What is the difference between session-timeout and max-age in web.xml?
Question
I'm not sure I understand:
<session-config>
<session-timeout>30</session-timeout> <!-- 30 minutes! -->
<cookie-config>
<http-only>true</http-only>
<max-age>1800</max-age> <!-- 1800 seconds: 30 minutes! -->
</cookie-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
Also, is there any way to configure ALL cookies in web.xml? This seems to apply to session cookies only. Do I need a filter for such feature?
Recommended answer
Why do we even need this? Quoting the Servlet 3.0 specification:
In the HTTP protocol, there is no explicit termination signal when a client is no longer active. This means that the only mechanism that can be used to indicate when a client is no longer active is a time out period.
The web-commons schema really nails explaining it:
The session-timeout element defines the default session timeout interval for all sessions created in this web application. The specified timeout must be expressed in a whole number of minutes.
If the timeout is 0 or less, the container ensures the default behaviour of sessions is never to time out. If this element is not specified, the container must set its default timeout period.
The web-commons schema also gives us some information about the max-age element:
The lifetime (in seconds) that will be assigned to any session tracking cookies created by this web application. Default is -1
And to answer your last question:
Also, is there any way to configure ALL cookies in web.xml? This seems to apply to session cookies only. Do I need a filter for such feature?
I don't think so.
The easiest™ way to do so IMHO would be to subclass HttpServletResponseWrapper overriding the addCookie() method.
So to sum it up:
- session-timeout configures how long the session will linger around consuming server resources, even when not being actively accessed.
- max-age configures how long the client browser will keep the session cookie. This setting only applies to the lifetime of the cookie: it won't do a thing if you're using URL rewriting, and it has absolutely nothing to do with how long the sessions are kept at the server-side. The default, -1, keeps the cookie for as long as the browser session is active.
Servlet 3.1 JSR-340 specification page:
http://download.oracle.com/otndocs/jcp/servlet-3_1-fr-eval-spec/index.html
The web-commons XSD is available at:
http://www.oracle.com/webfolder/technetwork/jsc/xml/ns/javaee/web-common_3_0.xsd
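The wrapper approach suggested in the answer, as an added example that is not part of the original answer: a Servlet 3.0 filter that wraps each response and applies one policy to every cookie added through addCookie(). The class name CookiePolicyFilter, the /* mapping and the 1800-second cap are assumptions chosen for illustration.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Hypothetical filter (not from the original answer): applies one cookie policy
// to every cookie the application adds through HttpServletResponse.addCookie().
@WebFilter("/*")
public class CookiePolicyFilter implements Filter {

    // Assumed policy value: mirrors the 1800 seconds used in the question's web.xml.
    private static final int MAX_AGE_SECONDS = 1800;

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        final boolean secureRequest = req.isSecure();
        HttpServletResponse wrapped =
                new HttpServletResponseWrapper((HttpServletResponse) res) {
            @Override
            public void addCookie(Cookie cookie) {
                cookie.setHttpOnly(true);       // same effect as <http-only>true</http-only>
                if (secureRequest) {
                    cookie.setSecure(true);     // cookie is only sent back over HTTPS
                }
                // Cap persistent cookies; leave 0 (delete) and negative (browser session) alone.
                if (cookie.getMaxAge() > MAX_AGE_SECONDS) {
                    cookie.setMaxAge(MAX_AGE_SECONDS);
                }
                super.addCookie(cookie);
            }
        };
        chain.doFilter(req, wrapped);
    }

    @Override
    public void destroy() { }
}
```

Cookies written directly as Set-Cookie headers with addHeader() or setHeader() do not pass through addCookie(), and the session tracking cookie itself remains configured by <cookie-config> in web.xml.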