使用会话和cookie进行Servlet身份验证 [英] Servlet authentication using sessions and cookies

问题描述

我需要实现简单的servlet用户身份验证(在Java Dynamic Web Project中)，但是有些事情使我非常困惑.

I need to implement simple servlet user authentication (in Java Dynamic Web Project) but there are things that confuse me quite a bit.

首先，尽管出于某种原因，该servlet创建了cookie JSESSIONID ，但我从未要求这样做.而且，如果执行 request.addCookie(new Cookie("JSESSIONID"，session.getId()))，我将无法更改其值，

Firstly, the servlet for some reason creates the cookie JSESSIONID although I never ask it to. And moreover, I cannot change its value, if I do request.addCookie(new Cookie("JSESSIONID", session.getId())), it makes something like this:

Cookie: JSESSIONID=6B5B441038414B4381EDB7470018F90E; JSESSIONID=7890D45DF445635C49BDEB3CADA8AD99; .......

因此，它复制了cookie.

so, it duplicates the cookie.

其次，我不确定在哪里比较cookie和会话的ID，以及在哪里以及如何正确创建会话(即 request.getSession(true?/false?/none?); )

Secondly, I'm not sure where to compare cookie and session's id, and where and how to create session correctly (i.e. request.getSession(true? / false? / nothing?);)

我已经阅读了一些文档，但仍然需要帮助.

I've read some documentation but still need help.

我有servlet HomeServlet ，如果用户未通过身份验证，则应该将用户重定向到 authentication 页面.

I have the servlet HomeServlet which shoud redirect user to authentication page if the user is not authenticated.

这是我的操作方式( HomeServlet.java ):

Here's how I do that (HomeServlet.java):

    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

        if(request.getSession().getAttribute("user") != null) {
            request.getRequestDispatcher("/WEB-INF/index.jsp").forward(request, response);
        } else {
            response.sendRedirect("authentication");
        }
    }

我还具有 AuthServlet ，该代码为jsp页面提供身份验证表单并验证用户.

And I also have AuthServlet which serves jsp page with authentication forms and validates users.

AuthServlet.java :

protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

    String action = request.getParameter("ACTION");

    if ("login".equals(action)) {
        String[] result = doSomeValidations();

        if (result.size() > 0) { // show validation errors
            request.setAttribute("errorLoginMessage", result);
            request.setAttribute("email", email);
            doGet(request, response);
        } else { // authenticate user
            request.getSession().setAttribute("user", userObject);
            request.getRequestDispatcher("/WEB-INF/index.jsp").forward(request, response);
        }
    } else if ("signup".equals(action)) {
        // ...........................          
    } else {
        doGet(request, response);
    }
}

---

那么，您能帮助我理解这一点吗?如何实现用户身份验证并在整个会话过程中保持用户登录状态?

---

So, could you help me with understanding that? How do I implement user authentication and keep the user logged in throughout the session?

推荐答案

首先，由于某种原因，servlet创建了cookie JSESSIONID尽管我从不要求

Firstly, the servlet for some reason creates the cookie JSESSIONID although I never ask it to

HttpSession jsession = request.getSession();  

您正在此处请求会话，容器会以响应方式创建 JSESSIONID cookie

you are requesting a session here and JSESSIONID cookie is created by the container in response

如何正确创建会话request.getSession(true?/false?/什么?);

how to create session correctly request.getSession(true? / false? / nothing?);

request.getSession()和 request.getSession(true)完全相同，如果需要，它们会启动一个新会话，但是 request.getSession(false)表示是否已经有一个会话使用，但如果没有，则不要开始.您想如何开始会话以及在何处开始完全取决于您的要求

request.getSession() and request.getSession(true) are exactly the same they start a new session if needed ,but request.getSession(false) means if there is already a session use it but if there isn't don't start one. How and where you want to start the session is dependent entirely on your requirements

 response.addCookie(new Cookie("JSESSIONID", jsession.getId()));

您不可以自己添加 JSESSIONID cookie，容器会为您完成.

you are not suppossed to add a JSESSIONID cookie yourself , the container will do it for you .

此外，您还应该在您的应用中创建一次会话，一旦 JSESSIONID cookie存储在用户的浏览器中(启用了cookie)(它将启用)，它将随请求一起发送.

Also you should create session once in your app , once the JSESSIONID cookie is stored in the user's browser(provided cookies are enabled) ,it will be sent along with the request.

我如何实现用户身份验证

How do I implement user authentication

主观性强且取决于要求，您可以阅读 https://docs.oracle.com/cd/E19226-01/820-7627/bncby/index.html

Highly subjective and depends on requirements , you can read this https://docs.oracle.com/cd/E19226-01/820-7627/bncby/index.html

在整个会话过程中保持用户登录

keep the user logged in throughout the session

您的会话Cookie将在用户通过身份验证后为您提供帮助，例如登录Facebook并保持"cookie"标签保持打开状态

Your session cookies will help you with that once the user has been authenticated ,as an example login to facebook and keep your cookies tab open

这篇关于使用会话和cookie进行Servlet身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！