Session handling on Java EE application


Question


I’m developing a system to process financial transactions received by client merchants systems & it is a replacement of existing system which we have purchased from a vendor. Client interface should invoke the user authentication & transaction processing screens from our system.

System functionality is as follows:

  1. Receive input parameters from the merchant’s site
  2. Validate it
  3. Authenticate users (users are registered with our system & we should invoke our login screen)
  4. Process transaction
  5. Return status response to merchant

Once the response is received, the client should validate the transaction data from the values residing in the session.


System overview can be depicted as follows,

[Image: system overview diagram]

My problem is that the client could not retain the session once we respond to the client. But the same functionality could be achieved by the system that we have purchased from the vendor (we don’t have the source code of this to analyse the internal coding structure). I hope something is wrong with the way that we are responding to the client.

How can I overcome this issue?

We are using Java 1.4.2, Websphere application server

Recommended answer


There are many things which can make a session disappear. I'd suggest to track them and verify if anything went right. This is easier to do if you understand how sessions work.


  • Session has been timed out. This usually defaults to 30 minutes. This is configurable by <session-timeout> in web.xml where you can specify the timeout in minutes. You can implement a HttpSessionListener to track session creation and destroy using a logger.

  • Session has forcibly been invalidated. This happens when the code calls HttpSession#invalidate(). This is trackable with a HttpSessionListener as well.

  • Session cookie has disappeared. Sessions are backed by cookies. If a session has been created, the server will add a Set-Cookie header with the session ID. The client should send the same cookie back as a Cookie header in all subsequent requests on the (context) path as specified in the Set-Cookie header. This is trackable in the HTTP traffic monitor ("Network" tab) of the browser's built-in web developer toolset (press F12 in Chrome/Firefox23+/IE9+). Cookies are accessible for all webapps on the same cookie domain. Also, if ServletC2 runs on a different webapp context than ServletC1, then it won't use the same session. Further, if the "server" web application runs on the same domain, then it's in theory able to wipe out all cookies of the "client" web application.

  • The client doesn't support cookies. A well designed web application uses URL rewriting with jsessionid to track cookieless clients between requests on the same web application. But the second web application has to do the same when redirecting back to the first web application.
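An added example, not part of the original answer: a Java 1.4-compatible HttpSessionListener that logs session creation and destruction as the first two bullets suggest, and guesses whether a destroyed session timed out or was invalidated by code. The class name, the logger name and the idle-time heuristic are assumptions made for this illustration.

```java
import java.util.logging.Logger;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical class name. Register it in web.xml (use your own package name):
//   <listener><listener-class>SessionTraceListener</listener-class></listener>
public class SessionTraceListener implements HttpSessionListener {

    // Logger name is an assumption for this example.
    private static final Logger LOG = Logger.getLogger("session.trace");

    public void sessionCreated(HttpSessionEvent event) {
        HttpSession s = event.getSession();
        LOG.info("created id=" + tag(s)
                + " timeoutSec=" + s.getMaxInactiveInterval());
    }

    public void sessionDestroyed(HttpSessionEvent event) {
        HttpSession s = event.getSession();
        String cause;
        try {
            long idleSec =
                (System.currentTimeMillis() - s.getLastAccessedTime()) / 1000L;
            int maxSec = s.getMaxInactiveInterval();
            // Heuristic: idle at least as long as the timeout means the
            // container expired the session; otherwise some code called
            // invalidate() on a session that was still in use.
            cause = (maxSec > 0 && idleSec >= maxSec) ? "timeout" : "invalidate()";
            cause += " idleSec=" + idleSec;
        } catch (IllegalStateException e) {
            // Servlet 2.3 containers notify after invalidation, so the
            // session state can no longer be read at this point.
            cause = "unknown (session already invalid)";
        }
        LOG.info("destroyed id=" + tag(s) + " cause=" + cause);
    }

    // Log only a short prefix of the ID: a full session ID in a log file
    // would let anyone who can read the log reuse the session.
    private static String tag(HttpSession s) {
        String id = s.getId();
        return id.substring(0, Math.min(6, id.length())) + "...";
    }
}
```

If the log shows no "destroyed" entry before the merchant's follow-up request arrives, the session still exists on the server and the cause lies with the cookie or URL rewriting described in the last two bullets.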
