在不使用Cookie API的情况下获取sessionId而不访问会话 [英] Getting sessionId without accessing the session using cookies API

问题描述

我需要获取当前会话ID，而无需点击会话(以便有机会过期).

I need to get current session Id without hitting the session (to give it a chance to expire).

我使用Servlet代码中的Cookies来保持会话不变，然后使会话在其超时时间后过期.

I've used Cookies from Servlet code in order keep the session not-touched and then make the session expires after its timeout time.

我正在使用以下代码:

public static String getSessionId(HttpServletRequest request)
{
    String sessionId = "";
    String logMsg = "";
    if (request != null)
    {
        String sessionTimeout = PropertiesReader.SESSION_TIMEOUT_SCHEMA;
        if (sessionTimeout != null && SessionHelper.SESSION_TIMEOUT_FIXED.equalsIgnoreCase(sessionTimeout))
        {
            logMsg = "FIXED: Getting SessionId from Cookies with activating the session";
            Cookie[] cookies = request.getCookies();
            if (cookies != null)
            {
                for (Cookie cook : cookies)
                {
                    if ("JSESSIONID".equalsIgnoreCase(cook.getName()))
                    {
                        sessionId = cook.getValue();
                        break;
                    }
                }
            }
        } else
        {
            logMsg = "PER_USAGE: Getting SessionId from Session";
            sessionId = request.getSession(false) != null ? request.getSession(false).getId() : "";
        }
    }else
    {
        logMsg = "Request object is null";
    }

    logger.info(logMsg + ", sessionId=" + sessionId);

    return sessionId;
}

一台OC4J应用服务器，它可以正常工作.尽管在另一台oc4j服务器上，访问cookie的代码使会话保持活动状态并且不会超时！

One one OC4J app server, it works fine. although on another oc4j server, the code of accessing cookies makes the session keep active and don't timeout!

编辑:

我真的很困惑！我试图放置一个过滤器以删除JSESSIONID cookie并从HttpServletRequest中删除所有cookie，但是当我对传递给servlet的请求调用getSession(false)时，我得到了一个有效的Session！

I really stucked!, I've trying to place afilter to remove the JSESSIONID cookie and remove all cookies from the HttpServletRequest, but when I call getSession(false) on the request passed to the servlet, I got a valid Session!

class CookieRemovalHttpServletRequestWrapper extends HttpServletRequestWrapper
    {
        public static final String COOKIE_HEADER = "cookie";
        public static final String JSESSIONID = "JSESSIONID";

        public CookieRemovalHttpServletRequestWrapper(HttpServletRequest request)
        {
            super(request);
        }

        @Override
        public String getHeader(String name)
        {
            if (COOKIE_HEADER.equalsIgnoreCase(name))
            {
                return "";
            }
            return super.getHeader(name);
        }

        @Override
        public Enumeration getHeaderNames()
        {
            Enumeration e = super.getHeaderNames();
            List l = new ArrayList();
            while (e.hasMoreElements())
            {
                String headerName = (String) e.nextElement();
                if (!COOKIE_HEADER.equalsIgnoreCase(headerName))
                {
                    l.add(headerName);
                }
            }

            return Collections.enumeration(l);
        }

        @Override
        public Enumeration getHeaders(String name)
        {
            if (COOKIE_HEADER.equalsIgnoreCase(name))
            {
                return new Enumeration()
                {
                    public boolean hasMoreElements()
                    {
                        return false;
                    }

                    public Object nextElement()
                    {
                        return null;
                    }
                };
            }
            return super.getHeaders(name);
        }

        @Override
        public Cookie[] getCookies()
        {
            Cookie[] cs = super.getCookies();
            List<Cookie> cokRet = new ArrayList<Cookie>(cs.length);
            for (Cookie c : cs)
            {
                if (c.getName().equalsIgnoreCase(JSESSIONID)) continue;
                cokRet.add(c);
            }

            return cokRet.toArray(new Cookie[] {});
        }

    }

并且真的想忘了所有关于Session的知识，而只是将session ID用作用户的唯一标识符，然后自己用困难的方式做到这一点.

And really think to forget all about Session and just use the session Id as just a unique identifier to the user, and do it myself the hard way.

推荐答案

对于您的代码，请不要困难，请使用

As to your code, don't do it the hard way, use HttpServletRequest#getRequestedSessionId() and HttpServletRequest#isRequestedSessionIdValid() instead to check the requested session ID and if it is valid.

if (request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid()) {
    // The session has been expired (or a hacker supplied a fake cookie).
}

关于您的具体问题:

访问cookie的代码使会话保持活动状态并且不会超时！

不，代码不这样做.是HTTP请求本身完成的.确实，每当您不调用 getSession()之类的东西时，会话超时都不会被延迟.无论客户端是否需要代码中的会话，该请求都会在客户端触发的每个HTTP请求中被推迟.

No, the code doesn't do that. It's the HTTP request itself which does that. It is not true that whenever you don't call getSession() or something, the session timeout won't be postponed. It will be postponed on every single HTTP request fired by the client, regardless of whether you need the session in the code.

要了解会话的工作方式，您可能会发现此答案很有帮助:

To learn about how sessions work, you may find this answer helpful: How do servlets work? Instantiation, sessions, shared variables and multithreading

这篇关于在不使用Cookie API的情况下获取sessionId而不访问会话的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！