应用程序服务器如何跟踪HttpSession对象和客户端？ [英] How do application servers keep track of HttpSession objects and clients?

问题描述

应用程序服务器如何跟踪哪个客户端与哪个HttpSession对象相关联？它与跟踪客户端之间的TCP / IP连接有关吗？还是饼干？我怀疑它是cookie，因为有一种单独的方法来提取cookie。

背景

<我明白servlet和JSP可以调用request.getSession（）来获取与客户端关联的HttpSession对象。我很好奇服务器在客户端请求新页面时如何知道返回同一个对象。我一直在搜索，我找到的所有文档都是关于如何提取会话信息。我对服务器如何从它可以访问的客户端数据的海洋隔离该会话信息感兴趣。

解决方案

我怀疑它是饼干

它是！在无状态HTTP协议和servlet中，基本上有两种跟踪用户会话的方法： JSESSIONID cookie或URL重写。当cookie不可用时使用后者。

使用第一个响应servlet容器在客户端中设置以下cookie：

  Set-Cookie：JSESSIONID = 25E7A6C27095CA1F560BCB2983BED17C;路径= /; HttpOnly 
  

每个后续请求都包含此cookie，servlet容器使用它来提供正确的 HttpSession的。您可以使用servlet API直接访问此cookie，甚至可以在 JSESSIONID 或其他cookie之上构建自己的会话机制。但是servlet容器会为你做这件事。

另见

• 为什么在启用cookie时jsessionid出现在Wicket URL中？ - 有关servlet容器如何区分cookie和URL重写的一些技术细节

How do application servers keep track of which client is associated with which HttpSession object? Is it related to keeping track of the TCP/IP connection between the client? Or cookies perhaps? I doubt it's cookies since there is a separate method for extracting cookies.

Background

I understand that servlets and JSPs can call request.getSession() to obtain an HttpSession object associated with a client. I'm curious as to how the server knows to return that same object when the client requests new pages. I've searched around and all documentation I find is on how to extract session information. I'm interested in how the server isolated that session information from the sea of client data it has access to.

解决方案

I doubt it's cookies

It is! There are essentially two ways of keeping track of user session in stateless HTTP protocol and servlets: JSESSIONID cookie or URL rewriting. The latter is used when cookies are not available.

With first response servlet container sets the following cookie in the client:

Set-Cookie: JSESSIONID=25E7A6C27095CA1F560BCB2983BED17C; Path=/; HttpOnly

Every subsequent request includes this cookie, and servlet container uses it to provide correct HttpSession. You can access this cookie directly using servlet API, you can even build your own session mechanism on top of JSESSIONID or some other cookie. But the servlet container does that for you.

See also

• Why is jsessionid appearing in Wicket URLs when cookies are enabled? - for some technical details on how servlet container makes a distinction between cookies and URL rewriting

这篇关于应用程序服务器如何跟踪HttpSession对象和客户端？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！