Java web-session mechanism

Author: Winter melon learning Java

Blog homepage: Winter melon's homepage

Column: [Java Web]

Share: I think I can get out of this dark night. –Apu Yahong “Cherry Snow”

Main content: what a request is; what a session is; where the session mechanism sits; the role of the session object; why a session is needed to save session state; why neither request nor ServletContext is used to save that information; using the session to save login status; how the session is implemented; how the session solves the login page problem.

Article directory

  • 1. Session concept
      • @ What is a request?
      • @ What is a session?
      • @ Positioning of session
      • @ The role of the session object
      • @ Why do you need session to save session state?
      • @ Why not use request to save information? Why not use ServletContext to save information?
  • 2. The session saves the login status
      • 1. If you don't use session, what's the problem with logging in?
          • @ First, how to implement the user login function
          • @ Question: the list page can be reached without going through the login page
      • 2. The principle of session implementation
          • @ Can the session still be found if cookies are disabled?
      • 3. Session solves the login page layout problem

1. Session concept

@ What is a request?

  • The user clicks something in the browser, the page is fully displayed, and activity stops: that can be considered one request. The server-side Java object corresponding to a request is request. One request corresponds to one request object.

@ What is a session?

  • A session (会话) is what happens between opening the browser, browsing through various operations, and closing the browser; the whole process is one session. The session also has a corresponding Java object on the server side: session. One session corresponds to one session object, and one session contains many requests.

@ Positioning of session

  • The session mechanism belongs to the B/S (browser/server) architecture. It is a specification rather than a Java-only feature: web projects developed in other languages use a session mechanism as well.

@ The role of the session object

  • Save the session state (for example, once a user has logged in successfully, that logged-in state can be saved in the session object).

@ Why do you need session to save session state?

  • Because HTTP is a stateless protocol. Stateless means that the browser (B) and the server (S) connect for a request, and once the request is finished the connection is dropped. This is designed to relieve the pressure on the server. Because the connection is dropped after every request, the server has no way of knowing when the browser is closed, and cannot by itself tell that a later request comes from the same user.

@ Why not use request to save information? Why not use ServletContext to save information?

  • request is created per request: one object for one request. Its scope is obviously too small for saving a session, because one user's successive requests each get a different request object, so nothing saved in one survives into the next.
    The ServletContext object is created when the server starts and destroyed when the server shuts down. Its scope is too large for saving a session: one ServletContext is shared by all users, so after one user logs in, every other user would appear logged in and could enter the project without logging in.
  • Three scopes: the request domain (HttpServletRequest), the session domain (HttpSession) and the application domain (ServletContext). Scope, from smallest to largest: request, session, application.
  • All three domains offer the same methods:
    setAttribute (put data into the domain)
    getAttribute (get data from the domain)
    removeAttribute (delete data from the domain).

2. The session saves the login status

1. If you don't use session, what's the problem with logging in?

@ First, how to implement the user login function
  • Step 1: Add a user table, t_user, to the database.
    The user table stores the user's login information; at minimum this is the user name and the password. The password column in a typical database holds ciphertext (an MD5 digest) rather than plaintext. Insert the user information into t_user.
    Note: registering a user is actually just inserting the user's information into the user table.
  • Step 2: Implement a login page.
    The login page has input boxes for the user name and password. The user clicks the login button, which submits the form with the user name and password; the form is submitted with the "post" method.
  • Step 3: A corresponding Servlet in the background handles the login business.
    Login success: jump to the department list page.
    Login failure: jump to the login failure page.
  • Step 4: Add another page for the login failure case.

Login page: [screenshot not included]

List page: [screenshot not included]
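The four steps above, put together as a Servlet. This is an added example, not the blog's own code: it assumes the login form POSTs to /login with fields named "username" and "password", that /dept/list is the department list page and /fail.jsp the failure page, and it stands in for the t_user table with a constructed in-memory map so it runs without a database. The example also invalidates any session that existed before authentication, which is the standard defence against session fixation.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (not the blog's code): Step 3, the Servlet that handles the login form.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    // Constructed stand-in for the t_user table: user name -> hex digest of the password.
    // A real application queries the database, and should store a salted, slow password
    // hash (bcrypt, PBKDF2); a bare SHA-256 digest is used here only to keep the example
    // self-contained.
    private static final Map<String, String> USERS = Map.of(
            "admin", sha256Hex("admin123"));

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        request.setCharacterEncoding("UTF-8");
        String username = request.getParameter("username");
        String password = request.getParameter("password");

        // Constant-time comparison of the stored digest with the digest of the submitted password.
        String expected = username == null ? null : USERS.get(username);
        boolean ok = password != null && expected != null
                && MessageDigest.isEqual(expected.getBytes(StandardCharsets.US_ASCII),
                                         sha256Hex(password).getBytes(StandardCharsets.US_ASCII));

        if (!ok) {
            // Login failure: forward to the failure page (Step 4).
            request.getRequestDispatcher("/fail.jsp").forward(request, response);
            return;
        }

        // Login success: discard any session that existed before authentication (for example
        // the JSP built-in one) so the pre-login sessionID is not carried over (session fixation),
        // then create a fresh session object and save the login state in it.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true);
        session.setAttribute("username", username);
        session.setMaxInactiveInterval(30 * 60); // expire after 30 minutes idle

        // The container adds the JSESSIONID cookie to this response. encodeRedirectURL()
        // rewrites the URL to carry the id only when the container cannot rely on the cookie.
        response.sendRedirect(response.encodeRedirectURL(
                request.getContextPath() + "/dept/list"));
    }

    private static String sha256Hex(String s) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

The session attribute "username" is the login state the rest of the text refers to; any page that needs to know who is logged in reads that attribute rather than re-checking the password.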

@ Question: the list page can be reached without going through the login page
  • For example, of the two screenshots above, the first is the login page and the second is the list page. You should have to log in first before you can reach the second page. But if I type the list page's address, http://localhost:8080/oalogin/dept/list, straight into the address bar, I land on the list page and can still perform CRUD operations. That makes the login a mere decoration: CRUD works without logging in first, which is very dangerous.
  • How to solve it? Use the session mechanism. When a user accesses the project, check whether the current user has logged in: if so, let the request through to the list page; if not, jump to the login page.

2. The principle of session implementation

Key points:

@ Can the session still be found if cookies are disabled?
  • cookie: the sessionID is saved in the browser's cache in the form of a cookie.
  • Cookies disabled: the server still sends the cookie to the browser as normal (that is, it responds with the sessionid after creating the session), but the browser rejects it. The server itself is not affected. The result is that every request from that browser gets a brand-new session object.
  • So, with cookies disabled, can the session still be found?
    Yes, through the URL rewriting mechanism: http://localhost:8080/oa/session;jsessionid=19D1c99560DCDF84839FA43D5. In this approach the developer (on the web side) has to append the sessionID to every path, which makes development expensive. So in practice most web applications simply refuse to work when cookies are disabled.
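A small Servlet, added here as an example and not taken from the blog, that makes the two tracking modes visible. It assumes the hypothetical path /session. With cookies enabled the second request reports the id as coming from a cookie and the rewritten link is unchanged; with cookies blocked, every request reports a new session and encodeURL() appends ;jsessionid=... so the link still carries the id.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (not the blog's code): shows whether the container found the session
// by cookie or by URL rewriting, and what URL rewriting produces.
@WebServlet("/session")
public class SessionTrackingServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getSession() creates a session (and queues the JSESSIONID cookie) when the request
        // carried no usable id; getSession(false) would return null in that case instead.
        HttpSession session = request.getSession();

        response.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("session id      : " + session.getId());
        out.println("new session?    : " + session.isNew());
        out.println("id from cookie? : " + request.isRequestedSessionIdFromCookie());
        out.println("id from URL?    : " + request.isRequestedSessionIdFromURL());
        out.println("id still valid? : " + request.isRequestedSessionIdValid());

        // URL rewriting: encodeURL() appends ";jsessionid=<id>" only when the container
        // cannot rely on a cookie (the first response of a new session, or a client that
        // rejected the cookie). When the cookie works, the path comes back unchanged.
        String next = response.encodeURL(request.getContextPath() + "/session");
        out.println("rewritten link  : " + next);
    }
}
```

A session id carried in the URL ends up in browser history, proxy and server logs and Referer headers, so applications that do not need URL rewriting should turn it off: in web.xml a <session-config> with <tracking-mode>COOKIE</tracking-mode> restricts the container to cookies, and <cookie-config><http-only>true</http-only></cookie-config> keeps the JSESSIONID cookie out of reach of page scripts.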

3. Session solves the login page layout problem

Principle: when the same user sends multiple requests:

  • On the first request the user has to log in. The user submits the login information, the server creates a session object and saves the login information in it, then responds to the browser with a cookie (containing the sessionID), and the browser stores that cookie in its cache.
  • On every later request the browser sends the sessionid back. The server uses it to find the session and checks whether it holds this user's login information; if it does, the request proceeds to the CRUD page. If the session holds no user information, the server jumps to the login page and the flow starts over from the first step.

Supplement:

  • Accessing a JSP creates a built-in session object. To stop the JSP from generating this built-in object automatically, add the following directive to the JSP:
    <%@ page session="false"%>
    Case 1: not logged in, directive absent. The session is the JSP's built-in object, so it is not null, but the session domain holds nothing.
    Case 2: already logged in, directive absent. There are two sessions: one is the built-in object, the other is the session created on the server side, whose session domain holds the user's login information.
    Case 3: already logged in, directive present. There is only one session, the one created by the server, and its session domain holds the user's login information.
  • Condition for judging whether the user is logged in: session != null && session.getAttribute("username") != null. Under this condition it makes no difference whether the JSP disables automatic session generation: if the user has not logged in there is no user information in the session domain, so the second half of the condition fails.
  • Secure logout (as in online banking): destroy the session object manually.
    // getSession(false) returns the existing session or null instead of creating a new one,
    // which is what makes the null check meaningful: request.getSession() never returns null.
    HttpSession session = request.getSession(false);
    if (session != null) {
        session.invalidate();
    }
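The login check described in the "How to solve it?" bullet, the "Principle" list and the judgement condition above, written as a Servlet Filter. This is an added example, not the blog's code; it assumes the protected list and CRUD pages live under /dept/* and that the login page is /login.jsp, and it uses getSession(false) so an anonymous request is never handed a fresh session just by being checked.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (not the blog's code): guards every URL under /dept/* with the condition
//   session != null && session.getAttribute("username") != null
// so the list page can no longer be reached by typing its address into the address bar.
@WebFilter("/dept/*")
public class LoginCheckFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        if (isLoggedIn(request)) {
            chain.doFilter(req, resp);   // logged in: release the request to the list page
            return;
        }
        // Not logged in: back to the first step, the login page.
        response.sendRedirect(request.getContextPath() + "/login.jsp");
    }

    static boolean isLoggedIn(HttpServletRequest request) {
        // getSession(false) looks the session up by the sessionID the browser sent and never
        // creates one, so an unauthenticated request stays unauthenticated (getSession() would
        // hand out a new, empty session, which would also pass the null check).
        HttpSession session = request.getSession(false);
        return session != null && session.getAttribute("username") != null;
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Because the check runs in a Filter rather than in each JSP, the page session="false" directive discussed above no longer matters for the login decision, and the logout snippet above works unchanged: once invalidate() has run, the next request under /dept/* finds no session and is redirected to the login page.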