Abstract: Although the session mechanism has been used in web applications for a long time, many people are still unclear about its essence, to the point that they cannot apply the technique correctly. This article discusses in detail how sessions work and offers solutions to common problems met when applying the session mechanism in Java web applications.
Table of contents:
1. The term session
2. The HTTP protocol and state keeping
3. Understanding the cookie mechanism
4. Understanding the session mechanism
5. Understanding javax.servlet.http.HttpSession
6. HttpSession FAQ
7. Session sharing across applications
8. Summary
Reference documentation
1. The term session
In my experience, the word session is misused to a degree second only to transaction, and what makes it more interesting is that in certain contexts transaction and session mean the same thing.
Session is usually translated into Chinese as 会话 (conversation); its original meaning is a series of actions or messages with a beginning and an end. For example, everything from picking up the telephone and dialling until hanging up can be called one session. Sometimes we see phrases such as "during a browser session, ...", where session is used in this original sense and means the period from when a browser window is opened until it is closed (meaning 1). The most confusing usage is "the user (client) during one session", which may refer to a series of user actions (generally a series of actions related to one concrete purpose, such as the online-shopping process from logging in through choosing goods to checking out, which is sometimes also called a transaction), but may sometimes mean just one connection, or may carry meaning 1; the difference can only be inferred from context (meaning 2).
However, when the word session is associated with a network protocol, it often implies one or both of "connection-oriented" and "state keeping". "Connection-oriented" means that the two parties must establish a communication channel before communicating, as with a telephone call, where communication cannot start until the other side picks up. The contrast is sending a letter: when you drop it in the mailbox you cannot confirm that the address is correct and a channel may never be established, yet for the sender communication has already begun. "State keeping" means that one party can relate a series of messages to one another so that messages can depend on each other, like a waiter who recognises a returning regular and remembers that last time this customer still owed the shop a dollar. Examples of this kind are "a TCP session" or "a POP3 session" (meaning 3).
In the era of flourishing web servers, session gained a new meaning in the context of web development: a class of solutions for keeping state between the client and the server (meaning 4). Sometimes session also denotes the storage structure used by such a solution, as in "save xxx in the session" (meaning 5). Since the various languages used for web development all support this kind of solution to some degree, in the context of a particular language session is also used for that language's solution; for example, the javax.servlet.http.HttpSession provided in Java is often simply called the session (meaning 6).
Given that this confusion can no longer be changed, the word session in this article also takes different meanings depending on context; please take care to distinguish them.
In this article, "browser session" expresses meaning 1, "session mechanism" expresses meaning 4, "session" expresses meaning 5, and the specific "HttpSession" expresses meaning 6.
2. The HTTP protocol and state keeping
The HTTP protocol itself is stateless, which matches the protocol's original purpose: the client simply asks the server to download certain files, and neither the client nor the server needs to record the other's past behaviour; each request is independent of the others, much like the relationship between a customer and a vending machine or an ordinary (non-membership) supermarket.
However, clever (or greedy?) people soon discovered that the web would be much more useful if it could provide some information generated dynamically on demand, rather like adding video on demand to cable TV. On one hand this demand pushed HTML to gradually add forms, scripts, the DOM and other client-side behaviour; on the other hand the CGI specification appeared on the server side to respond to the client's dynamic requests, and the HTTP protocol, as the transport carrier, gained features such as file upload and cookies. Among these, cookies are the effort made to remedy the stateless nature of HTTP. The session mechanism that appeared later is yet another solution for keeping state between the client and the server.
Let us use a few examples to describe the differences and connections between the cookie mechanism and the session mechanism. A coffee shop the author used to visit offered a free cup after five cups of coffee had been bought, but the chance of anyone buying five cups in one go is tiny, so some way of recording how many cups a given customer has bought is needed. A little thought shows that there are really only the following options:
1. The shop's clerk is remarkable and can remember how much each customer has bought; as soon as a customer walks into the shop, the clerk knows how to treat them. This is the protocol itself supporting state.
2. Give the customer a card that records the number of purchases, usually with an expiry date. At each purchase, if the customer presents this card, the purchase is linked to the earlier and later ones. This is keeping state on the client side.
3. Give the customer a membership card that records nothing but a card number. At each purchase, if the customer presents the card, the clerk looks up the record for that card number in the shop's ledger and adds some purchase information to it. This is keeping state on the server side.
Because HTTP is stateless, and for various reasons nobody wants to make it stateful, the latter two options are the realistic choices. Specifically, the cookie mechanism keeps state on the client side, while the session mechanism keeps state on the server side. We also see that keeping state on the server side still requires the client to hold an identifier, so the session mechanism may need to rely on the cookie mechanism to save that identifier; in fact, though, it has other options.
3. Understanding the cookie mechanism
The basic principle of the cookie mechanism is as simple as the example above, but several questions still have to be answered: how the "membership card" is distributed, what the "membership card" contains, and how the customer uses the "membership card".
The orthodox way of distributing cookies is by extending the HTTP protocol: the server adds a special line to the HTTP response header to instruct the browser to generate the corresponding cookie. However, pure client-side scripts such as JavaScript or VBScript can also generate cookies.
Cookies are used by the browser, which sends them to the server automatically in the background according to a fixed rule: the browser checks all stored cookies, and if the scope a cookie declares is greater than or equal to the location of the resource about to be requested, it attaches that cookie to the HTTP request header for that resource. In the analogy, a McDonald's membership card can only be presented in McDonald's restaurants, and if a particular branch has also issued its own membership card, then when entering that branch you present both the McDonald's card and that branch's own card.
The content of a cookie mainly includes: a name, a value, an expiration time, a path, and a domain.
The domain can specify a whole domain such as .google.com, which corresponds to the chain's signboard (say, Procter & Gamble), or a specific machine under a domain such as www.google.com or froogle.google.com, which corresponds to one of its brands (say, Rejoice). The path is the URL path that follows the domain name, such as / or /foo, and corresponds to a particular Rejoice counter.
Together, the domain and the path make up the scope of the cookie.
If no expiration time is set, the cookie's lifetime is the browser session: as soon as the browser window is closed, the cookie disappears. A cookie whose lifetime is the browser session is called a session cookie. Session cookies are generally kept in memory rather than stored on disk, although this behaviour is not mandated by the specification. If an expiration time is set, the browser saves the cookie to disk; after the browser is closed and opened again, these cookies remain valid until the set expiration time passes.
Cookies stored on disk can be shared between different browser processes, for example two IE windows. For cookies kept in memory, browsers behave differently. In IE, a window opened with Ctrl-N (or from the File menu) from an open window shares them with the original window, whereas an IE process started in any other way cannot share the in-memory cookies of an already open window; in Mozilla Firefox 0.8, all processes and tabs share the same cookies. Generally, a window opened with JavaScript's window.open shares in-memory cookies with the original window. This way browsers handle session cookies, recognising the cookie rather than the person, often causes a lot of trouble for developers of web applications that use the session mechanism.
Below is an example of a Google response header that sets a cookie:
HTTP/1.1 302 Found
Location: http://www.google.com/intl/en-cn/
Set-Cookie: PREF=ID=0565f77e132de138:NW=1:TM=1098082649:LM=1098082649:S=kaeacfpo49RIA_D8; expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=.google.com
Content-Type: text/html
This is part of an HTTP exchange captured with HTTPLook, an HTTP sniffer.
The browser automatically sends the cookie when it accesses Google's resources again.
With Firefox it is easy to inspect the values of the existing cookies.
Using HTTPLook together with Firefox makes it easy to understand how cookies work.
IE can also be set to ask before accepting a cookie.
This is the dialog box asking whether to accept the cookie.
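As an added illustration (not code from the original article), the following Python sketch models the scope rule described in this section: it parses a Set-Cookie header like the Google one above, decides which stored cookies a browser would attach to a given URL by comparing domain and path, and discards session cookies when the browser session ends. The cookie values are constructed samples, and two details are simplifying assumptions: a missing path defaults to "/" and expires is parsed only in the date format the sample header uses.

```python
"""Toy browser cookie jar, added to illustrate the article's scope rule
(domain + path) and the session-cookie lifetime. Not part of the original
article; the Set-Cookie values are constructed samples modelled on the
Google header above."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample: the response header from the article, with attribute
# spacing normalised. A persistent cookie scoped to the whole .google.com domain.
GOOGLE_SET_COOKIE = ("PREF=ID=0565f77e132de138:NW=1:TM=1098082649:LM=1098082649:"
                     "S=kaeacfpo49RIA_D8; expires=Sun, 17-Jan-2038 19:14:07 GMT; "
                     "path=/; domain=.google.com")


@dataclass
class Cookie:
    name: str
    value: str
    domain: str                   # ".google.com" (whole domain) or "www.google.com" (one host)
    path: str                     # "/" or "/foo": URL path prefix the cookie applies to
    expires: Optional[datetime]   # None means a session cookie that lives only in memory

    def matches(self, host: str, path: str, now: datetime) -> bool:
        """Scope check: the cookie is sent only to resources it covers and only while valid."""
        if self.expires is not None and now >= self.expires:
            return False                                   # expired persistent cookie
        if self.domain.startswith("."):
            # ".google.com" covers google.com and every host below it (www., froogle., ...)
            domain_ok = host == self.domain[1:] or host.endswith(self.domain)
        else:
            domain_ok = host == self.domain                # host-only cookie
        path_ok = path == self.path or path.startswith(self.path.rstrip("/") + "/")
        return domain_ok and path_ok


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse one Set-Cookie header value. Assumptions (simplified from real browsers):
    a missing domain means the host that set the cookie, a missing path means "/",
    and expires uses the Netscape-style date format seen in the sample header."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    expires = None
    if "expires" in attrs:
        expires = datetime.strptime(attrs["expires"], "%a, %d-%b-%Y %H:%M:%S GMT")
        expires = expires.replace(tzinfo=timezone.utc)
    return Cookie(name.strip(), value, attrs.get("domain", request_host),
                  attrs.get("path", "/"), expires)


class CookieJar:
    """The browser's cookie store: decides what to send, and what dies with the window."""

    def __init__(self) -> None:
        self.cookies: List[Cookie] = []

    def store(self, set_cookie_value: str, request_host: str) -> Cookie:
        cookie = parse_set_cookie(set_cookie_value, request_host)
        # same name, domain and path: the new cookie replaces the old one
        self.cookies = [c for c in self.cookies
                        if (c.name, c.domain, c.path) != (cookie.name, cookie.domain, cookie.path)]
        self.cookies.append(cookie)
        return cookie

    def cookie_header(self, url: str, now: Optional[datetime] = None) -> str:
        """Value of the Cookie request header the browser would send for url ("" if none)."""
        now = now or datetime.now(timezone.utc)
        parts = urlsplit(url)
        sent = [c for c in self.cookies if c.matches(parts.hostname, parts.path or "/", now)]
        return "; ".join(f"{c.name}={c.value}" for c in sent)

    def end_browser_session(self) -> None:
        """Closing the browser discards session cookies; persistent ones stay on disk."""
        self.cookies = [c for c in self.cookies if c.expires is not None]


def demo() -> dict:
    jar = CookieJar()
    jar.store(GOOGLE_SET_COOKIE, "www.google.com")
    # Constructed sample: a session cookie (no expires) issued by one host for one path,
    # the "branch's own membership card" of the article's analogy.
    jar.store("shop=cart42; path=/store", "froogle.google.com")
    before = {
        "www_search": jar.cookie_header("http://www.google.com/search?q=x"),
        "froogle_store": jar.cookie_header("http://froogle.google.com/store/checkout"),
        "froogle_root": jar.cookie_header("http://froogle.google.com/"),
        "other_site": jar.cookie_header("http://www.example.com/"),
    }
    jar.end_browser_session()
    after_restart = jar.cookie_header("http://froogle.google.com/store/checkout")
    return {"before": before, "after_restart": after_restart}


if __name__ == "__main__":
    for key, val in demo()["before"].items():
        print(f"{key}: {val!r}")
```

Running demo() shows the PREF cookie travelling to every host under .google.com, the host-only "shop" cookie travelling only to froogle.google.com under /store, nothing going to www.example.com, and the "shop" cookie vanishing once the browser session ends while the persistent PREF cookie survives.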
4. Understanding the session mechanism
The session mechanism is a server-side mechanism: the server uses a structure similar to a hash table (possibly an actual hash table) to save information.
When the program needs to create a session for a client's request, the server first checks whether the request already carries a session identifier, called the session id. If it contains one, a session was created for this client earlier, and the server retrieves that session by its id and uses it (if it cannot be found, a new one may be created). If the request carries no session id, the server creates a session for this client and generates a session id associated with it. The value of the session id should be a string that never repeats and follows no pattern that could easily be discovered and forged; it is returned to the client in the current response to be saved.
The session id can be saved in a cookie, so that during the interaction the browser automatically sends the identifier back to the server according to the cookie rules. The name of this cookie is usually something like SESSIONID. For example, the cookie WebLogic generates for a web application, JSESSIONID=BYOK3VJFD75APNRF7C2HMDNV6QZCEBZWOWIBYENLERJQ99ZWPBNG!-145788764, is named JSESSIONID.
Since cookies can be deliberately disabled, there must be other mechanisms to pass the session id back to the server when cookies are disabled. A frequently used technique is called URL rewriting: the session id is appended directly to the URL path, and there are two ways to append it. One is as extra information in the URL path, which looks like http://...../xxx;jsessionid=BYOK3VJFD75APNRF7C2HMDNV6QZCEBZWOWIBYENLERJQ99ZWPBNG!-145788764
The other is as a query string appended to the URL, which looks like http://...../xxx?jsessionid=BYOK3VJFD75APNRF7C2HMDNV6QZCEBZWOWIBYENLERJQ99ZWPBNG!-145788764
There is no difference between the two for the user; only the way the server parses them differs, and the first way also helps keep the session id apart from the program's normal parameters.
To keep the state throughout the entire interaction, this session id must be appended to every path the client might request.
Another technique is called a hidden form field: the server automatically modifies the form and adds a hidden field so that the session id is passed back to the server when the form is submitted. For example, the form below:
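To make the lookup and URL-rewriting steps above concrete, here is an added Python sketch of a minimal server-side session store. It is not the article's code and not the servlet API: the request dictionaries, the SessionStore class, encode_url and set_cookie_header are constructed for this sketch; only the JSESSIONID cookie name and the ";jsessionid=" and "?jsessionid=" forms come from the text. The store looks for the id in the Cookie header, then in the path parameter, then in the query string, creates a fresh unguessable id when none is found, and treats an id it never issued like a missing one.

```python
"""Minimal server-side session store, added to illustrate the lookup and
URL-rewriting steps described above. Not the article's code and not the
servlet API: request dicts, the store and encode_url are constructed for
this sketch; only the JSESSIONID name and the ";jsessionid=" / "?jsessionid="
forms come from the article."""
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

SESSION_COOKIE = "JSESSIONID"       # cookie name used by Java servlet containers
URL_PARAM = "jsessionid"            # name used in URL rewriting


def extract_session_id(request: Dict[str, str]) -> Optional[str]:
    """Find the session id in the places the article lists: Cookie header,
    path parameter (/xxx;jsessionid=ID), or query string (/xxx?jsessionid=ID)."""
    for part in request.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == SESSION_COOKIE and value:
            return value
    parts = urlsplit(request["url"])
    _, has_param, param = parts.path.partition(";")     # urlsplit keeps ;params in path
    if has_param and param.startswith(URL_PARAM + "="):
        return param[len(URL_PARAM) + 1:]
    query_ids = parse_qs(parts.query).get(URL_PARAM)
    return query_ids[0] if query_ids else None


def encode_url(url: str, session_id: str) -> str:
    """URL rewriting in path-parameter form: insert ;jsessionid=ID after the
    path, in front of any query string, so the id survives a click on the link."""
    parts = urlsplit(url)
    rewritten = f"{parts.scheme}://{parts.netloc}{parts.path};{URL_PARAM}={session_id}"
    return rewritten + ("?" + parts.query if parts.query else "")


def set_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the id: no expires, so it is a session cookie that
    dies with the browser window. HttpOnly keeps page scripts from reading it
    (an addition beyond the article)."""
    return f"{SESSION_COOKIE}={session_id}; Path=/; HttpOnly"


class SessionStore:
    """The server's hash table: session id -> that session's attributes."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    @staticmethod
    def new_id() -> str:
        # Must never repeat and must be unguessable: draw it from the OS CSPRNG.
        return secrets.token_urlsafe(24)

    def get_session(self, request: Dict[str, str]) -> Tuple[str, dict, bool]:
        """Return (session id, attributes, created). An unknown or forged id is
        treated like a missing one: the client gets a fresh session, never
        someone else's data."""
        sid = extract_session_id(request)
        if sid is not None and sid in self._sessions:
            return sid, self._sessions[sid], False
        sid = self.new_id()
        self._sessions[sid] = {}
        return sid, self._sessions[sid], True


def demo() -> dict:
    """Walk the coffee-shop counter through the transports the article describes."""
    store = SessionStore()
    # 1. first visit: no id anywhere, so a session is created
    sid, sess, created = store.get_session({"url": "http://shop.example/coffee", "cookie": ""})
    sess["cups"] = 1
    # 2. cookies enabled: the browser sends the id back in the Cookie header
    sid2, sess2, created2 = store.get_session(
        {"url": "http://shop.example/coffee", "cookie": f"other=1; {SESSION_COOKIE}={sid}"})
    sess2["cups"] += 1
    # 3. cookies disabled: the id comes back inside a rewritten link
    rewritten = encode_url("http://shop.example/coffee?size=large", sid)
    sid3, sess3, created3 = store.get_session({"url": rewritten, "cookie": ""})
    sess3["cups"] += 1
    # 4. a client presenting an id the server never issued gets a new, empty session
    sid4, sess4, created4 = store.get_session(
        {"url": "http://shop.example/coffee", "cookie": f"{SESSION_COOKIE}=made-up-id"})
    return {
        "sid": sid,
        "first_created": created,
        "same_via_cookie": sid2 == sid and not created2,
        "same_via_url": sid3 == sid and not created3,
        "cups": sess["cups"],
        "rewritten_url": rewritten,
        "unknown_id_is_new": created4 and sid4 != sid and sess4 == {},
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val!r}")
```

Two points the sketch makes visible: the path-parameter form keeps the id out of the query string, so ordinary request parameters are parsed separately, and a store that only accepts ids it generated itself means a guessed or stale id never lands a client in another client's session. The price of URL rewriting is that the id now appears in links, browser history and Referer headers, which is why the cookie transport is preferred whenever the client allows it.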