[Servlet and JSP] Request forwarding and redirection

Suppose there is a login system that requires users to enter a user name and password:

After the user fills in the form above and clicks the login button (type="submit"), the form contents are submitted as request parameters.

There are two ways to submit a form: GET and POST.
GET: explicit. The request parameters are appended to the URL (beginning with ?) and passed to the target server page over the TCP connection.
POST: sent in stages. The client first sends the request headers to the target server and, after receiving a positive reply (816 I'm a teapot! 100 Continue), sends the request body to the target server page. The request body is implicit.

For general security and functional reasons (the limited length of a URL directly limits GET), a login request like this is generally sent via POST. POST can also use different encodings for the request data, whereas GET has only one encoding (again because of the limits on what a URL can encode). If the request is only a temporary query, however, GET may be considered for speed (since a GET request is sent directly).

Of course, this is not the focus of today's discussion.

We submit the information with POST (the only method discussed here). On the server, code embedded in a JSP page or back-end Servlet code (strictly speaking JSP is also back-end code, because a JSP is equivalent to a Servlet, but it usually handles front-end concerns) begins processing the request. The server verifies the submitted information, and if verification succeeds the user is logged in.

So we have this situation:

If the login is correct, the server presents the home page (index.jsp) to the user (client); otherwise it presents the login error page (error.jsp).

However, there are two ways to handle the request: request forwarding (Request Dispatch) and redirection (Redirection):

  1. Request forwarding: LoginServlet on the server receives the request from login.jsp and verifies the request information. Based on the verification result, the request dispatcher (Request Dispatcher) dispatches the login request to index.jsp or error.jsp (hereinafter the results page).
  2. Redirection: LoginServlet on the server receives the request from login.jsp and verifies the request information. Based on the verification result, it issues a redirect (301 Redirect) to the client. On receiving the redirect response, the client makes a second request, and the server responds to it with the corresponding page.

Obviously, these two are different processes, and their results differ as well.

Request forwarding

Xiao Ming: Li Hua, please tell the physics teacher right away that the next physics class is changed to a sports class.
Li Hua: But I am the English class representative. You should go to our classmate Newton; he knows where the physics teacher's office is. Never mind, I can pass it on to him for you (memorizing: the next physics class is changed to a sports class).
Li Hua finds Newton.
Li Hua: Newton, please tell the physics teacher (recalling the memorized content: the next physics class is changed to a sports class) that the next physics class is changed to a sports class.
Newton: (memorizing: the next physics class is changed to a sports class) OK, I will pass the message on to the physics teacher.

Request forwarding is a relay process like this, similar to passing a torch:

login.jsp wraps the user's login information in a request and hands it to LoginServlet. After checking it, LoginServlet forwards the request to index.jsp, so index.jsp is able to know:

Ah, so it is the admin user who logged in.

In other words, the request information is preserved during forwarding, which of course is very good.
In a Servlet, request forwarding is performed through the getRequestDispatcher(url).forward(requ, resp) method of the built-in object request (mainly responsible for handling requests). url is the page to forward the request to. The requ and resp parameters are normally filled with the two built-in objects request and response, representing the request and response currently being passed along.

Since request forwarding is done on the server, and the server returns the results page as the response as a whole, the client is not aware of anything; the address bar shows the URI of the Servlet that handled the request.
This also plants a hidden danger: because it is one and the same request chain, if the user accidentally presses F5 (refresh) during the process, the entire forwarding process runs again. If the request is a purchase, this can be fatal (repeat purchases and duplicate payments, for example).

Redirect

Xiao Ming: Li Hua, please tell the physics teacher right away that the next physics class is changed to a sports class.
Li Hua: (absent-mindedly) I am the English class representative, you have got the wrong person. Newton is the physics class representative; go and tell him yourself.
Having been given the cold shoulder, an embarrassed Xiao Ming finds Newton.
Xiao Ming: Newton ......
Newton: Ah?? What happened??
Xiao Ming: ...... (Oh?? What was it I wanted to say? OO ......)

Redirection is a response (Response) from the server; HTTP reserves the 3xx status codes for redirect responses (301 Moved Permanently, 302 Found).
Redirection, as the name suggests, re-sets the direction of your request. For example, you type AAA.com into the address bar (purely fictitious; any resemblance would be an honor), but because of business restructuring AAA.com has migrated to bBB.com. In this case the service provider usually keeps the AAA.com domain and serves a redirect from it that sends you to bBB.com.

The redirect response is issued by the server, but the request after the redirect is still issued by the client.
Redirection is implemented through the sendRedirect(url) method of the built-in object response, since under HTTP a standard redirect response must contain the redirection target address [RFC 2616].

HTTP/1.1 301 Moved Permanently
Location: http://www.example.org/index.asp

And url is that target address required by the specification.

However, this url itself represents the client's second request. Usually the redirect carries only the URL of the target page, and when that URL is requested as a new access, the original login information is gone (because the new request does not contain it).
As a result, even if the login succeeds, index.jsp has no way to know who is logged in. All it can know is:

It seems some impressive guy has logged in. Who are you? Never mind, I'll just quietly play dead.

To sum up, redirection leads to request loss (Request Loss).

But surely there is a way to solve this problem?

Indeed, look at the GET request method above:

GET: explicit. The request parameters are appended to the URL (beginning with ?) and passed to the target server page over the TCP connection.

This means I can take the information from the POST request and re-insert it into the URL GET-style, so that the request the client resends after the redirect again contains the earlier information.

But!

As previously mentioned, because of the differences between GET and POST, this approach may bring some risks.

But then, when I look at X or X treasure, neither of the two situations above appears there.

In fact, for a login function, redirection is generally preferred (indeed, the Dean's CAS authentication jumps by redirect). After all, having gone through the whole login routine, finding that the address bar is still in the same place would seem very strange.
But as I said before, redirection risks information loss, because the redirect usually does not contain the login information.

This is where another built-in object comes into play: the session (Session).

A session is a server-side object, created on the server and dedicated to interacting with one specific user; it can be understood simply as a personal waiter.
Since redirection causes loss of information, create a session on the server before redirecting and record the login information in the session. After the redirect, the session content on the server side is naturally not lost, and when the user requests the page again the login information can be read directly from the session.
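
The two paths described on this page in one LoginServlet, as an added example that is not code from the original post: a failed login is forwarded to error.jsp, and a successful one records the user in the session and then redirects to index.jsp. The javax.servlet API 3.1 or later, the form field names username and password, the attribute names and the placeholder verify() check are assumptions of this example.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    // Hypothetical check with constructed values; a real application compares
    // against a salted password hash from its user store.
    private boolean verify(String user, String password) {
        return "admin".equals(user) && "constructed-demo-password".equals(password);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = request.getParameter("username");     // assumed field name
        String password = request.getParameter("password"); // assumed field name

        if (!verify(user, password)) {
            // Forward: error.jsp receives this same request object, so it can
            // read the attribute. The address bar still shows /login.
            request.setAttribute("loginError", "Invalid user name or password");
            request.getRequestDispatcher("/error.jsp").forward(request, response);
            return;
        }

        // Redirect: the browser's second request carries none of the POST
        // parameters, so record who logged in on the server-side session first.
        HttpSession session = request.getSession(true);
        request.changeSessionId(); // Servlet 3.1+: issue a fresh session ID at login
        session.setAttribute("user", user);

        // Location holds only a fixed, application-relative target; the login
        // information is not copied into the URL.
        response.sendRedirect(request.getContextPath() + "/index.jsp");
    }
}
```

index.jsp can then read the logged-in user with session.getAttribute("user"), and pressing F5 there repeats only the GET for index.jsp, not the login POST.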


Origin www.cnblogs.com/oberon-zjt0806/p/11006294.html