About Seeion articles
Liu Zhengji
ljj@mlc.edu.tw
I didn't adapt to the author, but I believe he will not mind.
Jia is a member of a website, he wants to log in to the website online, he hits his account password in login.jsp, after the authentication passes, the server throws it to list.jsp browsing the goods on the website, when he chooses After buying the goods to be booked, the server throws it to Buy.JSP to process the order. This person only hits the account password only in login.htm, and the server is confirmed by login.jsp confirming that the List.jsp and Buy.jsp users do not need to pay the account password, how to confirm now A or B? Or some people do not enter the website from login.jsp at all, and he will come in directly from list.jsp or buy.jsp, then don't avoid the check password check?
To solve this problem, there are many ways, you can use the HTML syntax , or with cookie, but the security of the above two methods is not enough, you should use session to solve this problem. Just a problem, if you look at the SESSION process, A. Through the login.jsp into the website, the server will give him a unique number to prove that he is A (just as if everyone has the ID card, and will not be heavy Covering), if it comes in, the server also gives him a unique number. This unique number is SessionID. This sessionID will be sent to the user's browser. When the user browses other pages, the browser will send this sessionID to the server, the server can be aligned with now B.
1. If you want to see what your sessionid is like, the syntax should write this
session.GetId ();
2. A or B enters the website, the server will allocate a session, everyone will not repeat, Jia is a member, enter the account password, successfully passed the verification, this server can make a mark on his session, indicating him Verified,
Session.setttribute ("Logok", "YES"
;
This means that the server puts a logok property in the session in A, and its value is "Yes". Of course, you can also make something, such as letting the account password entered.
Session.SetaTRibute ("UserID", "Account Entering"
;
Session.SetaTRibute ("Userpass", "password entered by A)
;
(Please note that these Attribute information is available in Server. If they are not sent to the user's browser, only SessionIDs are sent to the browser. So can guarantee that the relevant information is not stolen.)
After the verification, the server is handled to list.jsp. (response.sendredirect ("List.jsp"
B is not a member, when he entered from login.jsp, there is no way to verify, so he is guided back to login.jsp Re-enter the password (response.sendredirect ("login.jsp"
3. How to lead to list.jsp, list.jsp know how to verify, and how to prove that it is A? You can take the mark you have made on the session through the following method.
String logok = (string) session.getattribute ("Logok";
String userid = (string) session.getattribute ("UserID"
;
String Userpass = (string) session.getattribute ("Userpass"
;
Get the value of Logok through GetAttribute, check if the logok is equal to "Yes", know if this person passes verified, and also get the account number and password entered, you can go to the database compared to whether it is now this person.
(To pay attention to session.getattribute ("" "
In front, in this example, it is necessary to add (String), because the session is deposited in the session through SetAttribute, when taken, to clearly tell the java what object it is, so it is necessary to use (String ) Session.GetaTribute ("Logok"
. Similarly, if you save a resultset, you will use (ResultSet) session.getattribute ("...."
And this people, still don't die, login.jsp can't come, he still wants to hit the list.jsp, the same, the program finds whether there is logok in the session, it is not equal to "Yes" ", If not, I am sorry, I will pass it back to login.jsp.
Through sessions, you can do sharing of information between the same user on different web pages. Basically, Tomcat will create sessions for people coming in to every page. It is within 30 minutes. If more than 30 minutes, the user has no further web page, and its sessionID will invalid, of course, in Session. Dedicated attributes will also disappear. The user re-comes in, it is another session.
The following session method, you can take a look at:
Session.setttribute ("Attribute Name", attribute value) ---- Deposit data into session
Session.GetaTRibute ("Properties Name"
; ---- Summary from Session
Session.setMaxinactiveInterVal ("second number
; --- Set the effective implementation time of the session (unit: second)
Session.getMaxinActiveIveInterval (); ---- Get the effective implementation time of the session (unit: second)
Session.isnew (); ---- Judging this session is new, yes, back True, otherwise returning False
Session.INVALIDATE (); ---- Force session interrupt, often used in the user
Session.getCreatetime (); ---- get the time of the session established, its value is the value.
session.getlastaccessedTime (); ---- get the last access time of the session
Also, if some web pages, you will not need to establish session, how do you turn it off? Session = "false" should be set in Page
Example: <% @ Page ContentType = "text / html; charset = big5" session = "false"%> This page does not establish any session
