Servlet Session

In the seven-layer network model, the session layer sits above the transport layer and defines how a session is started, controlled and ended. The seven-layer model remains largely theoretical, but the Web borrowed some of its ideas. On the Web, everything from the browser's first request to the server until one side disconnects counts as one session. HTTP itself is stateless, so how does a Web service know whether a request belongs to a given session? The Web provides two technologies for this: Cookie and Session.

After the server receives the first request, it sets a Cookie value through the Set-Cookie header of the HTTP response; the browser receives the response and saves the Cookie locally. Subsequent requests carry that value in the Cookie header of the HTTP request, and the server identifies the state of the request from this Cookie.

A Cookie value is itself a key-value pair, e.g. Cookie: name=value;

Using Cookies in a Servlet

In a Servlet, Cookies are used in the following steps:

  1. Create a Cookie object: new Cookie(String name, String value)
  2. Send the cookie to the browser: response.addCookie(Cookie)
  3. Get the cookies sent by the browser: request.getCookies() returns all Cookies
  4. Iterate over the returned Cookies to get each cookie object
  5. Call Cookie.getName() and Cookie.getValue() to get the key and value of the Cookie

Notes are as follows:

  1. Multiple Cookies can be returned in one response by calling response.addCookie multiple times
  2. By default a cookie expires when the browser is closed, but you can set a cookie expiration time

Although a Cookie can be used to identify a session, it should not be abused. First, a Cookie is stored in the browser and can be forged; this is how crawlers that log in automatically are generally built. Second, browsers limit the size of a single cookie, generally to 4kb. Browsers also limit the number of cookies for a single domain name; the default is 20. A cookie is, as the name suggests, a small biscuit, and in general a small snack should not be served as the main course.

Session

A Cookie generally plays the role of the small snack, serving as the session identifier; using Session is more common.

Compared with a Cookie, a Session is stored on the server side and does not have those Cookie restrictions.

The principle

Session is implemented on top of Cookie.

  1. The first time request.getSession is called to get the Session and there is no Cookie, a new Cookie object is created in memory; its name is JSESSION and its value is a unique ID that uniquely identifies the session
  2. The response to the client then includes the cookie value: Set-Cookie: JSESSION = ID
  3. The next time the browser visits other resources of the site, it sends this value to the server in the Cookie request header.
  4. The server takes the ID from the cookie value and uses it to find the corresponding Session object in memory

Use HttpSession session = request.getSession(); to get a Session object

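Function List

The commonly used methods of the Session object are as follows:

public Object getAttribute(String name); // Returns the object bound with the specified name in this session, or null if no object is bound under that name.
public Enumeration getAttributeNames(); // Returns an enumeration of String objects containing the names of all objects bound to this session.
public long getCreationTime(); // Returns the time this session was created, in milliseconds since midnight, January 1, 1970 GMT.
public String getId(); // Returns a string containing the unique identifier assigned to this session.
public long getLastAccessedTime(); // Returns the last time the client sent a request associated with this session, in milliseconds since midnight, January 1, 1970 GMT.
public int getMaxInactiveInterval(); // Returns the maximum time interval, in seconds, that the servlet container keeps this session open between client accesses.
public void invalidate(); // Invalidates this session and unbinds any objects bound to it.
public boolean isNew(); // Returns true if the client does not yet know about this session, or if the client chooses not to join it.
public void removeAttribute(String name); // Removes the object bound with the specified name from this session.
public void setAttribute(String name, Object value); // Binds an object to this session using the specified name.
public void setMaxInactiveInterval(int interval); // Specifies the time, in seconds, between client requests before the servlet container invalidates this session.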
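
The Cookie steps and the Session methods above, combined in one servlet as an added example (not code from the original post): identity is kept in the server-side Session, while the forgeable Cookie carries only a preference that is validated on every read. It assumes the javax.servlet API; the class name, the "user" and "theme" keys and the timeouts are hypothetical.

```java
import java.io.IOException;
import javax.servlet.http.*;

// Added example, javax.servlet API assumed; class name, keys and timeouts are hypothetical.
public class SessionDemoServlet extends HttpServlet {
    @Override  // login; credential checking is assumed to have passed before this point
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession old = request.getSession(false);   // existing session, or null
        if (old != null) {
            old.invalidate();   // drop the pre-login ID so it cannot be reused (session fixation)
        }
        HttpSession session = request.getSession();    // new Session object and new ID
        session.setAttribute("user", request.getParameter("user"));  // state stays on the server
        session.setMaxInactiveInterval(15 * 60);       // expire after 15 idle minutes

        Cookie theme = new Cookie("theme", "dark");    // non-sensitive preference only
        theme.setMaxAge(7 * 24 * 60 * 60);             // persist 7 days past browser close
        theme.setHttpOnly(true);                       // hidden from page scripts
        theme.setSecure(true);                         // sent over HTTPS only
        response.addCookie(theme);
        response.setContentType("text/plain");
        response.getWriter().println("logged in");
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute("user");
        if (user == null) {                            // identity comes from the Session only
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String theme = "light";
        Cookie[] cookies = request.getCookies();       // null when no cookies were sent
        if (cookies != null) {
            for (Cookie c : cookies) {
                // Cookie values are client-controlled: accept only known values.
                if ("theme".equals(c.getName()) && c.getValue().matches("light|dark")) {
                    theme = c.getValue();
                }
            }
        }
        response.setContentType("text/plain");
        response.getWriter().println("user=" + user + " theme=" + theme);
    }
}
```

Because the theme cookie is marked Secure, the browser returns it only over HTTPS; over plain HTTP the servlet falls back to the default theme.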

Origin www.cnblogs.com/lanuage/p/11785974.html