什么是会话?
会话可简单理解为:用户开一个浏览器,点击多个超链接,访问服务器多个web资源,然后关闭浏览器,整个过程称之为一个会话。会话过程中要解决的一些问题?
每个用户在使用浏览器与服务器进行会话的过程中,不可避免各自会产生一些数据,程序要想办法为每个用户保存这些数据。
例如:用户点击超链接通过一个servlet购买了一个商品,程序应该想办法保存用户购买的商品,以便于用户点结帐servlet时,结帐servlet可以得到用户购买的商品为用户结帐。
思考:用户购买的商品保存在request或servletContext中行不行?
不行,如果保存在request对象中的声明周期很短,一个请求完了对象就消失了;servletContext中保存的是全局应用数据,也不适合来保存每个用户的数据。
保存会话数据的两种技术Cookie
Cookie是客户端技术,程序把每个用户的数据以cookie的形式写给用户各自的浏览器。当用户使用浏览器再去访问服务器中的web资源时,就会带着各自的数据去。这样,web资源处理的就是用户各自的数据了。
Session
Session是服务器端技术,利用这个技术,服务器在运行时可以为每一个用户的浏览器创建一个其独享的session对象,由于session为用户浏览器独享,所以用户在访问服务器的web资源时,可以把各自的数据放在各自的session中,当用户再去访问服务器中的其它web资源时,其它web资源再从用户各自的session中取出数据为用户服务。
Cookie API
javax.servlet.http.Cookie类用于创建一个Cookie,response接口中定义了一个addCookie方法,它用于在其响应头中增加一个相应的Set-Cookie头字段。 同样,request接口中也定义了一个getCookies方法,它用于获取客户端提交的Cookie。
Cookie API文档如下:
Cookie类的方法:
- public Cookie(String name,String value)
- setValue与getValue方法
- setMaxAge与getMaxAge方法 (秒)
- setPath与getPath方法
- setDomain与getDomain方法
- getName方法
Cookie细节
- 一个Cookie只能标识一种信息,它至少含有一个标识该信息的名称(NAME)和设置值(VALUE)。
- 一个WEB站点可以给一个WEB浏览器发送多个Cookie,一个WEB浏览器也可以存储多个WEB站点提供的Cookie。
- 浏览器一般只允许存放300个Cookie,每个站点最多存放20个Cookie,每个Cookie的大小限制为4KB。
- 如果创建了一个cookie,并将他发送到浏览器,默认情况下它是一个会话级别的cookie(即存储在浏览器的内存中),用户退出浏览器之后即被删除。若希望浏览器将该cookie存储在磁盘上,则需要使用maxAge,并给出一个以秒为单位的时间。将最大时效设为0则是命令浏览器删除该cookie。
注意,删除cookie时,path必须一致,否则不会删除。将Cookie的maxAge设置为0后不要忘了写回Cookie。
如何向客户端写一个cookie:
HttpServletResponse.addCookie(javax.servlet.http.Cookie)
注:每个服务器只能存放20 cookie(稀有),浏览器端最多能存放300cookie, 每个cookie的大小不能超过4Kb
服务器如何获取客户端带来的cookie:
HttpServletRequest.getCookies()
注:不同网站向同一个客户端写的cookie的名称一致,可以通过cookie的path属性进行区分
cookie的默认存活时间是会话范围。
Cookie应用案例
1、显示用户上次访问时间
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Date;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
//记住用户上次访问的时间
public class CookieDemo1 extends HttpServlet {
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
response.setContentType("text/html;charset=UTF-8");
PrintWriter out = response.getWriter();
out.print("您上次访问的时间是:");
//获取客户端提交的指定的cookie lastAccessTime=321874983274329
Cookie cookies[] = request.getCookies();//会获取此路径下的cookie http://localhost:8080/day06/servlet/
for(int i=0;cookies!=null&&i<cookies.length;i++){
if(cookies[i].getName().equals("lastAccessTime")){
//有上次访问时间的cookie
String value = cookies[i].getValue();//得到毫秒值
Date date = new Date(Long.parseLong(value));
out.print(date.toLocaleString());
break;
}
}
//把当前的时间写给客户端
Cookie cookie = new Cookie("lastAccessTime",System.currentTimeMillis()+"");
cookie.setPath(request.getContextPath());// /day06
cookie.setMaxAge(Integer.MAX_VALUE);//设置存活时间
response.addCookie(cookie);
}
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
doGet(request, response);
}
}
删除指定的Cookie,示例代码如下:
import java.io.IOException;
import java.util.Date;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
//删除cookie:lastAccessTime
public class CookieDemo2 extends HttpServlet {
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
//得到指定的cookie,设置它的age为0
Cookie cookies[] = request.getCookies();
for(int i=0;cookies!=null&&i<cookies.length;i++){
if(cookies[i].getName().equals("lastAccessTime")){
cookies[i].setMaxAge(0);
cookies[i].setPath(request.getContextPath());//要与当时设置的路径保持一致,否则可能删除的不是同一个cookie
response.addCookie(cookies[i]);//写回客户端
}
}
}
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
doGet(request, response);
}
}
注意:没有直接remove cookie的API,如果要删除一个Cookie时,将该Cookie的maxAge设置为0,path必须一致,否则不会删除。 最后不要忘了写回Cookie。
2、记住用户名
生成登陆界面代码:
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
//生成登陆页面
//读取指定的cookie
public class CookieDemo3 extends HttpServlet {
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String username = "";
String checked = "";
//获取指定的cookie,改变username和checked的值
Cookie cookies[] = request.getCookies();
for(int i=0;cookies!=null&&i<cookies.length;i++){
Cookie cookie = cookies[i];
if(MyConstant.USERNAME.equals(cookie.getName())){
username = cookie.getValue();
checked = "checked='checked'";
break;
}
}
response.setContentType("text/html;charset=UTF-8");
PrintWriter out = response.getWriter();
out.print("<html><head><title>登陆</title></head><body>");
out.print("<form action='"+request.getContextPath()+"/servlet/CookieDemo4' method='post'>");
out.print("用户名:<input type='text' name='username' value='"+username+"'/><br/>");
out.print("密码:<input type='password' name='password' value=''/><br/>");
out.print("记住用户名:<input type='checkbox' name='remember' "+checked+"/><br/>");
out.print("<input type='submit' value='登陆'/>");
out.print("</form></body></html>");
}
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
doGet(request, response);
}
}
登陆逻辑处理代码:
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
//完成用户登陆
//根据是否记录用户名来写cookie
public class CookieDemo4 extends HttpServlet {
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String remember = request.getParameter("remember");
String username = request.getParameter("username");
if(remember==null){
//不需要记住:删除cookie username=wzhting
Cookie cookies[] = request.getCookies();
for(int i=0;cookies!=null&&i<cookies.length;i++){
Cookie c = cookies[i];
if(MyConstant.USERNAME.equals(c.getName())){
c.setMaxAge(0);
c.setPath(request.getContextPath());
response.addCookie(c);
break;
}
}
}else{
//记住:写cookie
Cookie cookie = new Cookie(MyConstant.USERNAME,username);
cookie.setMaxAge(Integer.MAX_VALUE);
cookie.setPath(request.getContextPath());
response.addCookie(cookie);
}
response.setContentType("text/html;charset=UTF-8");
PrintWriter out = response.getWriter();
out.print("登陆成功!欢迎您:"+username);
}
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
doGet(request, response);
}
}
Session
在WEB开发中,服务器可以为每个用户浏览器创建一个会话对象(session对象),注意:一个浏览器独占一个session对象(默认情况下)。因此,在需要保存用户数据时,服务器程序可以把用户数据写到用户浏览器独占的session中,当用户使用浏览器访问其它程序时,其它程序可以从用户的session中取出该用户的数据,为用户服务。
Session和Cookie的主要区别在于:
- Cookie是把用户的数据写给用户的浏览器。
- Session技术把用户的数据写到用户独占的session中。
Session API文档如下:
Session原理
session技术利用了cookie技术,向客户端写了一个name为JSESSIONID,value为session对象的id 的Cookie对象。
Cookie的path:/xxx(Web应用的名称) request.getContextPath()
Cookie的age:负数
思考:
如何实现多个IE浏览器共享同一session?应用:关掉IE后,再开IE,上次购买的商品还在。
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
//http://192.168.1.251:8080/day06/servlet/SessionDemo1?name=wzhting
public class SessionDemo1 extends HttpServlet {
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String name = request.getParameter("name");
HttpSession session = request.getSession();
System.out.println(session.getId());
session.setAttribute("p", name);
//保存cookie
Cookie cookie = new Cookie("JSESSIONID",session.getId());
cookie.setMaxAge(Integer.MAX_VALUE);
cookie.setPath(request.getContextPath());
response.addCookie(cookie);
}
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
doGet(request, response);
}
}
答案:我们手动保存一下Session的Cookie对象即可。
获取Session
HttpServletRequest接口中中定义了获取Session的方法,如下:
HttpSession getSession()
Returns the current session associated with this request, or if the request does not have a session, creates one.
HttpSession getSession(boolean create)
Returns the current HttpSession associated with this request or, if there is no current session and create is true, returns a new session.
If create is false and the request has no valid HttpSession, this method returns null.
To make sure the session is properly maintained, you must call this method before the response is committed. If the container is using cookies to maintain session integrity and is asked to create a new session when the response is committed, an IllegalStateException is thrown.
注意:
关闭浏览器是结束一次会话。但是对于服务器来讲,并不会立刻销毁内存中的session对象。默认的session的存活时间是30分钟。
Session案例
1、使用Session完成简单的购物车功能
商品列表Servlet代码:
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.itheima.cookie.app2.Book;
import com.itheima.cookie.app2.BookDb;
//显示所有的商品
//提供购买链接
public class ShowAllProductsServlet extends HttpServlet {
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
response.setContentType("text/html;charset=UTF-8");
PrintWriter out = response.getWriter();
out.print("<h1>本站有以下好书:</h1>");
Map<String, Book> books = BookDb.getAllBooks();
for(Map.Entry<String, Book> me:books.entrySet()){
out.print(me.getValue().getName()+" <a href='"+request.getContextPath()+"/servlet/BuyServlet?id="+me.getKey()+"'>购买</a><br/>");
}
}
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
doGet(request, response);
}
}
购买的Servlet代码:
import java.io.IOException;
import java.io.PrintWriter;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import com.itheima.cookie.app2.Book;
import com.itheima.cookie.app2.BookDb;
//购买Servlet:把当前商品加入到购物车中
//购物车应在会话范围
public class BuyServlet extends HttpServlet {
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
response.setContentType("text/html;charset=UTF-8");
PrintWriter out = response.getWriter();
String id = request.getParameter("id");
Book book = BookDb.findBookById(id);
//将当前买的书加入到购物车
HttpSession session = request.getSession();
List<Book> cart = (List<Book>) session.getAttribute("cart");
if(cart==null){
//没有购物车
cart = new ArrayList<Book>();
cart.add(book);
session.setAttribute("cart", cart);
}else{
//有购物车
cart.add(book);
}
out.print("<a href='/day06/servlet/ShowAllProductsServlet'>继续购物</a><br/><a href='/day06/servlet/ShowCartServlet'>去结算</a>");
}
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
doGet(request, response);
}
}
查看购物车Servlet代码:
import java.io.IOException;
import java.io.PrintWriter;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import com.itheima.cookie.app2.Book;
public class ShowCartServlet extends HttpServlet {
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
response.setContentType("text/html;charset=UTF-8");
PrintWriter out = response.getWriter();
out.print("您购买了以下商品:");
HttpSession session = request.getSession();
List<Book> cart = (List<Book>) session.getAttribute("cart");
for(Book b:cart){
out.print(b.getName()+"<br/>");
}
out.print("付账");
}
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
doGet(request, response);
}
}
2、Session实现一次性校验码
一次性验证码的主要目的就是为了限制人们利用工具软件来暴力猜测密码。
服务器程序接收到表单数据后,首先判断用户是否填写了正确的验证码,只有该验证码与服务器端保存的验证码匹配时,服务器程序才开始正常的表单处理流程。
生成动态验证码Servlet源码:
import java.awt.Color;
import java.awt.Font;
import java.awt.Graphics;
import java.awt.image.BufferedImage;
import java.io.IOException;
import java.util.Random;
import javax.imageio.ImageIO;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.itheima.util.MD5Util;
public class ImageServlet extends HttpServlet {
private static final int WIDTH = 120;
private static final int HEIGHT = 25;
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
//不要缓存
// response.setHeader("Expires", "-1");
response.setIntHeader("Expires", -1);
response.setHeader("Cache-Control", "no-cache");
response.setHeader("Pragma", "no-cache");
// BufferedImage 代表一副内存图片
// Graphics 代表画笔
// ImageIO 用户输出图片
//1、创建内存图像
BufferedImage image = new BufferedImage(WIDTH,HEIGHT,BufferedImage.TYPE_INT_RGB);
//2、得到属于该图像的画笔
Graphics g = image.getGraphics();
//3、设置画笔颜色:画边框
g.setColor(Color.RED);
g.drawRect(0, 0, WIDTH, HEIGHT);//ctrl+shift+x变大写 +y
// 画背景
g.setColor(Color.YELLOW);
g.fillRect(1, 1, WIDTH-2, HEIGHT-2);
// 画干扰线:9
g.setColor(Color.GREEN);
Random r = new Random();
for(int i=0;i<9;i++)
g.drawLine(r.nextInt(WIDTH), r.nextInt(HEIGHT), r.nextInt(WIDTH), r.nextInt(HEIGHT));
// 画验证码:4(数字 随机的)
g.setColor(Color.RED);
g.setFont(new Font("宋体", Font.BOLD|Font.ITALIC, 16));
int x = 25;
StringBuffer sb = new StringBuffer();
for(int i=0;i<4;i++){
int num = r.nextInt(10);
g.drawString(num+"", x, 15);
x+=20;
sb.append(num);
}
//将验证码放入session中
String code = sb.toString();//1234
//加密后放:md5
code=MD5Util.encode(code);
request.getSession().setAttribute("code", code);
//4、输出图片
ImageIO.write(image, "JPEG", response.getOutputStream());
}
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
doGet(request, response);
}
}
登陆界面html代码:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>login.html</title>
<meta http-equiv="keywords" content="keyword1,keyword2,keyword3">
<meta http-equiv="description" content="this is my page">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<!--<link rel="stylesheet" type="text/css" href="./styles.css">-->
</head>
<body>
<form action="/day06/servlet/LoginServlet1" method="post">
用户名:<input type="text" name="username"/><br/>
密码:<input type="password" name="password"/><br/>
验证码:<input type="text" name="code"/><img src="/day06/servlet/ImageServlet"/><br/>
<input type="submit" value="登陆"/>
</form>
</body>
</html>
处理用户登陆逻辑的Servlet代码:
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import com.itheima.session.app2.User;
import com.itheima.util.MD5Util;
public class LoginServlet1 extends HttpServlet {
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
//验证用户名和密码是否正确(略)
request.setCharacterEncoding("UTF-8");
response.setContentType("text/html;charset=UTF-8");
PrintWriter out = response.getWriter();
//把当前登陆用户放入session中
String username = request.getParameter("username");
String password = request.getParameter("password");
String code = request.getParameter("code");//明文1234
String scode = (String)request.getSession().getAttribute("code");//指纹jdskflkdsjfewoir
if(!scode.equals(MD5Util.encode(code))){
out.print("对不起!验证码不正确");
return;
}
User u = new User();
u.setUsername(username);
u.setPassword(password);
HttpSession session = request.getSession();
session.setAttribute("user", u);
//提示登陆成功,2秒后转向主页
response.setHeader("Refresh", "2;URL=/day06/servlet/IndexServlet1");
out.print("恭喜登陆成功!2秒后会自动转向主页");
}
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
doGet(request, response);
}
}
登陆成功页面Servlet源码:
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import com.itheima.session.app2.User;
public class IndexServlet1 extends HttpServlet {
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
response.setContentType("text/html;charset=UTF-8");
PrintWriter out = response.getWriter();
HttpSession session = request.getSession();
User u = (User)session.getAttribute("user");
out.print("欢迎您:"+u.getUsername()+".这是主页");
}
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
doGet(request, response);
}
}
MD5加密工具类代码:
import java.security.MessageDigest;
import sun.misc.BASE64Encoder;
public class MD5Util {
public static String encode(String value){
try{
MessageDigest md = MessageDigest.getInstance("md5");
byte b[] = md.digest(value.getBytes());//按照MD5算法拿到的数据指纹。不同数据的指纹不同
//Base64编码:把没有对应字符的二进制转成可见的字符
BASE64Encoder base64 = new BASE64Encoder();
return base64.encode(b);
}catch(Exception e){
throw new RuntimeException(e);
}
}
public static void main(String[] args) {
String s1 = "1";
System.out.println(encode(s1));
}
}
3、Session防止表单重复提交
表单页面由servlet程序生成,servlet为每次产生的表单页面分配一个唯一的随机标识号,并在FORM表单的一个隐藏字段中设置这个标识号,同时在当前用户的Session域中保存这个标识号。
当用户提交FORM表单时,负责处理表单提交的serlvet得到表单提交的标识号,并与session中存储的标识号比较,如果相同则处理表单提交,处理完后清除当前用户的Session域中存储的标识号。
在下列情况下,服务器程序将拒绝用户提交的表单请求:
- 存储Session域中的表单标识号与表单提交的标识号不同
- 当前用户的Session中不存在表单标识号
- 用户提交的表单数据中没有标识号字段
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.itheima.util.UUIDUtil;
public class ServletDemo0 extends HttpServlet {
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
//生成页面,设置hidden的value。往session中放一个
response.setContentType("text/html;charset=UTF-8");
PrintWriter out = response.getWriter();
String id = UUIDUtil.genId();
request.getSession().setAttribute("token", id);
out.write("<form action='/day06/servlet/ServletDemo1' method='post'>"+
"用户名:<input type='text' name='username'/><br/>"+
"<input type='hidden' name='token' value='"+id+"'/>"+
"<input type='submit' value='登陆'/></form>");
}
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
doGet(request, response);
}
}
处理表单请求的Servlet源码如下:
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
public class ServletDemo1 extends HttpServlet {
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
request.setCharacterEncoding("UTF-8");
response.setContentType("text/html;charset=UTF-8");
PrintWriter out = response.getWriter();
String cToken = request.getParameter("token");//页面提交过来的值
HttpSession session = request.getSession();
String sToken = (String) session.getAttribute("token");//session中放的值
if(cToken.equals(sToken)){
System.out.println(request.getParameter("username"));
session.removeAttribute("token");//删除
}else{
out.print("请勿重复提交");
return;
}
// try {
// Thread.sleep(2000);
// } catch (InterruptedException e) {
// e.printStackTrace();
// }
}
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
doGet(request, response);
}
}
IE禁用Cookie后的session处理
有些时候可能客户端禁用了Cookie,这个时候用户购买的商品就会丢失了,怎么解决呢?
解决方案:URL重写
response. encodeRedirectURL(java.lang.String url)
- 用于对sendRedirect方法后的url地址进行重写。
- 用于对表单action和超链接的url地址进行重写