Session technology, April 2021

Session technology

1. A cookie is a text string sent to the client's browser and stored on the client's hard disk. It can be used to persist data across sessions with a given web site.

2. A session refers to the period of time from when a visitor arrives at a site until they leave. The session actually uses a cookie for its bookkeeping: when the user makes the first request, the server creates a cookie in the user's browser, and when the session ends, that cookie has in effect expired.
Note: The cookie created for this user is named aspsessionid. Its sole purpose is to identify each user distinctly.

3. What cookie and session have in common is that both are session-tracking mechanisms used to identify the browser user.

4. The difference between cookie and session: cookie data is stored on the client side, while session data is stored on the server side.
Simply put, when you log in to a website:

· If the web server uses a session, then all the data is stored on the server. The client sends the sessionid of the current session on every request, and the server looks up the user data associated with that sessionid to decide whether the user is logged in or has certain permissions. Because the data is stored on the server, it cannot be forged; but if someone obtains the sessionid of a logged-in user, forging that user's requests with a special browser can still succeed. The sessionid is assigned randomly when the client connects to the server. Generally there is no duplication, but with a large number of concurrent requests duplication is not impossible.

· If the browser uses cookies, then all the data is stored on the browser side. For example, after you log in, the server sets a cookie holding the user name; when you request the server again, the browser sends the user name along, and these variables carry a special marker that the server interprets as cookie variables. So as long as the browser is not closed, the cookie variables remain valid, which is how you can stay logged in for a long time. If someone can intercept a user's cookie variables and then forge a packet and send it, the server will still regard them as legitimate. Therefore the likelihood of being attacked when using cookies is relatively high. If a validity period is set, the cookie is saved on the client's hard disk; the next time the site is visited, the browser first checks whether there is a cookie and, if so, reads it and sends it to the server. If a forum cookie with a one-year validity period is saved on your machine and someone breaks into your machine, copies your cookie and puts it in the directory of their own browser, then when they log in to that site they do so under your identity. So cookies can be forged. Of course, forging takes some care: the browser does not accept a cookie file simply copied into the cookie directory, because it has an index.dat file that records when each cookie file was created and whether it was modified, so you must first have a cookie file for that site and make the timestamps fool the browser.

5. Both can be used to store private data, and both have a validity period. The difference is that the session is kept on the server, and whether it expires depends on the server's settings, whereas the cookie lives on the client, and its validity period can be set when the cookie is generated.

(1) Cookie data is stored in the client's browser, while session data is on the server.
(2) Cookies are not very secure: others can analyze the cookies stored locally and carry out cookie deception. If security is the main concern, the session
(3) The session is kept on the server for a certain period of time. When the number of visits grows, it consumes server resources. If the main consideration is reducing the load on the server, cookies should be used.
(4) The limit for a single cookie on the client is 3K, which means the cookies a site stores on the client cannot exceed 3K.
(5) Therefore: store important information such as login information in the SESSION; other information that needs to be kept can be put in a COOKIE.

cookie

Here we will explain several important properties:

maxAge: the validity period of this cookie on the client, in seconds. The default value is -1, meaning the cookie becomes invalid when the browser is closed; a positive value is the number of seconds the cookie remains valid; a value of 0 makes the cookie invalid immediately and the browser deletes it;

path: indicates that this cookie is valid for the given path and its subdirectories. For example, if path is set to /rest, the client will send this cookie with a /rest/aaaServlet request; if you want the cookie to be valid for the whole site, set it to /;

domain: the domain name that can access this cookie. If it is not set, it is derived from the URL of the current request; when we set it manually, we can use a leading "." to give the cookie a wider domain scope. For example, with domain set to ".csdn.net", a visit to "https://lizishudd.blog.csdn.net/" can also use the cookie under ".csdn.net" (provided the cookie's path also matches);
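The three attributes above, set and read from a servlet, as an added example that is not code from the original post; the cookie name "theme", the path /rest and the domain .example.com are made-up values:

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Example servlet; the cookie name, path and domain below are made up.
public class CookieDemoServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Look for an existing "theme" cookie; getCookies() is null when none were sent.
        String theme = null;
        Cookie[] cookies = req.getCookies();
        if (cookies != null) {
            for (Cookie c : cookies) {
                if ("theme".equals(c.getName())) {
                    theme = c.getValue();
                }
            }
        }
        if (theme == null) {
            Cookie c = new Cookie("theme", "dark");
            c.setMaxAge(7 * 24 * 60 * 60); // positive: kept on disk for 7 days
            c.setPath("/rest");            // sent only for /rest and its sub-paths
            c.setDomain(".example.com");   // shared by all subdomains of example.com
            c.setHttpOnly(true);           // not readable from page scripts (Servlet 3.0+)
            c.setSecure(true);             // only sent over HTTPS
            resp.addCookie(c);
            theme = "dark";
        }
        // Deleting: same name, path and domain, with maxAge 0, tells the browser to remove it.
        if ("1".equals(req.getParameter("reset"))) {
            Cookie gone = new Cookie("theme", "");
            gone.setPath("/rest");
            gone.setDomain(".example.com");
            gone.setMaxAge(0);
            resp.addCookie(gone);
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("theme=" + theme);
    }
}
```

A cookie with maxAge left at -1 is kept only in browser memory and disappears when the browser exits, which is the behaviour the text describes for the default.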

session

1. When is the session created

A common misconception is that the session is created as soon as a client accesses the site. In fact it is created only when some server-side code calls a statement such as HttpServletRequest.getSession(true). Note that unless a JSP explicitly disables the session with <%@page session="false"%>, the statement HttpSession session = HttpServletRequest.getSession(true); is automatically added when the JSP file is compiled into a Servlet; this is also where the implicit session object in JSP comes from.

Since sessions consume memory, if you do not intend to use the session you should disable it in all JSPs.

2. When is the session deleted

Summarizing the discussion above, a session is deleted in the following cases: a. the program calls HttpSession.invalidate(); or b. the interval since the last time the client sent the session id exceeds the session timeout setting; or c. the server process is stopped (for non-persistent sessions).

3. How to delete the session when the browser is closed

Strictly speaking, this cannot be done. One thing you can try is to use the JavaScript window.onclose handler in every client page to watch for the browser being closed and then send a request to the server to delete the session. But this is still powerless against unconventional cases such as the browser crashing or its process being forcibly killed.

4. What is HttpSessionListener about

You can create such a listener to monitor session creation and destruction events, so that you can do the corresponding work when these events happen. Note that it is the creation and destruction of the session that trigger the listener, not the other way round. Similar listeners related to HttpSession are HttpSessionBindingListener, HttpSessionActivationListener and HttpSessionAttributeListener.

5. Must objects stored in the session be serializable

Not necessarily. Requiring objects to be serializable is only so that the session can be replicated in a cluster, persisted, or temporarily swapped out of memory by the server when necessary. Putting a non-serializable object into a session in Weblogic Server produces a warning on the console. In one iPlanet version I have used, if the session contained a non-serializable object, an Exception was thrown when the session was destroyed, which was strange.

6. How to correctly handle the possibility that the client has disabled cookies

Use URL rewriting for all URLs, including hyperlinks, form actions and redirect URLs; see [6] for details:

http://e-docs.bea.com/wls/docs70/webapp/sessions.html#100770

7. Do two browser windows accessing the application use the same session or different sessions

See the discussion of cookies in section 3. A session recognizes only the id, not the person, so different browsers, different ways of opening windows and different cookie storage methods all affect the answer to this question.

8. How to prevent session confusion caused by the user operating in two browser windows

This problem is similar to preventing duplicate form submission and can be solved with a client-side token. Each time, the server generates a different id, returns it to the client and also saves it in the session; when the client submits the form it must send this id back to the server, and the program first compares the returned id with the value saved in the session. If they differ, this operation has already been submitted. See the section on presentation-tier patterns in "Core J2EE Patterns". Note that for windows opened with JavaScript window.open this id is generally not set, or a separate id is used, so that the main window does not become inoperable; it is recommended not to perform modifying operations in windows opened by window.open, so that no id needs to be set there.
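The one-time token described above, implemented with HttpSession, as an added example that is not code from the original post; the class name, the session attribute name and the form field name are made up:

```java
import java.io.IOException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Example servlet; attribute and parameter names are made up.
public class OrderFormServlet extends HttpServlet {
    private static final String TOKEN_ATTR = "form.token";
    private static final SecureRandom RNG = new SecureRandom();

    // GET: issue a fresh, unpredictable token, keep it in the session and embed it in the form.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String token = new BigInteger(128, RNG).toString(32);
        req.getSession(true).setAttribute(TOKEN_ATTR, token);
        resp.setContentType("text/html");
        resp.getWriter().println("<form method='post'>"
            + "<input type='hidden' name='token' value='" + token + "'>"
            + "<input type='submit' value='Place order'></form>");
    }

    // POST: accept only if the submitted token equals the one in the session,
    // then remove it so a second submit (or a stale second window) is rejected.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(TOKEN_ATTR);
        String submitted = req.getParameter("token");
        // Constant-time comparison so the token cannot be guessed byte by byte.
        if (expected == null || submitted == null
                || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                          submitted.getBytes(StandardCharsets.UTF_8))) {
            resp.sendError(HttpServletResponse.SC_CONFLICT, "token missing or already used");
            return;
        }
        session.removeAttribute(TOKEN_ATTR); // single use
        resp.getWriter().println("order accepted");
    }
}
```

The compare-then-remove is not atomic across two simultaneous POSTs from the same session; if that matters, guard it with a session-scoped lock.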

9. Why must session.setValue be called again after changing a value in the session in Weblogic Server

This is done mainly to notify Weblogic Server, in a cluster environment, that a value in the session has changed and the new session value needs to be replicated to the other server processes.

10. Why did the session disappear

Apart from normal session expiry, a problem in the server itself is very unlikely, although I did run into one on Solaris with iPlanet6SP1 plus several patches; browser plugins are the next possibility, and I have also run into problems caused by the 3721 plugin; in theory a firewall or proxy server could also mishandle cookies.

Most occurrences of this problem are caused by program errors; the most common is accessing another application from within one application. We discuss this issue in the next section.

Definition of domain objects

Objects that can pass data between different Servlets are called domain objects.

Methods every domain object has

setAttribute(name, value): stores data
getAttribute(name): gets the value stored under name
removeAttribute(name): deletes data

Four types of domain objects and their scope

page (one JSP page) -> the page domain refers to pageContext. (It is basically not used in the front-end/back-end separation mode, so this article will not cover it.)
request (one request) -> the request domain refers to HttpServletRequest (must master)
session (one session) -> the session domain refers to HttpSession
application (the current web application) -> the application domain refers to ServletContext
They are domain objects because each has a built-in map collection, and each has setAttribute and getAttribute methods.

Request domain

Data transfer with the request domain object:
The request object provides a getRequestDispatcher method, which returns a RequestDispatcher object. Calling the forward method of this object performs request forwarding, so that the data in the request is shared.

Life cycle of the request:
A request object is created when a request arrives and destroyed when the request ends.
Each request is a new request object.
The request domain object is a recommended and frequently used domain object, because its life cycle is relatively short, which makes it more efficient and releases resources promptly.

Session domain object

Session life cycle
When the request.getSession() method is called for the first time, the server checks whether a corresponding session exists; if not, it creates a session in memory and returns it.
(1) When the session has not been used for a period of time (30 minutes by default), the server destroys the session.
(2) If the server shuts down abnormally, sessions that have not yet expired are also destroyed.
(3) If the invalidate() method provided by the session is called, the session is destroyed immediately.
The user opens the browser and accesses the site, and a session is created (start); when the session times out or is invalidated, the object's life cycle ends.

Scope of the session: one session, multiple requests.
HttpSession: on the server, a unique memory area is created for the browser, and session-related information is saved in it.
Note: when the server is shut down normally and restarted, the Session object is passivated and then activated. If the time the server spends passivated is within the session's default destruction time, the session still exists after activation; otherwise the Session no longer exists. If a JavaBean stored in the session does not implement Serializable when the session is passivated, its data is gone when the session is activated.

Different requests to the same server obtain the same unique session.
When the session is generated: when the request object calls the getSession method, the server generates a unique ID for the Session object.
When the server responds to the client request, it sets a Set-Cookie header in the response message; the header contains a JSESSIONID, which is the identifier of the Session object, and the browser processes it when the response comes back. When the client sends a request again, the browser automatically appends the Cookie header to the message, which passes the JSESSIONID to the server. When request.getSession is then called on the server side, the object corresponding to that session id is obtained and no new Session is generated.

HttpSessionListener, a powerful tool for monitoring sessions
A session creation event occurs every time a new session is created; similarly, a session invalidation event occurs every time a session expires. Whenever any session is created or destroyed, the SessionCounter class is notified. For example, to count the number of users online on a website, you can use an HttpSessionListener to monitor sessions.
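The SessionCounter mentioned above, written as an HttpSessionListener, as an added example that is not code from the original post; the 15-minute idle timeout it applies is an assumption for the demo:

```java
import java.util.concurrent.atomic.AtomicInteger;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Registered automatically on Servlet 3.0+; on older containers declare it
// with a <listener> element in web.xml instead.
@WebListener
public class SessionCounter implements HttpSessionListener {
    // One counter shared by every session, so it must be thread-safe.
    private static final AtomicInteger LIVE = new AtomicInteger();

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        LIVE.incrementAndGet();
        // Assumption for the demo: expire idle sessions after 15 minutes
        // instead of the container default of 30 minutes.
        se.getSession().setMaxInactiveInterval(15 * 60);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Fired on invalidate(), on idle timeout, and when the container
        // shuts down without persisting sessions.
        LIVE.decrementAndGet();
    }

    // Number of sessions currently alive in this JVM.
    public static int liveSessions() {
        return LIVE.get();
    }
}
```

The count is per JVM: in a cluster each node counts only the sessions it holds, and a session restored by activation after a restart fires no creation event.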

When a session is created
A session object is not created as soon as the web page is opened. For a Servlet request, the session is generated only when the following code is called inside the Servlet:

HttpSession session = request.getSession();
// or
HttpSession session = request.getSession(true);

If written as follows, no session is created:

HttpSession session = request.getSession(false);
If instead we visit a JSP page, the JSP page has a built-in session object that encapsulates the call that obtains the session, so the session is created as soon as the JSP page is opened.
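A filter that relies on the getSession(false) behaviour just described, so that unauthenticated requests never cause a session to be created, as an added example that is not code from the original post; the "user" attribute, the /app/* and /login paths, and the login helper are assumptions:

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Example filter; paths and the "user" attribute name are made up.
@WebFilter("/app/*")
public class LoginRequiredFilter implements Filter {
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        // false: return the live session matching the JSESSIONID cookie, or null;
        // never allocate a new one for an anonymous visitor.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            resp.sendRedirect(req.getContextPath() + "/login");
            return;
        }
        chain.doFilter(request, response);
    }

    // Added defensive practice for the login servlet to call: drop the pre-login
    // session and start a fresh one, so an id issued before authentication is never reused.
    public static HttpSession login(HttpServletRequest req, String userName) {
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true); // true: create now, new JSESSIONID
        fresh.setAttribute("user", userName);
        return fresh;
    }

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void destroy() { }
}
```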

ServletContext domain object

Life cycle of the ServletContext:
Created when the WEB application is created, destroyed when the WEB application is closed.

Scope:
The whole WEB application

Roles
1. Forwarding between different servlets.

this.getServletContext().getRequestDispatcher("/servlet1").forward(request,response);

Reading files
1. From the root directory of the web application:

InputStream stream = this.getServletContext().getResourceAsStream("conf.properties");
Properties properties = new Properties();
properties.load(stream);
String name = properties.getProperty("name");
String password = properties.getProperty("password");

2. Under src:

InputStream stream = MyServlet.class.getClassLoader().getResourceAsStream("conf.properties");

3. Under a package below src:

InputStream stream = MyServlet.class.getClassLoader().getResourceAsStream("com/haoeasy/conf.properties");

4. Getting the absolute path (getResource returns a URL; an InputStream has no getPath method):

String path = MyServlet.class.getClassLoader().getResource("com/haoeasy/conf.properties").getPath();

Origin blog.csdn.net/weixin_44177643/article/details/115209354