Confusion about how java web session handling works. Demystifying Cookies and Header differences using servlet api and HttpSession object

Question

I am learning Spring security and Spring MVC, but I realized I needed to learn jsp Servlets first and general web programming in a java environment.

I have confusions surrounding the HttpServletRequest and HttpServletResponse objects and how they can be used to add headers to the request and response objects and how they relate to sessions.

As far as I understand, a cookie is a type of header just like Content-type and Accept. The java servlet api just makes it easy to work with the header by using methods specific to the context in which the header is being used. For example:

response.setContentType(String mimeType)
response.setContentLength(int lengthInBytes)

My confusion starts here.. Cookie is not a String or int, it's an object:

response.addCookie(Cookie cookie)
response.getCookies()

Since a cookie is a type of header, can't I just use something like this:

String cookieVal = response.getHeader("cookie")

I'm having difficulty understanding session management and how it relates to the HttpServletRequest and HttpServletResponse API.. What is the HttpSession object for?

HttpSession.getAttribute() // What is this getting??
HttpSession.setAttribute("Bla Bla", "valuetoset") // What is this setting?

Recommended answer

You can read the RFC describing Cookies and the related headers, Set-Cookie and Cookie to understand what they are.

You can go through Chapter 7 of the Servlet Specification if you want to understand in detail how Cookies and Sessions are related.

You first need to understand that HTTP is a stateless protocol. This means that each request that a client makes has no relation to any previous or future requests. However, as users, we very much want some state when interacting with a web application. A bank application, for example, only wants you to be able to see and manage your transactions. A music streaming website might want to recommend some good beats based on what you've already heard.

To achieve this, the Cookie and Session concepts were introduced. Cookies are key-value pairs, but with a specific format (see the links). Sessions are server-side entities that store information (in memory or persisted) that spans multiple requests/responses between the server and the client.

The Servlet HTTP session uses a cookie with the name JSESSIONID and a value that identifies the session.

The Servlet container keeps a map (YMMV) of HttpSession objects and these identifiers. When a client first makes a request, the server creates an HttpSession object with a unique identifier and stores it in its map. It then adds a Set-Cookie header in the response. It sets the cookie's name to JSESSIONID and its value to the identifier it just created.

This is the most basic Cookie that a server uses. You can set any number of them with any information you wish. The Servlet API makes that a little simpler for you with the HttpServletResponse#addCookie(Cookie) method but you could do it yourself with the HttpServletResponse#addHeader(String, String) method.

The client receives these cookies and can store them somewhere, typically in a text file. When sending a new request to the server, it can use that cookie in the request's Cookie header to notify the server that it might have done a previous request.

When the Servlet container receives the request, it extracts the Cookie header value and tries to retrieve an HttpSession object from its map by using the key in the JSESSIONID cookie. This HttpSession object is then attached to the HttpServletRequest object that the Servlet container creates and passes to your Servlet. You can use the setAttribute(String, Object) and getAttribute(String) methods to manage state.
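
The mechanism this answer describes, as an added example that is not part of the original answer or of any servlet container's code: a toy model using only the JDK (Java 17+), in which the class name SessionDemo, the methods parseCookieHeader and handle, and the visits attribute are illustrative assumptions. It shows the server-side map, the Set-Cookie value issued on the first request, the lookup from the Cookie header, and a fresh identifier being minted when the presented one is unknown.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.HexFormat;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Toy model of a servlet container's session tracking (illustrative, not a real container). */
public class SessionDemo {
    // Server-side store: session id -> attributes (what HttpSession#setAttribute writes to).
    static final Map<String, Map<String, Object>> SESSIONS = new ConcurrentHashMap<>();
    static final SecureRandom RNG = new SecureRandom();
    /** Parses a request "Cookie" header such as "a=1; JSESSIONID=abc" into name/value pairs. */
    static Map<String, String> parseCookieHeader(String header) {
        Map<String, String> cookies = new HashMap<>();
        if (header == null) return cookies;
        for (String pair : header.split(";")) {
            int eq = pair.indexOf('=');
            if (eq > 0) cookies.put(pair.substring(0, eq).trim(), pair.substring(eq + 1).trim());
        }
        return cookies;
    }

    /** Handles one request: returns the Set-Cookie header value to send, or null if none is needed. */
    static String handle(String cookieHeader) {
        String id = parseCookieHeader(cookieHeader).get("JSESSIONID");
        Map<String, Object> session = (id == null) ? null : SESSIONS.get(id);
        String setCookie = null;
        if (session == null) {
            // Unknown or missing id: never adopt the client's value, mint a fresh random one.
            byte[] raw = new byte[16];
            RNG.nextBytes(raw);
            id = HexFormat.of().formatHex(raw);
            session = new ConcurrentHashMap<>();
            SESSIONS.put(id, session);
            setCookie = "JSESSIONID=" + id + "; Path=/; HttpOnly";
        }
        // Equivalent of session.setAttribute("visits", n): the state lives on the server only.
        session.merge("visits", 1, (a, b) -> (Integer) a + (Integer) b);
        System.out.println("visits=" + session.get("visits") + " Set-Cookie: " + setCookie);
        return setCookie;
    }

    public static void main(String[] args) {
        String setCookie = handle(null);                  // first request, no Cookie header
        String cookie = setCookie.substring(0, setCookie.indexOf(';'));
        handle(cookie);                                   // same session: visits=2, no Set-Cookie
        handle("JSESSIONID=not-issued-by-server");        // unknown id: new session, visits=1
    }
}
```

The cookie carries only the identifier; the attribute values never leave the server, which is why the identifier is generated with SecureRandom and marked HttpOnly in this sketch.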
