Implementing automatic login in a Java Web program

In many web programs, after you log in for the first time, you do not need to log in again when you access the same web program within a certain period of time (such as 2 hours); you go directly to the program's main interface (on the same machine only). The key to this feature is that the server must be able to identify the client, and using cookies is the simplest form of authentication.

When the user logs in for the first time, the user name can be written to the client as a cookie. The code is as follows:

Cookie cookie = new Cookie("user", user);
cookie.setMaxAge(365 * 24 * 3600);
cookie.setPath("/");
response.addCookie(cookie);


When the user visits the program again, the server program should check whether the cookie exists. The code is as follows:

Cookie[] cookies = request.getCookies();   // null when the request carries no cookies
if (cookies != null)
{
    for (Cookie cookie : cookies)
    {
        // The cookie was stored under the name "user"
        if ("user".equals(cookie.getName()))
        {
            // The user cookie exists; handle it here
            break;
        }
    }
}

Although the user cookie can be obtained from the client, the cookie may exist for a long time, and it is not safe to log in automatically based on this cookie alone. Therefore, a Session can be used on the server to manage users. That is, when the first login succeeds, a Session is created and some of the user's information is saved in it. The code is as follows:

HttpSession session = request.getSession();
session.setAttribute("user", user);          // stored under the fixed key "user"
session.setMaxInactiveInterval(2 * 3600);   // Session is kept for two hours


     
When the program is accessed again, after confirming that the cookie exists, it goes on to verify that the user Session exists. The code is as follows:

HttpSession session = request.getSession(false);   // do not create a new Session here
Cookie[] cookies = request.getCookies();            // null when the request carries no cookies
if (cookies != null)
{
    for (Cookie cookie : cookies)
    {
        if ("user".equals(cookie.getName()))
        {
            if (session != null && session.getAttribute("user") != null)
            {
                // forward directly to the main interface
                break;
            }
            else
            {
                // forward to the login interface
            }
        }
    }
}

Although the above code implements the automatic login function well, it stops working when the browser is closed and restarted: the JSESSIONID cookie that the Servlet container uses to store the Session ID is temporary (that is, it is not a persistent cookie, so it is deleted when the browser is closed). Therefore, the JSESSIONID needs to be persisted. The code is as follows:

HttpSession session = request.getSession();
session.setAttribute("user", user);
session.setMaxInactiveInterval(2 * 3600);   // Session is kept for two hours
Cookie cookie = new Cookie("JSESSIONID", session.getId());
cookie.setMaxAge(2 * 3600);   // The client's JSESSIONID is also kept for two hours
cookie.setPath("/");
response.addCookie(cookie);

 

With the code above, the Web program can still log in automatically within two hours, even if the browser has been closed.
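A hardened variant of the login and check steps above, as an added example that is not code from the original article: it rotates the Session ID at login, flags the persisted JSESSIONID cookie as HttpOnly and Secure, and takes the user's identity from the Session only, never from the value of the client-supplied user cookie. It assumes the javax.servlet API at Servlet 3.1 or later (for changeSessionId); the class AutoLogin and its method names are hypothetical.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Added example: hypothetical helper class, not from the original article. */
public final class AutoLogin {
    private static final int TWO_HOURS = 2 * 3600;   // same lifetime the article uses

    private AutoLogin() {}

    /** Call only after the submitted credentials have been verified. */
    public static void onLoginSuccess(HttpServletRequest request,
                                      HttpServletResponse response, String user) {
        HttpSession session = request.getSession();
        request.changeSessionId();   // Servlet 3.1+: discard any pre-login Session ID
        session.setAttribute("user", user);
        session.setMaxInactiveInterval(TWO_HOURS);

        // Persist the Session ID as the article does, with hardening flags added
        Cookie cookie = new Cookie("JSESSIONID", session.getId());
        cookie.setMaxAge(TWO_HOURS);
        cookie.setPath("/");
        cookie.setHttpOnly(true);               // not readable from page scripts
        cookie.setSecure(request.isSecure());   // HTTPS-only when the login ran over HTTPS
        response.addCookie(cookie);
    }

    /** Returns the logged-in user name, or null if the caller must log in again. */
    public static String currentUser(HttpServletRequest request) {
        HttpSession session = request.getSession(false);   // never create a Session here
        if (session == null) {
            return null;   // Session expired or never existed
        }
        // Identity comes from server-side state; the "user" cookie value is not trusted
        Object user = session.getAttribute("user");
        return (user instanceof String) ? (String) user : null;
    }
}
```

A servlet or filter would forward to the main interface when currentUser returns a name and to the login interface when it returns null.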

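If we add a JSESSIONID cookie ourselves, then on the first visit to the Web program the HTTP response headers contain two JSESSIONID cookies, but since the two JSESSIONID values are exactly the same, this has no effect. If the Set-Cookie fields of the response headers contain several cookies with the same name, they are compared by path and name; if both values are the same, they are considered the same cookie, and the last one to appear overwrites the earlier one. Of the following two cookies, for example, the last overwrites the first: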

Set-Cookie: JSESSIONID=DDB2274CAC6739E1D6747B0043D5D90E; Path=/web

Set-Cookie: JSESSIONID=mysession; Expires=Thu, 05-Jun-2008 05:02:50 GMT; Path=/web

Because the following two cookies have different paths, they are two completely different cookies:

Set-Cookie: JSESSIONID=DDB2274CAC6739E1D6747B0043D5D90E; Path=/web1

Set-Cookie: JSESSIONID=mysession; Expires=Thu, 05-Jun-2008 05:02:50 GMT; Path=/web2
