Spring Cloud microservice security in practice - 3-12 Session fixation attack protection




The logic inside the getSession method is this: using the JSESSIONID carried in the cookie that was sent along, it looks for a matching session on your server. If it finds an existing session, getSession returns that existing session; if it does not find one, it creates a new session and returns that. This is the logic inside getSession.

Because of this getSession logic, there is a kind of attack called a session fixation attack.


To prevent session fixation attacks, getSession is first called with false: if no session is found it returns null and does not go on to create a session.

If the session is not null, invalidate that session.

Next, getSession is called with true. The previous session has already been invalidated above, so at this call there is no session available, and it goes on to create a new session and return it. That way, after every successful login, the information in your session lives in a session that is not your previous one.
So if you write the code this way, you can avoid session fixation attacks.
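As an added example (not code from the original post), the three steps described above written out as a servlet helper, followed by the Spring Security configuration that switches on the built-in equivalent. SessionFixationGuard and SecurityConfig are hypothetical names; the javax.servlet API (Spring Boot 2 era) is assumed.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

/** Hypothetical helper: call it right after a successful authentication. */
final class SessionFixationGuard {

    /** Invalidate the pre-login session and issue a new id, carrying the attributes over. */
    static HttpSession rotateSession(HttpServletRequest request) {
        // Step 1: getSession(false) returns the existing session or null; it never creates one.
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<>();
        if (old != null) {
            // Keep what the login flow stored so the user is not logged out by the rotation.
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            // Step 2: invalidate it, so an id planted before login no longer resolves to a session.
            old.invalidate();
        }
        // Step 3: getSession(true) now finds nothing and creates a session with a fresh id;
        // the container sends the new JSESSIONID cookie in the response.
        HttpSession fresh = request.getSession(true);
        carried.forEach(fresh::setAttribute);
        return fresh;
    }
}

/** Hypothetical configuration: Spring Security's built-in equivalent of the steps above. */
@Configuration
class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.sessionManagement(session -> session
                // migrateSession: invalidate the old session, create a new one, copy attributes.
                // changeSessionId() instead keeps the session object and only swaps the id (Servlet 3.1+).
                .sessionFixation().migrateSession());
        return http.build();
    }
}
```

Spring Security applies this strategy automatically on authentication, so the helper is only there to make the three steps visible; in a real application configure the strategy rather than rotating sessions by hand.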

Looking at the parameters inside the returned cookie

The JSESSIONID is what binds the cookie to the session on the server.


The path attribute: the domain here plus the path together make up the path attribute. It decides for which paths, when you visit them, my cookie gets carried along and sent.
Domains are hierarchical (first-level domain, second-level domain, and so on). If what is written in the domain field is the top-level domain, then the cookie is also sent when you visit a second-level domain.
If in the domain field you explicitly write www.imooc.com, then only visits to www will carry this cookie; if you go to img.imooc.com, this cookie is not sent.
If the path is written as /a, then only visits to paths containing /a will carry the cookie.

Secure means that this cookie I have stored can only be sent when I make the request over an https connection. If it is not https, the cookie is not sent. This, too, is there to guarantee security.


httpOnly means this cookie cannot be read by JavaScript; it can only be sent by the browser itself. You cannot read this cookie by writing a piece of JS. This, too, is there to prevent cross-site scripting attacks.


Expiry is how long the cookie is valid. The default is until the browser session ends. If you set the validity period to -1, the cookie becomes invalid immediately.

End


Source: www.cnblogs.com/wangjunwei/p/11933116.html