Session Introduction

Disclaimer: The materials used in this column are written by VIP students of Kaige Academy. Students have the right to remain anonymous and have the right to final interpretation of the article. Kaige Academy aims to promote VIP students to learn from each other based on public notes.

In computing, and especially in network applications, a session is known as "session control". The Session object stores the properties and configuration information required for a specific user session. Variables stored in the Session object are therefore not lost when the user moves between Web pages in the application; they persist for the whole user session. When a user requests a Web page from an application, the Web server automatically creates a Session object if the user does not already have one. When the session expires or is abandoned, the server terminates it. One of the most common uses of the Session object is to store user preferences. For example, if the user indicates that they do not like viewing graphics, this information can be stored in the Session object.
In fact, Session and cookie are similar technologies for maintaining session state between the client and the server, but Session is more secure than cookie. This is because Session data is stored on the server, which correspondingly increases the load on the server. Therefore, Session is used to store relatively private data, such as username and password and user information.

The difference between session and cookie

The biggest difference between cookies and sessions is that one stores data on the client and the other stores data on the server. A cookie stores information in the client's browser memory or on disk, so it is not very secure: others can analyze the cookie data stored locally to steal user information or carry out cookie spoofing.
Therefore, the session is better in terms of security. Session communication is generally implemented through cookies. Unlike cookies, a session saves only a sessionID on the client side and no specific data; the specific data of the session is stored only on the server side. In the Servlet, the session data is encapsulated in an object, and this object is stored in the object pool. When the client makes a request, it brings its sessionID. The server obtains the corresponding session object from the object pool according to the sessionID and reads the specific data of the session from that object. The server uses this session data to maintain or change the state of the session with the client.

Session mechanism

As introduced above, a Session consists of two main things: the SessionID, and the Session object stored in the server-side object pool. When the client accesses the server, the server first determines whether the client's request data contains a SessionID. If not, the client is considered to be accessing for the first time. Because it is the first visit, the server creates a Session object in the object pool for the client (assuming that the session needs to be maintained), generates the SessionID of this object, returns the SessionID to the client in a cookie, and puts the Session object back into the object pool. After the client receives the response data, it stores the SessionID locally. The next time it visits the server, it brings the SessionID, and the server can obtain the corresponding Session object through the SessionID. This is the mechanism by which Session maintains the session state.
Schematic:

image

How to get the Session object

In the code, the Session object is obtained through the getSession method of the request. This method accepts a Boolean parameter; if none is passed, the default is true.
When the parameter value is true, the server first checks whether the client sent a SessionID, and if not, it creates a new session object. If there is a SessionID, it fetches the session object from the pool. If there is no matching session object in the object pool, a new session object is created.
Code example:

image

In the browser, you can see that the generated SessionID is saved in Cookies:

image

The session ID cookie generated by Java code is generally named JSESSIONID, and the value of this JSESSIONID is unique.

When the parameter value is false, if the client sent a SessionID, the server fetches the session object directly from the pool. If no matching object is found, it returns null. If there is no SessionID, it also returns null.
Code example:

image

When I close the browser and open it again, the SessionID will be cleared. At this time, the session object will not be created when I visit again:

image

It can be seen that there is no SessionID in Cookies, which is the role of the true and false parameters.

image

Mind map:

image

Session timeout configuration and name configuration (configured in web.xml)

The expiration time of the session can be set in web.xml. When the session reaches the expiration time, it is destroyed. The name of the session cookie in the browser can also be customized in web.xml. The configuration syntax is as follows:

image

Operation result:

image

Methods in the HttpSession interface

The Session object is of the HttpSession interface type, so you can call the methods of HttpSession. The main methods are:
getAttribute(String): gets the value stored under the key
getAttributeNames(): gets the keys stored in the session
removeAttribute(String): deletes the data stored under the key
setAttribute(String, Object): stores the key and value; if the key already exists, its value is overwritten
invalidate(): destroys the session object
isNew(): determines whether the session object is newly created
getCreationTime(): gets the creation time of the session object, returned as a long integer
getId(): gets the sessionID
getLastAccessedTime(): gets the last access time of the session

Code example:

image

Operation result:

image
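
An added example, not code from the original article, that exercises getSession(false), getSession(true) and the HttpSession methods listed above in one servlet. The class name, URL, query parameters and attribute name are hypothetical, and the javax.servlet imports assume Tomcat 9 or earlier (Tomcat 10 and later use jakarta.servlet).

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Collections;
import java.util.Date;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet: /session-info reports, ?create=1 creates, ?end=1 destroys
@WebServlet("/session-info")
public class SessionInfoServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        resp.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        // getSession(false): look up only, never create. Returns null when the
        // request carries no session ID or the ID matches no live session.
        HttpSession session = req.getSession(false);
        if (session == null && req.getParameter("create") == null) {
            out.println("no session: getSession(false) returned null");
            return;
        }
        if (session == null) {
            // getSession(true): create the object and send the ID in Set-Cookie
            session = req.getSession(true);
        }

        Integer visits = (Integer) session.getAttribute("visits");
        // setAttribute overwrites the previous value stored under the same key
        session.setAttribute("visits", visits == null ? 1 : visits + 1);

        // Show only a prefix of the ID: the full value is a bearer credential
        out.println("id prefix     : " + session.getId().substring(0, 6) + "...");
        out.println("isNew         : " + session.isNew());
        out.println("created       : " + new Date(session.getCreationTime()));
        out.println("last accessed : " + new Date(session.getLastAccessedTime()));
        out.println("attributes    : " + Collections.list(session.getAttributeNames()));

        if (req.getParameter("end") != null) {
            session.removeAttribute("visits");
            session.invalidate(); // server-side object is gone; the old ID no longer resolves
        }
    }
}
```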

How the Session is saved to disk when Tomcat shuts down

When Tomcat is shut down normally, it stores the session data on disk, and the data is restored the next time Tomcat starts:
Code:

image

After accessing the page, shut down Tomcat normally. The session data is saved to disk and read back the next time Tomcat is started:

image

This save path is found in the log information printed on the console.

If you save a custom object in the session data, you need to implement the serialization interface for this object before saving, otherwise it cannot be written to disk:

image

Serialization is the process of converting the state information of an object into a form that can be stored or transmitted, which means that object data needs to be serialized before it can be stored on disk, otherwise it cannot be stored.
Save the object to session data:

image

In this way, the session containing the object data can be saved to the disk normally.
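
The serialization requirement described above, as an added stand-alone example that is not code from the original article. The class and field names are hypothetical; it writes the objects with plain Java serialization, which is the mechanism the Serializable interface enables, and shows that a field marked transient is left out of the stored bytes while a class without Serializable cannot be written at all.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class SessionAttributeDemo {
    // Hypothetical session attribute that can be written to disk
    static class UserProfile implements Serializable {
        private static final long serialVersionUID = 1L;
        final String username;
        // transient: skipped by serialization, so the secret never reaches the disk
        transient char[] password;
        UserProfile(String username, char[] password) {
            this.username = username;
            this.password = password;
        }
    }

    // Same kind of object without Serializable: writing it fails
    static class PlainProfile {
        final String username = "alice";
    }

    static byte[] write(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values
        byte[] bytes = write(new UserProfile("alice", "s3cret".toCharArray()));
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            UserProfile restored = (UserProfile) in.readObject();
            System.out.println("username restored: " + restored.username);
            System.out.println("password is null after restore: " + (restored.password == null));
        }
        try {
            write(new PlainProfile());
        } catch (NotSerializableException e) {
            System.out.println("cannot be stored: " + e.getMessage());
        }
    }
}
```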

Login example

Use the above knowledge points to make a small example of login, so that the client can keep the login state through the session. For simplicity, it does not involve connecting to the database:
HTML code:

image

Servlet code for processing login business:

image

Servlet code for successful login:

image

Servlet code to log out:

image

Operation result:

image

image

Generally, only the page that needs to store data in the session uses the getSession() method to create the session object, and other pages call the getSession(false) method.
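
The login flow described in this section, as an added example that is not the original article's code. It folds the three servlets into one hypothetical class with constructed credentials and an assumed login.html form page, creates the session only on successful login, discards any pre-login session so the authenticated session gets a fresh ID, and uses getSession(false) everywhere else. The javax.servlet imports assume Tomcat 9 or earlier.

```java
import java.io.IOException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet: POST /login, GET /home, POST /logout
@WebServlet(urlPatterns = {"/login", "/home", "/logout"})
public class LoginFlowServlet extends HttpServlet {
    // Constructed demo credentials standing in for a database lookup
    private static final String DEMO_USER = "demo";
    private static final String DEMO_PASS = "demo-pass";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Look up only: a failed login or a logout must not create a session
        HttpSession existing = req.getSession(false);
        switch (req.getServletPath()) {
            case "/login":
                if (!DEMO_USER.equals(req.getParameter("username"))
                        || !DEMO_PASS.equals(req.getParameter("password"))) {
                    resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                    return;
                }
                // Discard any pre-login session so the ID changes at login
                if (existing != null) existing.invalidate();
                // Store the identity only, never the password
                req.getSession(true).setAttribute("user", DEMO_USER);
                resp.sendRedirect(req.getContextPath() + "/home");
                return;
            case "/logout":
                if (existing != null) existing.invalidate();
                resp.sendRedirect(req.getContextPath() + "/login.html"); // assumed form page
                return;
            default:
                resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);
        Object user = (session == null) ? null : session.getAttribute("user");
        // Only /home is served by GET, and only to a logged-in session
        if (!"/home".equals(req.getServletPath()) || user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().println("logged in as " + user);
    }
}
```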
