In network applications, the Session object stores the attributes and configuration information needed to maintain and track a specific user's session. This article summarizes the key points about Session in detail.
HTTP is a stateless protocol. Each request a user sends to the server through a browser is independent of the others, so the server cannot tell from the HTTP requests alone whether the user behind the previous request is the same as the user behind the current one. Cookies can carry state, but the cookie data must then be passed back and forth on every request, and the more state is tracked, the more cookie data there is, which increases the transmission load and complexity for both the browser and the server. Cookie size is also limited, and this approach is not safe: cookie data is easy to steal and tamper with. Sessions solve these problems. A session is a session-tracking technique in which the state is recorded and maintained on the server. When a user sends a request through the browser, it does not need to send back all the cookie values each time; it only needs to send back one key-value pair. In general, the key is JSESSIONID and the value is the unique value generated when the client accesses the server for the first time. This value identifies and tracks the user's session information, and on the server it is commonly referred to as the sessionId.
How to Pass the sessionId
The client can pass the JSESSIONID key-value pair to the server in the following three ways.
1. If the user's browser does not support cookies or cookies are disabled, the key-value pair is rewritten into the requested URL as a parameter, for example /XXX/path/abcAction;key=value?paramName=paramValue, where key=value is the pair to be passed. After receiving the request, the server takes the value for the key from the URL and sets it on the request; the specific call is request.setRequestedSessionId.
2. If the browser supports cookies, it sends the key-value pair in the request headers with each request. After receiving the request, the server reads this value and uses it to override the value obtained from the URL.
3. Based on SSL. This is not supported by default and is supported only when connector.getAttribute("SSLEnabled") is true.
In this case, the server creates an HttpSession object using the request.getSession() method and sets a validity period for it. The object is then stored in the Sessions container and the sessionId is returned to the browser. When the user makes another request, the server parses the sessionId and checks whether the corresponding HttpSession exists. If it does not, the server creates an HttpSession object, stores it in the Sessions container and returns the sessionId to the browser. If it does, the server retrieves the corresponding HttpSession object, in which state or presentation data can be stored for session tracking, for example with session.setAttribute().
Session objects have an expiration date. Generally, the application container has a background thread that checks whether each session has become invalid and clears it if so. It is worth noting that a call to request.getSession() also checks whether the corresponding session object has expired and creates a new session object if it has.
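The lookup described above (sessionId from the URL, cookie overriding it, the container lookup and the expiry check on access) as an added Python model; it is not code from this article or from any servlet container. The function names, the 1800-second validity period and the case-insensitive match on the URL parameter name are assumptions made for the example.

```python
import secrets
import time
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

SESSION_KEY = "JSESSIONID"   # key name used in the article
MAX_INACTIVE = 1800          # assumed validity period, in seconds

sessions = {}                # the "Sessions container": sessionId -> session dict


def requested_session_id(url, cookie_header=""):
    """Resolve the id the client sent: URL path parameter first, cookie overrides it."""
    sid = None
    path = urlsplit(url).path                    # keeps ";key=value", drops "?query"
    for param in path.split(";")[1:]:            # e.g. /XXX/path/abcAction;key=value
        name, _, value = param.partition("=")
        if name.lower() == SESSION_KEY.lower():
            sid = value
    cookie = SimpleCookie(cookie_header)
    if SESSION_KEY in cookie:                    # the cookie value wins over the URL value
        sid = cookie[SESSION_KEY].value
    return sid


def get_session(url, cookie_header="", now=None):
    """Model of request.getSession(): reuse a live session, otherwise create one."""
    now = time.time() if now is None else now
    sid = requested_session_id(url, cookie_header)
    session = sessions.get(sid)
    if session and now - session["last_access"] > MAX_INACTIVE:
        del sessions[sid]                        # expired: cleared on access
        session = None
    if session is None:
        # An unknown or expired id sent by the client is never adopted;
        # the server always generates a fresh random id.
        sid = secrets.token_hex(16)
        session = sessions[sid] = {"id": sid, "attrs": {}}
    session["last_access"] = now
    return session
```

Because an id that is not in the container is discarded rather than reused, a client cannot choose its own sessionId.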
When the application container is restarted or shut down, unexpired session objects are persisted to a SESSIONS.ser file. When the application container is restarted, all unexpired session objects in SESSIONS. An application server stores a set of session data.