4. Session Management Technology

 

 7. Session management techniques

7.1 Cookie details

  • Cookie is the class defined by Sun for working with cookies. The data size of a cookie is theoretically limited to 4 KB.
  • Each browser can theoretically save no more than 200 cookies in total.
  • Each browser theoretically saves no more than 20 cookies for a specific site (website).

 

  • Create a Cookie object: Cookie c = new Cookie(String key, String value)
  1. key is the name (alias) of the cookie object; value is the data saved by the cookie
  2. Neither key nor value may contain Chinese characters

 

  • cookie.setMaxAge() sets how long the cookie is saved in the browser, in seconds
  1. A negative number, e.g. -1, tells the browser not to save the cookie
  2. 0 tells the browser to clear the cookie with the same key
  3. A positive integer specifies the save time

 

  • cookie.setDomain() sets the cookie to be saved across domains (sharing cookies across domains), but Tomcat does not support it!!
  • cookie.setPath() sets the path for which the cookie is carried. If not set, the default is the root path of the current site. If the root of the current site is used as the carrying path, requests to every path in the current site carry the cookie

 

Note: After configuring cookies, remember to write back to the browser: HttpServletResponse.addCookie(cookie);

 

7.2 Detailed HttpSession

  • HttpSession records the user's state. The mechanism relies on a cookie saved by the browser: the cookie records the user's state identifier (JSESSIONID), whose value is globally unique (a unique credential). The user carries this cookie when visiting the site, and the server uses the JSESSIONID credential to find the corresponding HttpSession object, which holds the user's state information. In other words, each credential corresponds to exactly one HttpSession object. It follows that managing user state with HttpSession is inseparable from cookie technology.

 

  • Create HttpSession object
  1. req.getSession(): if the request carries a JSESSIONID, the server looks up the corresponding HttpSession by that value; if the request does not carry a JSESSIONID, the server cannot find an HttpSession, so it creates a new HttpSession object and returns it. The session object obtained through req.getSession() is never NULL
  2. req.getSession(boolean flag): passing true is equivalent to req.getSession(); passing false returns the existing session if there is one and NULL if there is none
  • Manipulate the HttpSession object
  1. session.setAttribute(String key, Object value) stores data in the session
  2. session.setMaxInactiveInterval(int second) sets how long the session object is kept on the server. If it is not set, the default storage time is 30 minutes (the global session storage time applies). The global storage time is configured in the web.xml file:

<session-config>
<session-timeout>1</session-timeout> <!-- The unit is minutes; if it is not configured here, the default is 30 minutes -->
</session-config>

The timer starts when there is no activity, and the session object is cleared after 30 minutes.

  3. session.invalidate() manually clears the session object (this method is not recommended, it is too drastic!!)

  4. session.removeAttribute(String key) deletes the data saved in the session object under the given key

 

Summary: By default, a session lasts from opening the browser to closing the browser. The fundamental reason is that the JSESSIONID cookie saved by the browser is cleared by default when the browser is closed, while the corresponding HttpSession object saved by the server is still there!!! The server clears the HttpSession object after 30 minutes by default.
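
The Cookie and HttpSession calls from 7.1 and 7.2 combined in one servlet. This is an added example, not code from the original article. It assumes the javax.servlet API (Servlet 3.0 or later); the class name, the /state mapping, the "user" attribute and the "lastUser" cookie are hypothetical, and setHttpOnly(true) is an extra hardening call that the lists above do not cover.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

// Hypothetical servlet: the class name, the /state mapping, the "user"
// attribute and the "lastUser" cookie are assumptions made for this example.
@WebServlet("/state")
public class VisitStateServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain;charset=UTF-8");
        String action = req.getParameter("action");
        String name = req.getParameter("name");
        String cookiePath = req.getContextPath() + "/state";

        if ("set".equals(action) && name != null) {
            // getSession() never returns null: it creates a session if needed.
            HttpSession session = req.getSession();
            session.setAttribute("user", name);
            session.setMaxInactiveInterval(60); // seconds; overrides web.xml

            // URL-encode so non-ASCII input (e.g. Chinese) is a legal value.
            Cookie c = new Cookie("lastUser", URLEncoder.encode(name, "UTF-8"));
            c.setMaxAge(7 * 24 * 60 * 60);      // positive: keep for 7 days
            c.setPath(cookiePath);              // carried only for this path
            c.setHttpOnly(true);                // hidden from page scripts
            resp.addCookie(c);                  // write back to the browser
            resp.getWriter().println("stored");
        } else if ("clear".equals(action)) {
            // getSession(false) returns null instead of creating a session.
            HttpSession session = req.getSession(false);
            if (session != null) {
                session.removeAttribute("user");
            }
            Cookie c = new Cookie("lastUser", "");
            c.setMaxAge(0);                     // 0: browser deletes the cookie
            c.setPath(cookiePath);              // must match the original path
            resp.addCookie(c);
            resp.getWriter().println("cleared");
        } else {
            // Read-only branch: an anonymous visitor does not get a session.
            HttpSession session = req.getSession(false);
            Object user = (session == null) ? null : session.getAttribute("user");
            resp.getWriter().println(user == null ? "no session state" : "user=" + user);
        }
    }
}
```

After a "set" request the lastUser cookie survives a browser restart for seven days, while the JSESSIONID cookie is dropped when the browser closes and the server-side session expires after 60 seconds without requests.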
