Confusion about how Java web session handling works. Demystifying Cookies and Header differences using servlet API and HttpSession object

Question

I am learning Spring Security and Spring MVC, but I realized I needed to learn JSP Servlets first and general web programming in a Java environment.

I have confusions surrounding the HttpServletRequest and HttpServletResponse objects and how they can be used to add headers to the request and response objects and how they relate to sessions.

As far as I understand, a cookie is a type of header just like Content-Type and Accept. The Java Servlet API just makes it easy to work with the header by using methods specific to the context in which the header is being used. For example:

response.setContentType(String mimeType)
response.setContentLength(int lengthInBytes)

My confusion starts here. Cookie is not a String or int, it's an object:

response.addCookie(Cookie cookie)
response.getCookies()

Since a cookie is a type of header, can't I just use something like this:

String cookieVal = response.getHeader("cookie")

I'm having difficulty understanding session management and how it relates to the HttpServletRequest and HttpServletResponse API. What is the HttpSession object for?

HttpSession.getAttribute() // What is this getting??
HttpSession.setAttribute("Bla Bla", "valuetoset") // What is this setting?


Recommended answer

You can read the RFC describing Cookies and the related headers, Set-Cookie and Cookie to understand what they are.

You can go through Chapter 7 of the Servlet Specification if you want to understand in detail how Cookies and Sessions are related.

You first need to understand that HTTP is a stateless protocol. This means that each request that a client makes has no relation to any previous or future requests. However, as users, we very much want some state when interacting with a web application. A bank application, for example, only wants you to be able to see and manage your transactions. A music streaming website might want to recommend some good beats based on what you've already heard.

To achieve this, the Cookie and Session concepts were introduced. Cookies are key-value pairs, but with a specific format (see the links). Sessions are server-side entities that store information (in memory or persisted) that spans multiple requests/responses between the server and the client.

The Servlet HTTP session uses a cookie with the name JSESSIONID and a value that identifies the session.

The Servlet container keeps a map (YMMV) of HttpSession objects and these identifiers. When a client first makes a request, the server creates an HttpSession object with a unique identifier and stores it in its map. It then adds a Set-Cookie header in the response. It sets the cookie's name to JSESSIONID and its value to the identifier it just created.

This is the most basic Cookie that a server uses. You can set any number of them with any information you wish. The Servlet API makes that a little simpler for you with the HttpServletResponse#addCookie(Cookie) method but you could do it yourself with the HttpServletResponse#addHeader(String, String) method.

The client receives these cookies and can store them somewhere, typically in a text file. When sending a new request to the server, it can use that cookie in the request's Cookie header to notify the server that it might have done a previous request.

When the Servlet container receives the request, it extracts the Cookie header value and tries to retrieve an HttpSession object from its map by using the key in the JSESSIONID cookie. This HttpSession object is then attached to the HttpServletRequest object that the Servlet container creates and passes to your Servlet. You can use the setAttribute(String, Object) and getAttribute(String) methods to manage state.
