HttpSession object
The HttpSession object is an instance of javax.servlet.http.HttpSession. This interface does not have a parent interface like HttpServletRequest or HttpServletResponse. This interface is just a pure interface. This is because the session itself belongs to the scope of the HTTP protocol.
For the server, every client connected to it is a session , that is, every browser connected to the server, the servlet container uses this interface to create a session between the HTTP client and the HTTP server. The session will remain for a specified period of time, spanning multiple connections or page requests from users. A session corresponds to a user, and the user may visit a site multiple times. You can view and manipulate information about a session through this interface, such as the session identifier, creation time, and last access time. In the entire session, the most important thing is the operation of attributes.
Both the client and the server can perceive the session. If a new browser is reopened, the previously set session cannot be obtained, because each session is only saved in the current browser and obtained on the relevant page.
The function of the session is to represent a session, or to confirm a user; and to share data during a session (multiple requests from a user). We can get the session object of the current session through the request.getSession() method.
Obtaining the Session object
Session is obtained through the request object.
When the Session object is obtained, it will first determine whether the Session exists. If it exists, it will get the Session object. If it does not exist, it will create the Session object.
//获取session对象
HttpSession session = req.getSession();
Common methods:
//获取session的唯一会话标识符
String id = session.getId();
//获取session的创建时间
System.out.println(session.getCreationTime());
//获取session最后一次访问时间
System.out.println(session.getLastAccessedTime());
//判断是否是新的session对象
System.out.println(session.isNew());
Identifier JSESSIONID
A session has a unique identifier. This symbol is sessionId.
Whenever a request arrives at the server, if a session is opened (session is accessed), the server will first check whether a cookie named JSESSIONID is returned from the client. If not, it will be considered as a new session, a new Session object will be created, and a unique ID will be used to mark the session.
If there is a return of JESSIONID, the server will check whether there is a session object whose id is the value of JSESSION according to JESSIONID. If not, it will be considered as a new session, a new session object will be created, and the session will be identified (this For example, if the server restarts, there are no such objects in the server, and the corresponding session object cannot be found when the ID is passed.
If there is, the session object is returned, and the data is shared.
Entitled JSESSIONID is a rather special cookie, when the user requests the server, if access to the session, the server creates a named JSESSIONID , the session is acquired (either acquired or newly created) the sessionid The cookie object is added to the response object, and the response is sent to the client. The effective time is to close the browser.
So the bottom layer of Session depends on cookie implementation.
Session domain
The Session object is stored in the server memory, so it can be used for data sharing between multiple requests, while the request domain object can only take effect in one request, which has a higher scope than the request domain object session.
Destruction of the Session object
When the client requests the servlet for the first time and operates the session, the Session object is created and generated. The default survival time of the Session in Tomcat is 30 minutes. If the session is not operated during this period, it will be automatically destroyed. If there is an operation, the session will be timed again. .
The default valid time of the session can be modified in the web.xml file under the conf directory in Tomcat.
<!-- session默认的最大不活动时间。单位:分钟-->
<session-config>
<session-timeout>30</session-timeout>
</session-config>
In addition to the above modification methods, we can also set the life cycle of the session in the program, through session.setMaxInactiveInterval(int) to set the maximum inactivity expiration time of the session, in seconds.
//获取session对象
HttpSession session = req.getSession();
//设置session最大不活动时间,单位为秒
session.setMaxInactiveInterval(15);//15秒
The third type: immediate destruction (most
used ) can be used for things like logout and login
//立即销毁 可以通过 session.invalidate() 方法让 session 立即失效
session.invalidate();
Fourth: Close the browser
Because the bottom layer of the session relies on cookie implementation, and the effective time of cookie is to close the browser. So the session is equivalent to invalid when the browser is closed.
Fifth: Shut down the server
When the server is closed, the session is destroyed.
Session failure means the end of the session and the end of data sharing