Session mechanism in web application

xiaoxiao2021-03-05  48

Abstract: Although the session mechanism has been used for a long time in web applications, there are still many people unclear the essence of the session mechanism, so that this technology cannot be applied. This article will discuss the work mechanism of session in detail and give a solution for problems such as the application of the session mechanism in Java Web Application.

table of Contents:

First, the term session

Second, HTTP protocol and status keep

Third, understand the cookie mechanism

Fourth, understand the session mechanism

5. Understand javax.servlet.http.httpsession

6. HTTPSESSION FAQ

7. SESSION sharing of cross-adapter programs

Eight, summary

Reference documentation

First, the term session

In my experience, the word SESSION is probably only second only to Transaction, and more interesting is the meaning of Transaction and Session in certain contexts.

Session, Chinese often translates as a session, which means that there is a series of operations / messages that have ended events, such as picking up a phone, dialing to hang up the phone, can be called a session. Sometimes we can see that "during a browser session, ...", the term "session here is why, refers to the opening of this period from a browser window. The most confusing "user (client) is in a session", which may refer to a series of actions of the user (in general, a series of actions related to a specific purpose, such as logging in to purchase goods The process of checking out such an online shopping will sometimes be referred to as a transaction, but sometimes it is also just a connection, or it may refer to the meaning of 1, where the difference can only be inferred 2.

However, when the session is associated with the network protocol, it often implies two meanings such as "connection" and / or "keep state", "connection" refers to the establishment before communication between communication. A communication channel, such as calling until the other party picks up the phone communication, and this is written, when you go out, you can't confirm that the other party's address is correct, communication channels are not necessarily established But for the sender, communication has begun. "Keep State" means that the communication of communication can associate a series of messages, so that the messages can be dependent on each other, such as one waiter can recognize the old customers who come again and remember the last time this customer still owe a piece of money. . This example has an "a TCP session" or "a pop3 session" 3.

In the era of a web server, Session in the Web development context has a new extension, and its meaning refers to a solution for a state of maintaining a state between the client and the server 4. Sometimes Session is also used to refer to the storage structure of this solution, such as "save XXX in session" 5. Since various languages ​​for web development provide support for this solution to some extent, SESSION is also used to refer to solutions for this language in a certain degree of language. The javax.servlet.http.httpsession provided in Java is referred to as Session 6.

In view of this confusion, it is no longer changing. The application of the session in this article will also have different meaning according to the context, please pay attention to distinguish.

In this article, use the Chinese "browser session" to express the meaning 1, use the "session mechanism" to express the meaning 4, use the "session" expression meaning 5, express the meaning of the specific "httpsession" 6

Second, HTTP protocol and status keep

The HTTP protocol itself is stateless. This is to match the HTTP protocol, and the client only needs to download certain files to the server, whether it is the client or the server, there is no need to record each other's past behavior, every time The request is independent, like a customer and a vending machine or a common (non-member system) supermarket. However, smart (or greedy?) People quickly discovered that if you can provide some dynamic information generated on demand, it will make the web more useful, just like a TV with the cable TV. On the other hand, this demand is forcing HTML to gradually add a form, script, and DOM and other client behavior. On the other hand, the CGI specification appears in the server side to respond to the client's dynamic request, and the HTTP protocol as a transmission carrier also adds a file upload. Cookie These features. Where the cookie's role is to solve the efforts of the HTTP protocol stateless defects. As for later SESSION mechanisms, it is another solution that holds a state between the client and the server.

Let us use several examples to describe the differences and links between cookie and session mechanisms. The author used a coffee shop for a coffee shop to drink 5 cups of coffee for free, a discount of a cup of coffee, but a one-time consumption of 5 cups of coffee is minimal, then you need some way to record a certain number of customers. Imagine that there is no other solution that is not more than the following:

1. The store's clerk is very powerful. You can remember the amount of consumption of each customer. As long as the customer walks into the coffee shop, the clerk knows how to treat it. This approach is that the agreement itself supports state.

2. Send a card with a card, which records the number of consumption, which generally has a valid period. Each time consumption, if the customer presents this card, the consumption will be linked to the previous or subsequent consumption. This approach is to keep the state in the client.

3, send a member card, in addition to the information other than the card number, no record, each time consumption, if the customer presents the card, the clerk finds the record corresponding to this card, add some consumption information. Add some consumption information. . This approach is to keep the status at the server side.

Since the HTTP protocol is stateless, it does not wish to make it a state due to various considerations, and therefore, the following two programs become a reality choice. Specifically, the cookie mechanism uses a scheme that keeps a state in the client, and the Session mechanism is a scheme that holds a state in the server side. At the same time, we also see that the SESSION mechanism may need to be saved by means of a cookie mechanism because the scheme is required to hold a logo in the client, so the SESSION mechanism may need to achieve the purpose of saving the identity by means of a cookie mechanism, but in fact it has other options.

Third, understand the cookie mechanism

The basic principles of the cookie mechanism are as simple as the above example, but there are several problems need to be resolved: "Member Card" is distributed; "Member Card" content; and how customers use "membership card".

Orthodox cookie distribution is achieved by extending the HTTP protocol, the server adds a special instruction to the HTTP's response head to prompt the browser to generate the corresponding cookie in accordance with the instructions. However, pure client scripts can also generate cookies such as JavaScript or VBScript.

The use of cookie is automatically sent to the server in the background by a certain principle of a browser. The browser checks all stored cookies, if a cookie declares declares that the range is greater than or equal to the location where the resource to be requested, the cookie is sent to the server on the HTTP request header of the request resource. It means that McDonald's membership card can only show in McDonald's store. If a branch has released his membership card, then in addition to this store, in addition to showing McDonald's membership card, but also show members of this store. card.

The content of cookie mainly includes: name, value, expiration time, path, and domain.

The domain can specify a certain domain such as .google.com, which is equivalent to the store signboard, such as P & G, or specify a specific machine under a domain such as www.google.com or froogle.google.com, you can use floating Mercury. The path is to follow the URL path behind the domain name, such as / or / foo, etc., you can use a gentle counter.

The path to the domain constitutes the scope of the cookie.

If the expiration time is not set, the life period of this cookie is the browser session, as long as the browser window is turned off, cookies disappeared. This life period is called a session cookie for the browser session. Session cookie generally does not store on the hard disk but is saved in memory, of course, this behavior is not specified. If expiration time is set, the browser saves the cookie to the hard disk. After turning off, open the browser again, which is still valid until the setting expiration time is exceeded.

Cookies stored on the hard disk can be shared between different browser processes, such as two IE windows. For cookies saved in memory, different browsers have different ways of processing. For IE, press CTRL-N (or from the File Menu) on an open window to share with the original window, and the newly opened IE process in other ways cannot share the memory cookie of the opened window; for Mozilla Firefox0.8, all processes and tabs can share the same cookie. Generally, the window opened with JavaScript's Window.Open will share memory cookies with the original window. The browser is often bothered with a WEB application developer using the session mechanism for session cookie.

Below is an example of a GoolGe setting cookie's response header

HTTP / 1.1 302 Found

Location: http://www.google.com/intl/en-cn/

Set-cookie: pref = id = 0565f77e132de138: NW = 1: Tm = 1098082649: lm = 1098082649: s = kaeacfpo49RIA_D8; Expires = Sun, 17-JAN-2038 19:14:07 gmt; path = /; domain = .google .com

Content-Type: Text / HTML

This is part of the HTTP communication record that uses HTTPLOOK this HTTP Sniffer software to capture.

The browser automatically sends a cookie externally when accessing the resources of GoLge again.

Use Firefox to easily observe the value of existing cookies

Using httplooks with Firefox can easily understand the working principle of cookies.

IE can also be set in front of accepting cookie

This is a dialog box that accepts the cookie.

Fourth, understand the session mechanism

The Session mechanism is a server-side mechanism that uses a structure similar to the hash table (or use hash tables) to save information.

When the program needs to create a session for a client request, the server first checks if the request has a session ID - called the session ID, if a session ID already contains, indicating that the client has been previously used Created SESSION, the server follows the session ID to retrieve this session (if the retrieval may be created), if the client request does not include the session ID, create a session for this client and generate a session The value associated with the associated session ID should be a string that is neither repeated, not easy to find the law to be patterned, this session ID will be returned to the client in this response. Save this session ID can use cookies so that the browser can automatically play this identity to the server automatically in the interaction process. Generally, this cookie name is similar to seeesionID, and. For example, WebLogic generated for web applications, jsessionid = BYOK3VJFD75APNRF7C2HMDNV6QZCEBZWOWIBYENLERJQ99ZWPBNG! -145788764, its name is JSessionID.

Since cookie can be prohibited, there must be other mechanisms to pass the session ID back to the server when cookie is disabled. A technique that is often used is called URL rewriting, which is to attach the session ID directly behind the URL path, and there are two additional modes. One is an additional information as a URL path, and the expression is http: // ... ../xxx;jsessionID = BYOK3VJFD75APNRF7C2HMDNV6QZCEBZWOWIBYENLERJQ99ZWPBNG! -145788764

The other is that the query string is attached to the URL, the expression is http: //.../xxx? JsessionID = BYOK3VJFD75APNRF7C2HMDNV6QZCEBZWOWIBYENLERJQ99ZWPBNG! -145788764

These two ways are different for the user, but the server is different in the way in parsing, and the first way is also facilitated to distinguish the information of the session ID and the normal program parameters.

In order to always keep the state throughout the interaction, this session ID must be included in the path where each client may request.

Another technology is called a form hidden field. It is the server automatically modifies the form, add a hidden field to pass the session ID back to the server when you submit. Such as the form below

Before passing to the client, will be rewritten

This technology is now less applicable, and this technique is used by the old IPlanet6 (the former body of the SunOnd application server).

In fact, this technique can be used to replace it with an Action application URL reserved. When talking about the session mechanism, it is often heard such a misunderstanding. "As long as the browser is turned off, the session disappears." In fact, you can imagine an example of a member card, unless the customer takes the initiative to sell the store, the store will definitely not easily delete the customer's information. The same is true for Session unless the program notifies the server to delete a session, or the server will always reserve, and the program generally send an instruction to delete the session when the user is log off. However, the browser never actively inform the server before it will be turned off, so the server will not have the opportunity to know that the browser has been closed, and there will be this illusion, which is most session mechanism to use session cookies to save the session ID. , After closing the browser, this session ID disappears, and then connect the server again to find the original session. If the cookie set by the server is saved onto the hard disk, or uses some means to overwrite the HTTP request header issued by the browser, send the original session ID to the server, then open the browser again can find the original session.

It is precisely because the Close the browser does not cause the session to be deleted, forcing the server to set a fail time for SEESION, when using the session from the client exceeds this failure time, the server can think that the client has stopped activities. The session will be deleted to save storage space.

5. Understand javax.servlet.http.httpsession

HttpSession is a Java platform implementation specification for the session mechanism because it is just an interface, and the provider of each web application server, in addition to the specification support, there will be no specification. Differences. Here we use the BEA's WebLogic Server8.1 as an example to demonstrate.

First, WebLogic Server provides a series of parameters to control its HttpSession implementation, including switch options using the cookie, using the URL rewritten switch option, session persistence settings, session failure time setting, and each for cookie Settings, such as setting cookies, path, domain, cookie's survival time, etc.

Under normal circumstances, the session is stored in memory. When the server process is stopped or rebooted, the session in memory will also be emptied. If the persistence characteristics of the session are set, the server will save the session to the hard disk. When the server process restarts or this information will be able to use again, WEBLOGIC SERVER supports persistence methods include files, databases, client cookies, and replicates.

The copy is strictly said that it is not allowed to save, because the session is actually saved in memory, but the same information is copied into the server process in each Cluster, so that even if a server process stops work, it is still from other processes. Get the session.

The setting of the cookie spending time will affect whether the browser generated cookie is a session cookie. By default, session cookies are used. Interested in use it to test the misunderstanding that we mentioned in Section 4.

Cookie's path is a very important option for web applications. WebLogic Server's default processing of this option makes it a significant difference from other servers. Behind we will discuss them.

About session settings [5] http://e-docs.bea.com/wls/docs70/webapp/weblogic_xml.html# 1036869

6. HTTPSESSION FAQ

(The meaning of the session in this section is 5 and 6 mixed) 1, when the session is created

A common misunderstanding is to create when the session is accessible in the client, but the fact is that it is created until a SERVER-side program call httpservletRequest.getSession (TRUE) is created, note if the JSP is not displayed <% @ Page session = "false"%> Close the session, the JSP file will automatically add such a statement httpsession session = httpservletRequest.getations (TRUE) when compiling into servlets; this is also the origin of the SESSION object implied in the JSP.

Since session will consume memory resources, if you don't plan to use Session, you should close it in all JSPs.

2, when SESSION is deleted

The previous discussion, Session is deleted in the following cases, the program call httpsession.invalidate (); or b. The session ID time interval transmitted by the client exceeds the session timeout setting; or c. Server process Stop (non-lasting session)

3, how to delete the session when the browser is closed

Strictly speaking, don't do this. It can be done a little effort to use JavaScript code Window.Oncolose to monitor the closing action of the browser in all client pages, then send a request to the server to delete the session. But these unconventional means for browser crashes or forced killing processes.

4, there is a httpsessionListener what is going on

You can create such Listener to monitor the creation and destruction event of the Session so that you can do some work when you have such an event. Note that the session creation and destruction movements trigger Listener, not the opposite. Similar to HttpSession relating to Listener also has HttpSessionBindingListener, HttpSessionActiVationListener and HttpSessionAttributeListener.

5. Is the object stored in the session must be serialized?

not necessary. Required objects can serialize just for the session to be copied or can be saved in the cluster or when the Server can temporarily exchange the SESSION. Place an insequential object in the session of WebLogic Server receives a warning on the console. An IPlanet version I have ever used If there is an indemnure-seminated object in the session, there will be an Exception when SESSION is destroyed, which is very strange.

6, how to correctly deal with the possibility of cookie

Use URL override, including hyperlinks, form's action, and redirected URLs, specific practices [6]

http://e-docs.bea.com/wls/docs70/webapp/sessions.html#100770

7, open two browser window accessing the application will use the same session or different session

See the third section on the discussion of cookie, for the session is just ID unrecognizable, so different browsers, different window open methods, and different cookie storage methods have an impact on this question.

8, how to prevent users from opening the session confusion caused by the two browser window operations

This issue is similar to the prevention form multiple submission, which can be solved by setting the client's token. That is to return to the client each time you generate a different ID, save this ID back to the server when you save the form, and the program is first compared to the value of the ID and the value saved in the session. If it is inconsistent, this operation has been submitted. You can see the "J2EE core mode" about the part of the representation layer mode. It should be noted that this ID is not set to use JavaScript window.open, or use a separate ID to use a separate ID, it is not possible to make a modification operation in Window.open, so you can No setup. 9. Why change the value of the session in WebLogic Server to recall once session.setValue

Do this action is mainly to change the value in the weblogic server session in the cluster environment, you need to copy new session values ​​to other server processes.

10, why sessions are gone

Excluding the normal failure of the session, the possibility of the server itself should be minimal, although the author has encountered the Solaris version of IPlanaT6SP1 plus a number of patchs; the possibility of the browser plugin, the author also encountered Problems caused by 3721 plugins; theoretically firewall or proxy server may have problems on cookie processing.

Most of the causes of this problem is the error of the program. The most common is to access another application in an application. We discussed this issue in the next section.

7. SESSION sharing of cross-adapter programs

There is often such a situation, a big project is divided into several small project development, in order to be able to interfere with each other, each small project is required to develop as a separate web application, but at the end, suddenly found a few small items. Share some information, or want to use session to implement SSO (Single Sign On), saving Login user information in the session, the most natural requirement is the application between the applications to access each other's session.

However, according to the servlet specification, the SESSION's scope of action should be limited to the current application, and between different applications are unable to access each other's session. Each application server complies with this specification from the actual effect, but the details of the implementation may vary, so the method of solving the use of the SESSION share is also different.

Let's take a look at how Tomcat is isolated from the session between the web application. From the Cookie path set by Tomcat, it is different for different application settings, such a session ID used in such different applications. Different, even if different applications are accessed in the same browser window, the session ID sent to the server can also be different.

According to this feature, we can speculate that the memory structure in Tomcat is approximately as follows.

The IPlanet used by the author also uses the same way, and it is estimated that there will be no difference between SunOne and IPlanet. For such a server, the idea is simple, and it is not difficult to practice actually. Either all applications share a session ID or make the app to get the session ID of other applications.

There is a very simple way to implement a shared a session ID, which is set to / (actually there should be / NasApp, which is equivalent to the root) of each application's cookie path.

/ NasApp

Need not to note that the session of operation sharing should follow some programming agreements, such as the prefix of the application in front of the Session Attribute name, make SetAttribute ("Name", "NEO") into setAttribute ( "App1.name", "NEO") to prevent naming spaces from conflicting, resulting in cross-over.

There is no such convenient choice in Tomcat. On Tomcat Version 3, we can also have some means to share session. For Tomcats above version 4, the author has not found a simple approach. Can only be used by means of a third party, such as using files, databases, JMS, or client cookie, url parameters, or hidden fields.

Let's take a look at how WebLogic Server handles session.

From the screenshot screen, you can see that WebLogic Server sets the cookie's path to all applications, which means that you can share sessions in WebLogic Server. However, a small experiment can prove that even if the same application is used, each application can only access those properties they set. This shows that the memory structure of the session in WebLogic Server may be as follows.

For such a structure, the problem that SESSION sharing is solved on the session mechanism itself should be impossible. In addition to the means of third parties, such as using files, databases, JMS, or client cookie, url parameters, or hidden fields, there is a more convenient practice, that is, putting an application's session in servletContext, which is another An application can get a reference to the previous application from servletContext. The sample code is as follows,

Application A

Context.setttribute ("appa", session);

Application B

Contexta = context.getContext ("/ appa");

HTTPSESSION sessiona = (httpsession) Contexta.getaTribute ("appa");

It is worth noting that this usage is not portable because the application server can be secure for Context.getContext ("/ appa") according to ServletContext's Javadoc, and return null values. The above is passed in WebLogic Server 8.1.

So why WebLogic Server wants to set all the cookies paths to /? It turns out that for SSO, all applications that share this session can share authentication information. A simple experiment can prove this, modify the descriptor WebLogic.xml of the application that is first logged in, modify the cookie path to / APPA to access another application will re-empt, even in turn, first access the cookie path For /'s application, re-access this modified path, although no time to log in, the user information logged in will also be lost. Note that the way to do this experiment should use form, because the browser and web server have other processing methods for the Basic authentication method, and the passing of the second request is not implemented by session. For details, please refer to [7] Secion 14.8 Authorization, you can modify the attached sample programs to do these trials.

Eight, summary

转载请注明原文地址:https://www.9cbs.com/read-36744.html

New Post(0)