Best option for Session management in Java


Question

What is the best way of managing sessions in Java? I heard that cookies are not a reliable option for this, as they get stored in the browser and can be accessed later on. Is this correct? If possible, please come up with answers that include a coding example.

Which is best:

  • URL rewriting: the server adds an additional parameter at the end of the URL link
  • Hidden parameter in a form: the server adds an additional parameter to every form in the HTML
  • Cookie: the server asks the browser to maintain a cookie

Accepted answer

The session management (client identification, cookie handling, saving session-scoped data and so on) is basically already done by the appserver itself. You don't need to worry about it at all. You can just set/get Java objects in the session by HttpSession#setAttribute() and #getAttribute(). The only thing you really need to take care of is URL rewriting, for the case that the client doesn't support cookies. It will then append a jsessionid identifier to the URL. In JSP you can use JSTL's c:url for this. In a Servlet you can use HttpServletResponse#encodeURL() for this. This way the server can identify the client by reading the new request URL.

Your next question will probably be "But how are cookies related to this? How does the server do it all?". Well, the answer is this: if the server receives a request from a client and the server-side code (your code) tries to get the HttpSession by HttpServletRequest#getSession() while none has been created yet (the first request in a fresh session), the server will create a new one itself. The server will generate a long, unique and hard-to-guess ID (the one which you can get by HttpSession#getId()) and set this ID as the value of a cookie with the name jsessionid. Under the hood the server uses HttpServletResponse#addCookie() for this. Finally the server will store all sessions in some kind of Map with the session ID as key and the HttpSession as value.

According to the HTTP cookie spec, the client is required to send the same cookies back in the headers of subsequent requests. Under the hood the server will search for the jsessionid cookie by HttpServletRequest#getCookies() and determine its value. This way the server is able to obtain the associated HttpSession and give it back on every call to HttpServletRequest#getSession().

To the point: the only thing which is stored on the client side is the session ID (in the form of a cookie), and the HttpSession object (including all of its attributes) is stored on the server side (in Java's memory). You don't need to worry about session management yourself, and you also don't need to worry about the security.
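To make the mechanics above concrete, here is an added example (my own code, not part of the original answer or of any particular container): a minimal login/logout servlet that keeps everything except the session ID on the server, calls encodeURL()/encodeRedirectURL() so the jsessionid URL-rewriting fallback kicks in only when the browser sent no cookie, and rotates the session ID at the login boundary with the Servlet 3.1 changeSessionId() method. The "/login" path, the "user" attribute name and the hard-coded credentials are illustrative assumptions; a Servlet 3.1+ container (Tomcat 8/9, Jetty 9.1+) is assumed, and for Jakarta EE 9+ containers the javax.servlet imports become jakarta.servlet.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example, not from the original answer: login/logout with the
 * container-managed HttpSession. Only the session ID ever reaches the browser;
 * the "user" attribute stays in the server's session map.
 * The path, attribute name and credentials below are illustrative assumptions.
 */
@WebServlet("/login")
public class SessionDemoServlet extends HttpServlet {

    private static final String USER_ATTR = "user"; // session attribute name (assumption)

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");

        // Illustrative check only; a real application verifies a password hash.
        if (!"alice".equals(username) || !"s3cret".equals(password)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // getSession() returns the existing session or creates one. On creation the
        // container generates the ID and sends it as "Set-Cookie: JSESSIONID=...".
        HttpSession session = request.getSession();

        // Rotate the ID at the authentication boundary (Servlet 3.1+). Attributes are
        // kept, only the identifier changes, so an ID a third party knew or planted
        // before login is not promoted to an authenticated session (session fixation).
        request.changeSessionId();

        // This value lives only in server memory; the browser never sees it.
        session.setAttribute(USER_ATTR, username);

        // encodeRedirectURL() appends ";jsessionid=..." only when the client did not
        // present the session cookie, i.e. the URL-rewriting fallback from the answer.
        response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + "/login"));
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getSession(false) never creates a session, so anonymous GETs do not
        // allocate server-side state.
        HttpSession session = request.getSession(false);

        if (session != null && "logout".equals(request.getParameter("action"))) {
            // Removes the server-side entry; the ID still held by the browser is now useless.
            session.invalidate();
            session = null;
        }

        String user = (session == null) ? null : (String) session.getAttribute(USER_ATTR);

        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        if (user == null) {
            // encodeURL() makes the same cookie-or-rewrite decision for form actions and links.
            out.println("<form method=\"post\" action=\"" + response.encodeURL("login") + "\">"
                    + "<input name=\"username\"> <input type=\"password\" name=\"password\">"
                    + " <button>Log in</button></form>");
        } else {
            // 'user' can only be the literal "alice" validated in doPost, so no HTML
            // escaping is needed here; escape anything user-controlled before echoing it.
            out.println("<p>Logged in as " + user + "</p>"
                    + "<a href=\"" + response.encodeURL("login?action=logout") + "\">Log out</a>");
        }
    }
}
```

Two deployment settings go with this, both in web.xml under `<session-config>` (Servlet 3.0+): `<cookie-config><http-only>true</http-only><secure>true</secure></cookie-config>` keeps the ID cookie out of reach of page scripts and off plaintext HTTP, and `<tracking-mode>COOKIE</tracking-mode>` disables the URL-rewriting fallback altogether, which is what most deployments want, since an ID carried in the URL ends up in server logs, browser history and Referer headers sent to other sites. With tracking mode set to COOKIE the encodeURL() calls above become no-ops and can stay in place.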
