Cookie, Session, sessionStorage and localStorage

Excerpted, organized and checked.

In general a session, together with a browser cookie, is used to track the user's identity.


How the session id is stored

  1. Using a cookie: the session id can be stored in a cookie, so that during the interaction the browser automatically sends the JSESSIONID to the server.

  If the client request does not contain a JSESSIONID cookie, the server generates one when request.getSession() is called and passes it to the client: the response header then contains a Set-Cookie entry. If the client request does contain a JSESSIONID cookie, the server uses that JSESSIONID to look up the session object when request.getSession() is called; if the object is found it is returned, otherwise a new JSESSIONID is generated and delivered in the same way. Whether the browser loads a URL directly or makes an Ajax request, a JSESSIONID cookie is generated for the client.

  2. URL rewriting: since cookies can be disabled, there must be another mechanism that still gets the session id back to the server when cookies are unavailable. A commonly used technique is called URL rewriting: the session id is appended to the URL. There are two ways to append it, one as extra path information, the other as a query string appended to the URL. To keep the state across the whole interaction, every URL the client might request must carry the session id.

  jsessionid is passed differently from an ordinary URL parameter: it is not appended after a "?" but is attached to the end of the URL after a ";". This way the session can still be used through the jsessionid when the user has disabled cookies, but the jsessionid has to be appended to the URL every single time. That is very troublesome, so Sun provides two methods that make it simple: response.encodeURL() and response.encodeRedirectURL(). Both determine whether cookies are available; if cookies are disabled they append the jsessionid to the end of the specified URL, and if no jsessionid exists yet one is generated automatically.

  The difference between the two methods is a slightly different logic for deciding whether to include the jsessionid. encodeRedirectURL() should be called before response.sendRedirect(), otherwise session information may be lost. They are used like this: response.sendRedirect(response.encodeRedirectURL("/xx/xx.jsp")); . If cookies are not disabled, the address shown in the browser address bar is /xx/xx.jsp; if cookies are disabled, it is /xx/xx.jsp;jsessionid=L7bZL7bZL7bZL7bZL7bZ. So, used with care, these two methods should be applied to every URL the program jumps to, which keeps the session available.
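The ";jsessionid=" format described above, as an added example that is not from the original post: a small JavaScript model of how the path parameter is parsed and how the encodeURL() decision works. The servlet container does this for real; the functions here only illustrate the format, and assume the path parameter is always named "jsessionid".

```javascript
// Added example (not from the original post): a small model of the
// ";jsessionid=" URL-rewriting format. The servlet container's own
// response.encodeURL() does this for real; the functions here only
// illustrate the format. Assumption: the path parameter is named "jsessionid".
const SESSION_PARAM = "jsessionid";

// Split a rewritten URL into path, session id and query string.
// "/xx/xx.jsp;jsessionid=ABC?a=1" -> { path: "/xx/xx.jsp", sessionId: "ABC", query: "?a=1" }
function parseRewrittenUrl(url) {
  const q = url.indexOf("?");
  const beforeQuery = q === -1 ? url : url.slice(0, q);
  const query = q === -1 ? "" : url.slice(q);
  const semi = beforeQuery.indexOf(";");
  if (semi === -1) return { path: beforeQuery, sessionId: null, query };
  let sessionId = null;
  // Path parameters are ";name=value" pairs after the path; pick out jsessionid.
  for (const param of beforeQuery.slice(semi + 1).split(";")) {
    const eq = param.indexOf("=");
    if (eq !== -1 && param.slice(0, eq).toLowerCase() === SESSION_PARAM) {
      sessionId = param.slice(eq + 1);
    }
  }
  return { path: beforeQuery.slice(0, semi), sessionId, query };
}

// Mirror of the encodeURL() decision: if the client sent the id in a cookie,
// the URL is returned unchanged; otherwise ";jsessionid=<id>" is put on the
// path, before any "?" query string (never as a "?" parameter).
function encodeUrl(url, sessionId, sessionFromCookie) {
  if (sessionFromCookie) return url;
  const { path, query } = parseRewrittenUrl(url); // drop any id already present
  return `${path};${SESSION_PARAM}=${sessionId}${query}`;
}
```

Because the id travels in the URL in this mode, it also appears in browser history, proxy and access logs and Referer headers, which is why the cookie transport is preferred whenever the browser allows it.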


Session creation and deletion

  Session creation

  1) For a JSP: if the current page is the first resource of the web application that the browser accesses, and the session attribute of the JSP page directive is true

  2) For a Servlet: if the servlet is the first resource of the web application that the browser accesses, the session is created by calling request.getSession() or request.getSession(true)

  Session deletion

  1) the session.invalidate() method is called

  2) the web application is undeployed

  3) the expiration time of the HttpSession is exceeded


Session timeout management

  The web server cannot tell whether the current client browser will continue to visit, nor can it detect whether the browser has been closed; so even after the user has left or closed the browser, the web server still keeps the corresponding HttpSession object.

  As new clients keep arriving over time, the web server's memory accumulates large numbers of HttpSession objects that are no longer used, which eventually exhausts the server's memory.

  The web server uses a "timeout limit" to decide whether a client is still active: if a client issues no further request within a certain period, the web server considers that the client has stopped its activity, ends the session with that client, and the corresponding HttpSession object becomes garbage.

  If the client browser makes a request again after the timeout, the web server treats it as the start of a new session, creates a new HttpSession object and assigns a new session identifier.

  The session timeout interval (in minutes) can be set in the web.xml file of the Tomcat server or of the web application; its default value is defined by the servlet container.

<session-config>
    <session-timeout>30</session-timeout>
</session-config>


Session drawbacks

  • Session and cookie are of the same kind: if the user sets the browser to refuse all cookies, that user cannot use session variables and cannot store information in cookies either
  • In a distributed deployment, sharing the session needs special handling


Cookie overview

  Cookie translates as "small text file" or "small sweet"; web applications use cookies to cache server-side data on the client. Cookies are stored as key-value pairs on the client's hard disk; they are sent by the server to the client, and when the client next visits, the server can read the client's cookie cache.

  A cookie can be created by the server and then sent to the client, which stores it as key-value pairs. When the client accesses the server again, the stored cookie is carried in the request, and the server can read the contents stored last time.

  Cookies can be generated by both the browser and the server, and are carried in the HTTP request header.


Cookie drawbacks

  • Several people sharing one computer (user names and passwords become unsafe)
  • When cookies are deleted, some information may go wrong
  • Cookies are attached to every HTTP request, which increases traffic
  • Cookies are transmitted in plain text, so their security is low
  • Their size is limited
  • Cookies can be disabled by the user; once disabled, every part of the system that relies on cookies stops working


sessionStorage and localStorage

  Two important parts of HTML5 relate to local storage: Web Storage and the local database. The Web Storage mechanism is an improvement on the cookie storage mechanism of HTML4. Because cookie storage has many drawbacks, HTML5 no longer relies on it and uses the improved Web Storage mechanism instead. The local database is a new HTML5 feature: with it a database can be created locally on the client, so content that originally had to be kept in the server-side database can now be kept directly on the client, which greatly reduces the load on the server and also speeds up data access.

  As we know, in HTML4 cookies can be used to keep simple user information such as the user name on the client, but after long use you will find that storing permanent data in cookies has some problems:

  Size (a cookie is limited to 4KB), bandwidth (cookies are sent with every HTTP transaction, so part of the bandwidth is wasted), complexity (manipulating cookies correctly is difficult)

  To address these problems, HTML5 provides a new way of keeping data locally on the client: Web Storage


  Specifically, Web Storage comes in two kinds:

  1. sessionStorage: keeps the data in the session object.

  2. localStorage: keeps the data on the client's local hardware; even if the browser is closed the data still exists, and it can be used again the next time the browser opens the site.

  The difference between them is that sessionStorage is temporary storage, while localStorage is permanent storage.


  The purpose of Web Storage is to overcome some of the limitations imposed by cookies: when data needs to be kept strictly on the client, there is no need to keep sending it back to the server.

  Web Storage has two main goals: 1) provide a way to store session data outside cookies; 2) provide a mechanism for storing large amounts of data that persists across sessions


  HTML5 Web Storage provides two APIs: localStorage and sessionStorage

  1. Lifetime: localStorage is permanent; the data does not disappear when the page or the browser is closed, unless it is deleted explicitly. sessionStorage is valid only for the current session. sessionStorage introduces the concept of a browser window: its data persists within a same-origin window. As long as that browser window is not closed, the data remains even if the page is refreshed or another same-origin page is entered. But sessionStorage is destroyed once the browser window is closed. Also, opening the same page independently in another window gives a different sessionStorage (because it no longer counts as the same origin)

  2. Storage size: localStorage and sessionStorage generally allow 5MB of data each

  3. Storage location: localStorage and sessionStorage are both kept on the client and do not communicate with the server

  4. Content type: localStorage and sessionStorage can only store strings; complex objects can be handled with the JSON object provided by ECMAScript

  5. Access: window.localStorage and window.sessionStorage

  6. Use cases: localStorage is commonly used for long-term login (and to check whether the user is already logged in), and suits data that is kept locally for a long time. Methods:

  setItem(key, value) —— saves data, storing the information as a key-value pair

  getItem(key) —— reads data: pass in the key and the corresponding value is returned

  removeItem(key) —— deletes a single entry

  clear() —— deletes all entries

  key(index) —— returns the key at a given index
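The string-only limitation of point 4 and the lifetime difference of point 1, as an added example that is not from the original post: a JSON layer over the five Web Storage methods that also gives localStorage entries an expiry. In a browser you would pass window.localStorage or window.sessionStorage; the MemoryStorage class is a constructed stand-in with the same methods so the example runs under Node as well.

```javascript
// Added example (not from the original post). In a browser you would pass
// window.localStorage or window.sessionStorage; MemoryStorage is a constructed
// stand-in with the same methods so the example also runs under Node.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  // Web Storage coerces every key and value to a string, as the real API does.
  setItem(key, value) { this.map.set(String(key), String(value)); }
  getItem(key) { return this.map.has(String(key)) ? this.map.get(String(key)) : null; }
  removeItem(key) { this.map.delete(String(key)); }
  clear() { this.map.clear(); }
  key(index) { return index < this.map.size ? [...this.map.keys()][index] : null; }
  get length() { return this.map.size; }
}

// JSON layer over the string-only store. Each entry is wrapped as
// { v: value, exp: expiryMillis | null } so that localStorage, which never
// expires data by itself, can still hold items with a lifetime (assumption:
// the caller wants stale entries such as an old login flag dropped on read).
function setJson(storage, key, value, ttlMs = null, now = Date.now()) {
  const record = { v: value, exp: ttlMs === null ? null : now + ttlMs };
  storage.setItem(key, JSON.stringify(record));
}

function getJson(storage, key, now = Date.now()) {
  const raw = storage.getItem(key);
  if (raw === null) return null;
  let record;
  try { record = JSON.parse(raw); } catch { record = null; }
  if (!record || typeof record !== "object" || !("v" in record)) {
    storage.removeItem(key); // not written by setJson: treat as corrupt
    return null;
  }
  if (record.exp !== null && record.exp <= now) {
    storage.removeItem(key); // expired: remove and report as absent
    return null;
  }
  return record.v;
}

// Shows the pitfall the JSON layer avoids: raw setItem stringifies objects.
function rawObjectPitfall(storage) {
  storage.setItem("profile", { name: "demo" });
  return storage.getItem("profile"); // "[object Object]"
}
```

Anything in localStorage or sessionStorage is readable by any script running on the same origin, so the wrapper limits how long data lives but does not protect it from being read.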


Origin www.cnblogs.com/lili-xia/p/11590368.html