // ... ! ../xxx;jsessionid= ByOK3vjFD75aPnrF7C2HmdnV6QZcEbzWoWiBYEnLerjQ99zWpBng -145788764 another is as a query string appended to the URL, as a form of http:?! //...../xxx jsessionid = ByOK3vjFD75aPnrF7C2HmdnV6QZcEbzWoWiBYEnLerjQ99zWpBng -145788764 these two methods for The user is not distinguished, but the server has different ways to process when parsing, and the first way is also advantageous to distinguish the information of the session ID and the normal program parameters. In order to always keep the state throughout the interaction, this session ID must be included in the path where each client may request. Another technology is called a form hidden field. It is the server automatically modifies the form and adds a hidden field to pass the Session ID back to the server when submitted. For example, the following form