Preliminary solution of session operation mechanism (3)

Five, Understanding javax.servlet.http.HttpSession

    HttpSession is the Java platform's specification of the session mechanism. Because it is only an interface, each web application server vendor provides its own implementation, and beyond supporting the specification those implementations differ in subtle ways that the specification does not define. Here we use BEA's WebLogic Server 8.1 as the example. (WebLogic Server is one of the main products of the US company Oracle, obtained through its acquisition of BEA. It is one of the main commercial Java (J2EE) application servers and has been released up to version 12cR2 (12.2.1.3).)

    First, WebLogic Server provides a series of parameters that control its HttpSession implementation, including a switch for using cookies, a switch for using URL rewriting, session persistence settings, the session expiration time, and various cookie settings such as the cookie name, path, domain, and lifetime.

    In general, sessions are stored in memory, and when the server process is stopped or restarted, the sessions in memory are cleared as well. If session persistence is configured, the server saves sessions to the hard disk, and the information can be used again after the server process restarts. The persistence methods supported by WebLogic Server include file, database, client-side cookie storage, and replication.

    The setting of the cookie lifetime will affect whether the cookie generated by the browser is a session cookie. The default is to use session cookies.

    The cookie path is a very important option for web applications, and WebLogic Server's default handling of this option sets it apart from other servers.

Six, HttpSession common problems

    1. When was the session created?

    A common misconception is that a session is created as soon as a client accesses the server. In fact, it is not created until a server-side program calls a statement such as HttpServletRequest.getSession(true). Note that unless a JSP explicitly turns the session off with <%@ page session="false"%>, the statement HttpSession session = HttpServletRequest.getSession(true); is added automatically when the JSP file is compiled into a servlet; this is also the origin of the implicit session object in JSP.

    Since sessions consume memory resources, sessions should be turned off in all JSPs if they are not going to be used.

 

   2. When is the session deleted?

    Based on the previous discussion, a session is deleted in the following cases:

        a. The program calls HttpSession.invalidate();

        b. The time interval since the last time the session id sent by the client was received exceeds the session timeout setting

        c. The server process is stopped (non-persistent session)

 

   3. How to delete the session when the browser is closed

    Strictly speaking, this cannot be done. One workaround is to use the JavaScript handler window.onclose in all client pages to monitor the browser close action, and then send a request to the server to delete the session. But nothing can be done about abnormal cases such as a browser crash or the process being forcibly killed.

    

    4. What is HttpSessionListener for?

    You can create such listeners to monitor session creation and destruction events, so that you can do some work when such events occur. Note that the creation and destruction of the session triggers the listener, not the other way around. Similar listeners related to HttpSession are HttpSessionBindingListener, HttpSessionActivationListener and HttpSessionAttributeListener.

    

    5. Does the object stored in the session have to be serializable?

    Not necessarily. Objects need to be serializable only so that the session can be replicated across the cluster, persisted, or temporarily swapped out of memory by the server when necessary. Placing a non-serializable object in a WebLogic Server session results in a warning on the console.


    6. How to properly deal with the possibility of the client banning cookies

    Use URL rewriting for all URLs, including hyperlinks, form actions, and redirect URLs.

    

    7. Opening two browser windows to access the application will use the same session or different sessions

    See the discussion on cookies in the third subsection of Preliminary Solution (2). A session recognizes only ids, not people. Therefore, the browser used, the way the window was opened, and the way cookies are stored all affect the answer to this question.


    8. How to prevent session confusion caused by users opening two browser windows

    This problem is similar to preventing multiple submissions of a form and can be solved by setting a client-side token. That is, each time the server generates a different id, returns it to the client, and saves it in the session. When the client submits the form, the id must also be returned to the server. The program first checks whether the returned id matches the value stored in the session. If not, it means that this operation has already been submitted. Note that for a window opened by JavaScript window.open, this id is generally not set, or a separate id is used, to prevent the main window from becoming inoperable. It is recommended not to perform modification operations in a window opened by window.open, so that no id needs to be set for it.
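The one-time id check described in item 8, as an added example that is not part of the original article. The Map stands in for the HttpSession attribute calls so the class runs without a servlet container; the attribute name formToken and the method names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added example (not from the original article): one-time form id from item 8.
// The Map is a stand-in for HttpSession.setAttribute/removeAttribute.
public class FormTokenDemo {
    static final String FORM_TOKEN = "formToken"; // hypothetical attribute name
    static final SecureRandom RNG = new SecureRandom();

    // Called when the form page is rendered: a fresh unpredictable id is saved
    // in the session and returned for embedding in a hidden form field.
    static String issueToken(Map<String, Object> session) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        synchronized (session) { session.put(FORM_TOKEN, token); }
        return token;
    }

    // Called when the form is submitted. The stored id is removed before the
    // comparison, so it is single-use even if two submits race each other;
    // a mismatched submit also discards the stored id.
    static boolean consumeToken(Map<String, Object> session, String submitted) {
        Object expected;
        synchronized (session) { expected = session.remove(FORM_TOKEN); }
        if (expected == null || submitted == null) return false;
        // Constant-time comparison of the two ids.
        return MessageDigest.isEqual(
                ((String) expected).getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        String hidden = issueToken(session);
        System.out.println("first submit accepted:  " + consumeToken(session, hidden));
        System.out.println("repeat submit accepted: " + consumeToken(session, hidden));
        issueToken(session); // the form is rendered again in a second window
        System.out.println("stale window accepted:  " + consumeToken(session, hidden));
        System.out.println("missing id accepted:    " + consumeToken(session, null));
    }
}
```

In a servlet, the same two methods would take the HttpSession and use setAttribute and removeAttribute in place of the Map calls.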


    9. Why is session.setValue called again after changing the session value in WebLogic Server?

    This call mainly signals, in a cluster environment, that the value in the WebLogic Server session has changed and that the new session value needs to be copied to the other server processes.


    10. Why the session disappeared

    Apart from normal session expiry, the chance that the server itself is at fault should be minimal. Browser plug-ins are another possibility, and in theory a firewall or proxy server may also have problems in cookie processing.

    Most occurrences of this problem are caused by program errors; the most common is accessing another application from within one application.
