你有多久保持会话cookie？ [英] How long do you keep session cookies around for?

问题描述

我正在实施一个使用会话的网络应用程序。我使用GWT和应用程序引擎作为我的客户端/服务器，但我认为他们做的事情与我在PHP和Apache等方面的做法完全不同。

<当用户登录到我的Web应用程序时，我正在使用HttpSession为他们启动会话。我得到这样的会话ID：

  //从我的登录servlet：
 getThreadLocalRequest（）。getSession（false ）.getId（）; 
  

我将sessionId返回给客户端，并将它们存储在cookie中。我使用的教程将这个cookie设置为在两周内过期：

  Cookie.write（sid，theSessionId ，1000 * 60 * 60 * 24 * 14）; //两周
  

这里我很困惑：如果cookie在两周内过期，那么我的用户会愉快地使用Web应用程序，只有一天浏览我的网站并显示登录屏幕。我有什么选择？我可以只设置此cookie的到期时间吗？那么用户必须明确注销，否则他们可以永久使用该应用程序而不必重新登录？

或者有更好的方法可以做到这一点？我不记得像Twitter这样的网站曾要求我重新登录。我似乎永久登录，他们只是没有到期？

该webapp不保护任何类型的高度敏感的数据，所以我不介意离开一个不会过期的cookie，但它似乎必须有一个更好的方法？

这是我引用的教程：

http://code.google .com / p / google-web-toolkit-incubator / wiki / LoginSecurityFAQ

谢谢

解决方案

HttpSession 在幕后已经由cookie支持。检查名为 jsessionid 的浏览器cookie列表。此外，当获得一个实例时，您应该在不带 false 的情况下调用 getSession（），否则您可能会冒< c $ c> NullPointerException ，因为它还没有被创建，因此会返回 null 。

当您进行登录时，您通常会在会话中登录 User 。

  User user = userDAO.find（username，password）; 
 if（user！= null）{
 session.setAttribute（user，user）; 
} else {
 //处理错误未知的用户名/密码组合。 
} 
  

您可以让您的web应用程序拦截登录的用户只需检查它在会话中的存在。例如，在过滤器中，您可以使用它来阻止受保护的页面。

  if（session.getAttribute（user）== null）{
 response.sendRedirect（login）; 
} else {
 chain.doFilter（request，response）; 
 
  

HttpSession has在大多数webcontainers默认超时30分钟。换句话说，它将在最后一次请求后30分钟到期。这可以在 web.xml 中进行配置，如下所示：

 < session -config> 
< session-timeout> 10< / session-timeout> 
< / session-config> 
  

超时时间以分钟为单位（因此在上例中为10分钟）。

如果您想提供（自动）在此计算机上记住我选项，则必须使用另一个另一个 / em>标识符。我之前发布了一个详细解答的答案： Java - 如何让用户登录我的网站几个月？

I'm implementing a web app, which uses sessions. I'm using GWT and app engine as my client/server, but I don't think they're doing anything really different than I would do with PHP and apache etc.

When a user logs into my web app, I am using HttpSession to start a session for them. I get the session id like this:

// From my login servlet:
getThreadLocalRequest().getSession(false).getId();

I return the sessionId back to the client, and they store it in a cookie. The tutorial I'm using sets this cookie to 'expire' in two weeks:

Cookie.write("sid", theSessionId, 1000 * 60 * 60 * 24 * 14); // two weeks

Here's where I'm confused: if the cookie expires in two weeks, then my user will go along using the webapp happily, only to one day browse to my site and be shown a login screen. What are my options? Can I just set no expiration time for this cookie? That way the user would have to explicitly log out, otherwise they could just use the app forever without having to log back in?

Or is there a better way to do this? I can't remember sites like Twitter having ever asked me to log back in again. I seem to be permanently logged in. Do they just set no expiration?

The webapp isn't protecting any sort of highly sensitive data, so I don't mind leaving a cookie that doesn't expire, but it seems like there must be a better way?

This is the tutorial I'm referencing:

http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ

Thanks

解决方案

The HttpSession is behind the scenes already backed by a cookie. Check the browser cookie list for the one with the name jsessionid. Further, when obtaining an instance, you should call getSession() without the false, else you may risk a NullPointerException when it isn't created yet and thus will return null.

When you do a login, you usually put the logged in User in the session.

User user = userDAO.find(username, password);
if (user != null) {
    session.setAttribute("user", user);
} else {
    // Handle error "Unknown username/password combo."
}

You can let your webapplication intercept on the logged in User by just checking its presence in the session. For example in a Filter which you'd like to use to block secured pages.

if (session.getAttribute("user") == null) {
    response.sendRedirect("login"); 
} else {
    chain.doFilter(request, response);
}

The HttpSession has in most webcontainers a default timeout of 30 minutes. In other words, it will expire 30 minutes after the last request. This is configureable in web.xml as follows:

<session-config>
    <session-timeout>10</session-timeout>
</session-config>

Where the timeout is in minutes (thus 10 minutes in the above example).

If you'd like to provide a (automatic) "Remember me on this computer" option, then you have to create another cookie with another identifier. I've posted previously an answer which goes in detail about that: Java - How do I keep a user logged into my site for months?

这篇关于你有多久保持会话cookie？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！