Cookie and Session principles

Session principles:

  A session can be kept in a file, in memory or in a database, and is stored as key-value pairs. The attributes inside a session are themselves key-value pairs.

  When the program needs a session for a client's request, the server first checks whether the request already carries a session identifier (session id). If it does, the server has already created a session for this client, and it looks the session up by that id (if nothing is found it may create a new one, depending on the argument passed to getSession()). If the request carries no session id, the server creates a new session for this client, generates a session id associated with it, and returns that session id to the client in the response.

How the client holds the session (that is, how the session id is saved)

Browsers generally support three ways of keeping it:

  [1] In a Cookie. This is the most common method; the "Remember me" login feature is built on it. The server sends the session id to the browser by setting a Cookie. If no expiration time is set, the Cookie is not written to disk: when the browser is closed the Cookie disappears and the session id is lost. If an expiration time is set, the Cookie is written to the client's hard disk; the value survives closing the browser and is sent to the server again on the next visit to the site.

  [2] URL rewriting: the session id is appended directly to the URL path, as on JSP sites where you often see aaa.jsp?JSESSIONID=*.

  [3] A hidden field added to the web form. This works the same way as the second method, except that URL rewriting sends the data via GET while the hidden field sends it via POST. The latter is obviously more cumbersome.

  That is, the server automatically modifies the form and adds a hidden field, so the session id is passed back to the server when the form is submitted. For example:

<form name="testform" action="/xxx">
<input type="hidden" name="jsessionid" value="ByOK3vjFD75aPnrF7C2HmdnV6QZcEbzWoWiBYEnLerjQ99zWpBug!-145788764">
<input type="text">
</form>

When is a session created?

  A common mistake is to think that a session is created as soon as a client accesses the server. In fact, the server creates nothing until a server-side program (such as a Servlet) calls a statement like HttpServletRequest.getSession(true).

When is a session deleted?

A session is deleted in the following cases:

  A. HttpSession.invalidate() is invoked

  B. The time since the client last sent this session id exceeds the session's maximum inactive interval

  C. The server process is stopped

  Note that closing the browser only invalidates the session cookie held in the browser's memory; it does not invalidate the server-side session object.

Difference between getSession()/getSession(true) and getSession(false)

  getSession()/getSession(true): returns the session if one exists; otherwise creates a new session and returns it.

  getSession(false): returns the session if one exists; otherwise does not create one and returns null.
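The creation, lookup and deletion rules above in one servlet, as an added example that is not from the original post. It assumes the javax.servlet API; the servlet name, the URL it is mapped to and the credential check are placeholders.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet (not from the original post): a session is created only on a
// successful login, looked up with getSession(false) elsewhere, and invalidated on logout.
public class LoginServlet extends HttpServlet {
    // Idle timeout in seconds; once exceeded the container deletes the session (case B).
    private static final int IDLE_TIMEOUT_SECONDS = 15 * 60;
    // POST /login: the only place getSession(true) is called, and only after the check passes.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        // Placeholder check; a real application verifies against a password store.
        if (user == null || user.isEmpty() || pass == null || pass.isEmpty()) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;                                  // no session created, no session id sent
        }
        HttpSession session = req.getSession(true);  // creates the session and its session id
        session.setAttribute("username", user);      // login state stays on the server
        session.setMaxInactiveInterval(IDLE_TIMEOUT_SECONDS);
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    // GET /login: answer "who am I" without creating a session for anonymous callers.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false); // null unless a valid session id was sent
        Object user = session == null ? null : session.getAttribute("username");
        resp.setContentType("text/plain");
        resp.getWriter().println(user == null ? "anonymous" : "logged in as " + user);
    }

    // DELETE /login: explicit logout (case A); the old session id stops working at once.
    @Override
    protected void doDelete(HttpServletRequest req, HttpServletResponse resp) {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

Because doGet never calls getSession(true), an anonymous crawler hitting the page creates no server-side state, which is the memory concern raised later in the Cookie vs Session comparison.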

 

Cookie mechanisms:

Cookie categories:

  1. A persistent cookie, stored as a file on the hard disk. A persistent cookie is cookie information saved on the client's hard disk (with an expiration date set). When the user visits the site, the browser looks on the local disk for a cookie associated with that site. If one exists, the browser sends it to the site in the HTTP headers of the page request; the system then compares each attribute and value of the cookie with the information stored on the server side, and identifies the user as a "first-time visitor" or a "returning customer" according to the result.

  2. A temporary cookie held in the browser's memory, which is deleted from the computer when the browser (for example Internet Explorer) is closed.

Cookie lifetime:

  A Cookie's maxAge determines how long it is valid, in seconds.

  If maxAge is positive, the Cookie expires automatically after maxAge seconds. The browser persists Cookies with a positive maxAge, i.e. writes them to the corresponding cookie file. Whether the user closes the browser or the computer, the Cookie is still valid when the site is visited again as long as maxAge seconds have not elapsed. The Cookie in the following code will be valid forever.

Cookie cookie = new Cookie("username","helloweenvsfei"); // create the Cookie
cookie.setMaxAge(Integer.MAX_VALUE); // set the lifetime to MAX_VALUE
response.addCookie(cookie); // send it to the client

  If maxAge is negative, the Cookie is valid only in the current browser window and the child windows opened from it; once the window is closed the Cookie expires. A Cookie with a negative maxAge is a temporary Cookie: its information is kept in browser memory, so it disappears when the browser is closed. The default maxAge of a Cookie is -1.

  If maxAge is 0, the Cookie is deleted. The Cookie mechanism provides no method for deleting a Cookie, so deletion is achieved by making the Cookie expire immediately. The browser removes an expired Cookie from its cookie file or from memory.

For example:

Cookie cookie = new Cookie("username","helloweenvsfei"); // create the Cookie
cookie.setMaxAge(0); // set the lifetime to 0, which deletes the cookie
response.addCookie(cookie); // this line must be executed
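The three maxAge cases (positive, negative, zero) as reusable helpers, added here as an example that is not from the original post. It assumes the javax.servlet API (Servlet 3.0 or later for setHttpOnly) and a hypothetical server-side store for the "remember me" token; the cookie name and path are placeholders.

```java
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

// Hypothetical helpers (not from the original post) built on the same Cookie API.
public final class CookieUtil {
    private static final String PATH = "/";          // deletion must reuse name AND path
    private static final SecureRandom RNG = new SecureRandom();

    // Persistent "remember me" cookie: positive maxAge makes the browser write it to disk.
    // The value is an opaque random token; the token-to-user mapping stays on the server,
    // so neither the account name nor the password is ever written into the cookie.
    public static String addRememberMe(HttpServletResponse resp, int days) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        Cookie c = new Cookie("remember_me", token);
        c.setMaxAge(days * 24 * 60 * 60);   // seconds; a bounded lifetime, not Integer.MAX_VALUE
        c.setPath(PATH);
        c.setHttpOnly(true);                // not readable by page scripts (Servlet 3.0+)
        c.setSecure(true);                  // only sent over HTTPS
        resp.addCookie(c);
        return token;                       // caller stores token -> user on the server side
    }

    // Temporary cookie: negative maxAge (the default, -1) keeps it in browser memory only,
    // so it is gone once the browser closes.
    public static void addTemporary(HttpServletResponse resp, String name, String value) {
        Cookie c = new Cookie(name, value);
        c.setMaxAge(-1);
        c.setPath(PATH);
        c.setHttpOnly(true);
        resp.addCookie(c);
    }

    // "Delete" = send the same name and path with maxAge 0; the browser then drops it.
    // With a different path the browser would keep the old cookie and add a second one.
    public static void delete(HttpServletResponse resp, String name) {
        Cookie c = new Cookie(name, "");
        c.setMaxAge(0);
        c.setPath(PATH);
        resp.addCookie(c);
    }
}
```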

Components of a Cookie

  Cookies are carried in the HTTP headers.

  Standard format: Set-Cookie: NAME=VALUE; Expires=DATE; Path=PATH; Domain=DOMAIN_NAME; SECURE;

  Example: Set-Cookie: JSESSIONID=mysession; Expires=Thu, 05-Jun-2008 05:02:50 GMT; Path=/web;

  The Expires attribute of a Cookie marks how long it is valid; once that time has passed, the data is deleted automatically. If no expiration time is set, the cookie lives only for the browser session: close the browser window and the cookie disappears. A cookie whose lifetime is the browser session is called a session cookie (temporary cookie) and is kept in memory. If an expiration time is set, the browser saves the cookie to the hard disk; after closing and reopening the browser the cookie remains valid until the set expiration time passes. Cookies stored on disk can be shared between different browser processes, for example two IE windows.
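A small parser for the Set-Cookie format described above, added here as an example that is not from the original post. It splits one header line into the NAME=VALUE pair and its attributes and reports whether the cookie is a session cookie (no Expires or Max-Age) and whether the Secure and HttpOnly flags are present; the sample headers are constructed from the format shown in the text.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

// Hypothetical parser (not from the original post) for a single Set-Cookie header line.
public final class SetCookieInfo {
    public final String name;
    public final String value;
    public final Map<String, String> attrs = new LinkedHashMap<>(); // keys lower-cased

    private SetCookieInfo(String name, String value) {
        this.name = name;
        this.value = value;
    }

    public static SetCookieInfo parse(String header) {
        String s = header.trim();
        if (s.regionMatches(true, 0, "Set-Cookie:", 0, 11)) s = s.substring(11).trim();
        String[] parts = s.split(";");                   // attributes are ';'-separated
        String[] nv = parts[0].split("=", 2);            // first part is NAME=VALUE
        SetCookieInfo info = new SetCookieInfo(nv[0].trim(), nv.length > 1 ? nv[1].trim() : "");
        for (int i = 1; i < parts.length; i++) {
            String p = parts[i].trim();
            if (p.isEmpty()) continue;                    // tolerate a trailing ';'
            String[] av = p.split("=", 2);                // flags such as Secure have no '='
            info.attrs.put(av[0].trim().toLowerCase(Locale.ROOT), av.length > 1 ? av[1].trim() : "");
        }
        return info;
    }

    // Session cookie = neither Expires nor Max-Age given: kept in browser memory only.
    public boolean isSessionCookie() {
        return !attrs.containsKey("expires") && !attrs.containsKey("max-age");
    }
    public boolean isSecure()   { return attrs.containsKey("secure"); }
    public boolean isHttpOnly() { return attrs.containsKey("httponly"); }

    public static void main(String[] args) {
        // Constructed samples: the header from the text, and a session-only hardened variant.
        String[] samples = {
            "Set-Cookie: JSESSIONID=mysession; Expires=Thu, 05-Jun-2008 05:02:50 GMT; Path=/web;",
            "Set-Cookie: JSESSIONID=mysession; Path=/web; Secure; HttpOnly"
        };
        for (String h : samples) {
            SetCookieInfo c = parse(h);
            System.out.println(c.name + " session=" + c.isSessionCookie()
                + " secure=" + c.isSecure() + " httponly=" + c.isHttpOnly()
                + " path=" + c.attrs.get("path"));
        }
    }
}
```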

What if cookies are disabled in the browser?

Cookies can be deliberately disabled, so there must be another mechanism that can still pass the session id back to the server when cookies are blocked.

  [1] URL rewriting: the session id is appended directly to the URL path, as on JSP sites where you often see aaa.jsp?JSESSIONID=*.

  [2] A hidden field added to the web form. This works the same way as URL rewriting, except that URL rewriting sends the data via GET while the hidden field sends it via POST. The latter is obviously more cumbersome.

  That is, the server automatically modifies the form and adds a hidden field, so the session id is passed back to the server when the form is submitted. For example:

<form name="testform" action="/xxx">
<input type="hidden" name="jsessionid" value="ByOK3vjFD75aPnrF7C2HmdnV6QZcEbzWoWiBYEnLerjQ99zWpBug!-145788764">
<input type="text">
</form>

 

Differences between Cookie and Session

1. Cookie data is stored on the client and is used to record user information; session data is stored on the server.

2. Because a Cookie is stored on the client, it is visible to the client: client-side programs may inspect, copy or even modify its contents. A Session is stored on the server and is invisible to the client, so there is no danger of sensitive information leaking.

  If you choose Cookies, the better approach is to avoid writing sensitive information such as account names and passwords into them. Best is to do as Google and Baidu do: encrypt the Cookie information and decrypt it after it is submitted to the server, so that only you can read what is in the Cookie. Choosing Session is much simpler: since everything sits on the server, any private data can go into the Session.

3. Sessions are kept on the server side and every user produces one. With very many concurrent users, very many Sessions are produced, consuming a large amount of server memory. So sites with extremely high concurrency such as Google and Baidu are unlikely to use Sessions to track client conversations.

  Cookies are stored on the client and consume no server resources. With very many concurrent users, Cookies are a good choice.

4. Cookies are limited in both size and number. A single cookie cannot exceed 4KB, and many browsers allow a site to store at most 20 cookies; sessions have no such problem.

5. So the recommendation: store important information such as login state in the SESSION; other information that needs to be kept can go in a COOKIE.

Difference between Session and Cache

  A Session is the conversation state of a single user. When a user visits the site, a SESSIONID is generated and kept in a COOKIE. On every request to the server this COOKIE is sent, and the server looks up whether it holds data stored under this SESSIONID. Cache, by contrast, is a server-side store that all users can access and share. Because reading from Cache is fast, some systems (sites) put frequently used data into the Cache to speed up access and improve performance.

If there are thousands of sessions, how do you improve efficiency? (What do you do when session traffic is heavy?)

  Put sessions into an in-memory cache such as Redis or memcache, or store sessions on SSD disks.

 

Origin www.cnblogs.com/HuiH/p/12621225.html