How HTTP sessions work.

 

When the program needs to create a session for a client's request, the server first checks whether the request already contains a session identifier (called a session id).

If it does, a session has already been created for this client, and the server uses the session id to look up that session and use it (if the lookup finds nothing, it creates a new one).

If the client request does not contain a session id, the server creates a session for this client and generates a session id associated with that session.

The session id value should be a string that is never duplicated and has no easily discovered pattern that would let it be forged. The session id is returned to the client in this response, and the client stores it.

The session id can be stored in a cookie, so that during the interaction the browser automatically sends this identifier back to the server according to the cookie rules. The cookie name is generally something like SESSIONID.

But cookies can be disabled by the user, so there must be other mechanisms that can still pass the session id back to the server when cookies are disabled.

1. One frequently used technique is called URL rewriting: the session id is appended directly to the URL path. http://xxx.?JSESSIONID=fjsdklafjdsfsldkafjlsf&type=1
2. Another technique is called hidden form fields. The server automatically modifies the form, adding a hidden field so that the session id is passed back to the server when the form is submitted. For example:
<form name="TestForm" action="/XXX">
<input type="hidden" name="JSESSIONID" value="ByOK3vjFD75aPnrF7C2HmdnV6QZcEbzWoWiBYEnLerjQ99zWpBng-145788764!" />
<input type="text">
</form>
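
The lookup-or-create flow described above, with all three transport mechanisms, as an added example that is not part of the original post. The in-memory store and the function names are assumptions made for illustration; the cookie and field name JSESSIONID is taken from the examples above.

```python
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, parse_qs

COOKIE_NAME = "JSESSIONID"   # name used in the page's examples
SESSIONS = {}                # session id -> per-client state (in-memory, illustration only)


def extract_session_id(cookie_header, url, form_fields):
    """Return the session id the client presented, or None.

    Checked in order: cookie, rewritten URL, hidden form field.
    """
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    if COOKIE_NAME in cookie:
        return cookie[COOKIE_NAME].value
    query = parse_qs(urlsplit(url).query)
    if COOKIE_NAME in query:
        return query[COOKIE_NAME][0]
    return form_fields.get(COOKIE_NAME)


def get_or_create_session(cookie_header="", url="/", form_fields=None):
    """Return (session_id, session, is_new) following the flow in the text."""
    presented = extract_session_id(cookie_header, url, form_fields or {})
    if presented is not None and presented in SESSIONS:
        return presented, SESSIONS[presented], False
    # No id, or an id this server never issued: mint a fresh one instead of
    # adopting the client's value, so ids stay unique and unpredictable.
    new_id = secrets.token_urlsafe(32)   # 32 random bytes from the OS CSPRNG
    SESSIONS[new_id] = {}
    return new_id, SESSIONS[new_id], True


def set_cookie_header(session_id):
    """Build the Set-Cookie value that returns the id to the client."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = session_id
    cookie[COOKIE_NAME]["path"] = "/"
    cookie[COOKIE_NAME]["httponly"] = True   # keep the id out of page scripts
    return cookie[COOKIE_NAME].OutputString()
```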


Origin www.cnblogs.com/lsfv/p/12440898.html