I didn't pay much attention to it when I was studying before, but today I went back and carefully studied the life cycle of the session.
Sessions are stored on the server side, and generally in order to prevent them from being in the server's memory (for high-speed access), Sessinon creates the first time the user accesses the server.Note that only accessing JSP, Servlet, and other programs will create a Session, and only accessing static resources such as HTML and IMAGE will not create a Session.
When does a session expire?
1. The server will clear the session from the server memory that has been inactive for a long time, and the session will be invalid. The default expiration time of a session in Tomcat is 20 minutes.
2. Call the invalidate method of the Session.
Session requirements for browsers:
Although the session is stored on the server and is transparent to the client, its normal operation still requires the support of the client's browser. This is because Session needs to use cookies as an identifier. The HTTP protocol is stateless, and the session cannot be judged by the HTTP connection to determine whether it is the same customer, so the server sends a cookie called JSESSIONID to the client browser, which has the value of the id of the session (that is, the return value of HttpSession.getId()). Session uses the cookie to identify whether it is the same user.
This cookie is automatically generated by the server, and its maxAge attribute is usually -1, which means that it is only valid in the current browser, and is not shared between browser windows, and will not be valid when the browser is closed. Therefore, when two browser windows on the same machine access the server, two different sessions are generated. Except for new windows opened by links, scripts, etc. within the browser window (i.e. not windows opened by double-clicking on desktop browser icons, etc.). These child windows share the parent window's cookie and therefore a session.
Note: New Sessions are generated in newly opened browser windows, except for sub-windows. The child window shares the session of the parent window. For example, when you right-click on a link and select "Open in new window" in the shortcut menu that pops up, the child window can access the parent window's Session.
What if the client browser disables cookies or does not support cookies? For example, the vast majority of mobile browsers do not support cookies. Java Web offers another solution: URL address rewriting.
URL address rewriting is a solution for clients that do not support cookies. The principle of URL address rewriting is to rewrite the id information of the user's session to the URL address. The server can parse the rewritten URL to get the Session id. This way, even if the client does not support cookies, the session can be used to record the user state. The HttpServletResponse class provides encodeURL (String url) to implement URL address rewriting, which automatically determines whether the client supports cookies. If the client supports cookies, the URL will be output as it is. If the client does not support cookies, the id of the user session is rewritten into the URL.
Note: TOMCAT determines whether a client browser supports cookies based on whether a cookie is included in the request. Although the client may support cookies, since no cookies are carried on the first request (because there are no cookies that can), the rewritten URL address will still have jsessionid in the address. The server has already written a cookie in the browser on the second visit, so the rewritten URL address will not have jsessionid in the address.
|
Posted on 4/19/2015 7:44:59 PM
|
|
|
Posted on 3/18/2017 4:52:21 PM