Best option for Session management in Java

Question

Best way of managing sessions in Java. I heard that cookies are not a reliable option for this as they get stored in the browser and can be accessed later on? Is this correct? If possible please come up with the answers with the coding example.

Which of these is the best option:


  • URL Rewriting: Server will add an additional parameter at the end of URL link
  • Hidden parameter in Form: server will add an additional parameter at every form in HTML
  • cookie: Server will ask browser to maintain a cookie.

Recommended answer

The session management (client identification, cookie handling, saving session scoped data and so on) is basically already done by the appserver itself. You don't need to worry about it at all. You can just set/get Java objects in the session by HttpSession#setAttribute() and #getAttribute(). The only thing you really need to take care of is URL rewriting for the case where the client doesn't support cookies. It will then append a jsessionid identifier to the URL. In the JSP you can use the JSTL's c:url for this. In the Servlet you can use HttpServletResponse#encodeURL() for this. This way the server can identify the client by reading the new request URL.

Your new question shall probably be "But how are cookies related to this? How does the server do it all?". Well, the answer is this: if the server receives a request from a client and the server side code (your code) is trying to get the HttpSession by HttpServletRequest#getSession() while none has been created yet (first request in a fresh session), the server will create a new one itself. The server will generate a long, unique and hard-to-guess ID (the one which you can get by HttpSession#getId()) and set this ID as the value of a cookie with the name jsessionid. Under the hood the server uses HttpServletResponse#addCookie() for this. Finally the server will store all sessions in some kind of Map with the session ID as key and the HttpSession as value.

According to the HTTP cookie spec the client is required to send the same cookies back in the headers of the subsequent request. Under the hood the server will search for the jsessionid cookie by HttpServletRequest#getCookies() and determine its value. This way the server is able to obtain the associated HttpSession and give it back by every call on HttpServletRequest#getSession().

To the point: the only thing which is stored in the client side is the session ID (in flavor of a cookie) and the HttpSession object (including all of its attributes) is stored in the server side (in Java's memory). You don't need to worry about session management yourself and you also don't need to worry about the security.

  • Authenticating the username, password by using filters in Java (contacting with database)
  • How to redirect to Login page when Session is expired in Java web application?
  • How to implement "Stay Logged In" when user login in to the web application
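
The mechanism the answer describes, as an added sketch that is not part of the original answer and not any application server's real code: a hard-to-guess ID travels to the client in a cookie while the session attributes stay in a server-side map. The class and method names are hypothetical, the requests in main() are constructed, and real containers add expiry and ID rotation that this model omits.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Simplified model of container session tracking (hypothetical, not app-server code).
public class SessionStoreSketch {
    private static final String COOKIE_NAME = "jsessionid"; // name used in the answer
    private final SecureRandom random = new SecureRandom();
    // Session ID -> session attributes; this map never leaves the server.
    private final Map<String, Map<String, Object>> sessions = new ConcurrentHashMap<>();

    // Extracts the session ID from a raw Cookie request header, or null if absent.
    static String sessionIdFrom(String cookieHeader) {
        if (cookieHeader == null) return null;
        for (String pair : cookieHeader.split(";")) {
            String[] kv = pair.trim().split("=", 2);
            if (kv.length == 2 && kv[0].equals(COOKIE_NAME)) return kv[1];
        }
        return null;
    }

    // Mirrors the described getSession() flow: reuse a known ID, otherwise mint one.
    // Returns the ID that the response has to carry in its Set-Cookie header.
    String getOrCreateSession(String cookieHeader) {
        String id = sessionIdFrom(cookieHeader);
        if (id != null && sessions.containsKey(id)) return id;
        // Missing or unknown ID: never adopt a value the client supplied.
        byte[] raw = new byte[16]; // 128 random bits from a CSPRNG
        random.nextBytes(raw);
        String fresh = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(fresh, new ConcurrentHashMap<>());
        return fresh;
    }

    Map<String, Object> attributes(String id) { return sessions.get(id); }

    public static void main(String[] args) {
        SessionStoreSketch server = new SessionStoreSketch();
        // Constructed request 1: no cookie yet, so a session is created.
        String id = server.getOrCreateSession(null);
        server.attributes(id).put("user", "alice"); // stored server-side only
        System.out.println("Set-Cookie: " + COOKIE_NAME + "=" + id + "; Path=/; HttpOnly");
        // Constructed request 2: the browser sends the cookie back.
        String same = server.getOrCreateSession("theme=dark; " + COOKIE_NAME + "=" + id);
        System.out.println("same session: " + same.equals(id)
                + ", user=" + server.attributes(same).get("user"));
        // Constructed request 3: an ID the server never issued gets a fresh session.
        String other = server.getOrCreateSession(COOKIE_NAME + "=guessed-value");
        System.out.println("unissued ID adopted: " + other.equals("guessed-value"));
    }
}
```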
