最近对session和cookie有点迷糊,看了马士兵关于session和cookie的视频,记录总结一下。
常用的会话跟踪技术是Cookie与Session,区别是Cookie存储在客户端,而Session存储在服务器端来确定用户身份。
1、 Cookie
Cookie为一小段文本信息,当客户端浏览器访问服务器时,服务器向客户端写入一个Cookie。客户端把Cookie保存起来。下一次再访问服务器时,客户端浏览器把请求的网址连同该Cookie一同提交给服务器,服务器验证该Cookie,就能辨别该用户。
作如下试验:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0">
<display-name>Cookies_Session</display-name>
<servlet>
<servlet-name>SetCookies</servlet-name>
<servlet-class>com.test.cookies.SetCookies</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>SetCookies</servlet-name>
<url-pattern>/servlet/SetCookies</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>ShowCookies</servlet-name>
<servlet-class>com.test.cookies.ShowCookies</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>ShowCookies</servlet-name>
<url-pattern>/servlet/ShowCookies</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>SessionInfoServlet</servlet-name>
<servlet-class>com.test.session.SessionInfoServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>SessionInfoServlet</servlet-name>
<url-pattern>/servlet/SessionInfoServlet</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>ShowSession</servlet-name>
<servlet-class>com.test.session.ShowSession</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>ShowSession</servlet-name>
<url-pattern>/servlet/ShowSession</url-pattern>
</servlet-mapping>
</web-app>
package com.test.cookies;
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/**
* Servlet implementation class SetCookes
*/
@WebServlet("/SetCookes")
public class SetCookies extends HttpServlet {
private static final long serialVersionUID = 1L;
public SetCookies() {
super();
}
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
for(int i = 0; i < 3; i++) {
// 3个没有设置时间的Cookie,属于本窗口及其子窗口(存在内存)
Cookie cookie = new Cookie("Session-Cookie-" + i, "Cookie-Value-S" + i);
response.addCookie(cookie);
// 以下3个Cookie设置了时间(1小时),属于文本,别的窗口也可以访问到这些Cookie(存在硬盘)
cookie = new Cookie("Persistent-Cookie-" + i, "Cookie-Value-P" + i);
cookie.setMaxAge(3600);
response.addCookie(cookie);
}
response.setContentType("text/html;charset=gb2312");
PrintWriter out = response.getWriter();
String title = "Setting Cookies";
out.println("<html><head><title>设置Cookie</title></head>"
+ "<body>" + title + "<br>"
+ "There are six cookies associates with this page.<br>"
+ "to see them,visit the <a href=\"ShowCookies\">/n"
+ "<code>ShowCookies</code> servlet</a>"
+ "</body></html>");
}
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
this.doGet(request, response);
}
}
试验:
访问http://localhost:8080/Cookies_Session/servlet/SetCookies,设置cookie数据到客户端。
我们在我们本机下能看到我们设置的cookie.
里面记录信息如下:
Persistent-Cookie-0
Cookie-Value-P0
localhost/Cookies_Session/servlet/
1536
2965479296
30602999
1329089495
30602991
*
Persistent-Cookie-1
Cookie-Value-P1
localhost/Cookies_Session/servlet/
1536
2965479296
30602999
1329159499
30602991
*
Persistent-Cookie-2
Cookie-Value-P2
localhost/Cookies_Session/servlet/
1536
2965479296
30602999
1329219503
30602991
*
通过代码显示设置的cookies
package com.test.cookies;
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class ShowCookies extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
response.setContentType("text/html;charset=UTF-8");
PrintWriter pw = response.getWriter();
pw.println("<html><head><title></title></head>"
+ "<table border=1 align=center>"
+ "<TH>Cookie Name<TH>Cookie Value" + "<br>");
// 读取客户端的所有Cookie
Cookie[] cookies = request.getCookies();
if(cookies != null) {
Cookie cookie=null;
for(int i = 0; i < cookies.length; i++) {
cookie = cookies[i];
pw.println("<tr>" + "<td>" + cookie.getName() +"</td>"
+ "<td>" + cookie.getValue() +"</td></tr>");
}
}
pw.println("</table><body><html>");
}
}
如果将浏览器关闭,从新打开一个浏览器访问ShowCookies接口,如下:
这是因为SetCookies接口中,有三个cookies是设置了失效时间,这个三个cookie是存储在客户端硬盘上的,而另外三个cookie是没有设置失效时间,这三个cookie属于本窗口和其子窗口,存储在内存中的。
2.session
Session是记录在服务器端的,如果浏览器允许Cookie写入,创建Session的时候把SessionID保存在Cookie里。
如果设置不允许,可以通过URL重写的方式实现Session的记录。
package com.test.session;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Date;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
public class SessionInfoServlet extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
// Returns the current session associated with this request, or if the request does not have a session, creates one.
HttpSession mySession = request.getSession(true);
response.setContentType("text/html");
PrintWriter out = response.getWriter();
String title = "Session Info Servlet";
out.println("<html>");
out.println("<head>");
out.println("<title>Session Info Servlet</title>");
out.println("</head>");
out.println("<body>");
out.println("<h3>Session Infomation</h3>");
// Returns true if the client does not yet know about the session or if the client chooses not to join the session.
out.println("New Session:" + mySession.isNew() + "<br>");
// Returns a string containing the unique identifier assigned to this session.
out.println("Session Id:" + mySession.getId() + "<br>");
// Returns the time when this session was created, measured in milliseconds since midnight January 1, 1970 GMT.
out.println("Session Create Time:" + new Date(mySession.getCreationTime()) + "<br>");
out.println("Session Last Access Time:" + new Date(mySession.getLastAccessedTime()) + "<br>");
out.println("<h3>Request Infomation</h3>");
// Returns the session ID specified by the client.
out.println("Session Id From Request:" + request.getRequestedSessionId() + "<br>");
// Checks whether the requested session ID came in as a cookie.
out.println("Session Id Via Cookie:" + request.isRequestedSessionIdFromCookie() + "<br>");
// Checks whether the requested session ID came in as part of the request URL.
out.println("Session Id Via URL:" + request.isRequestedSessionIdFromURL() + "<br>");
// Checks whether the requested session ID is still valid.
out.println("Valid Session Id:" + request.isRequestedSessionIdValid() + "<br>");
out.println("<a href=" + response.encodeURL("SessionInfoServlet") + ">refresh</a>");
out.println("</body></html>");
out.close();
}
}
首先我们设置浏览器允许cookie的写入:
第一次访问http://localhost:8080/Cookies_Session/servlet/SessionInfoServlet
第一次访问时,是一个新的session,
此时我们访问http://localhost:8080/Cookies_Session/servlet/ShowCookies
可以发现,cookies里存储我们上面设置的session,这说明,Session是通过把sessionid保存在cookies里实现的。
我们再次访问http://localhost:8080/Cookies_Session/servlet/ShowCookies。
可以清晰的看到Sessionid并没有变化,且是通过cookies设置的。
我们设置流量器不支持cookies的情况(实验用的ie浏览器,其他的浏览器自行设置)。
多次访问http://localhost:8080/Cookies_Session/servlet/ShowCookies时,可以发现sessionid是变化的,说明禁用cookie后,是没法保存session会话的。
针对这种情况,可以通过URL重写来解决。
在代码中设置了refresh的链接,这个链接是通过encodeUrl()实现的,点击referesh链接。
URL重写是将session的sessionid拼接到url上,达到记录客户会话。
下面这个实验,可以很好的说明session的机制,如果浏览器没有禁用cookies,多次访问这个url后,会记录这个用户的访问次数,如果浏览器禁用了cookies,每次都是访问都生成一个新的session,相当于一个新用户,访问次数为0.
package com.test.session;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Date;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
/**
* Session追踪
* 如果浏览器支持Cookie,创建Session的时候会把SessionId保存在Cookie中
* 否则必须自己编程使用URL重写的方式实现Session:response.encodeURL()
*
*/
public class ShowSession extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
response.setContentType("text/html;charset=utf-8");
PrintWriter out = response.getWriter();
String str = "Session Tracking Example";
String heading;
// 如果会话已经存在,则返回一个HttpSession;否则创建一个新的
HttpSession session = request.getSession(true);
// 从当前session中读取属性accessCount的值
Integer accessCount = (Integer)session.getAttribute("accessCount");
if(accessCount == null) {
accessCount = new Integer(0);
heading = "Welcome new user";
} else {
heading = "Welcome Back!";
accessCount = new Integer(accessCount.intValue() + 1);
}
session.setAttribute("accessCount", accessCount);
out.println("<html><head><title>Session追踪</title></head>"
+ "<body>" + heading + "<br>"
+ "<h2>Information on Your Session</h2><br>"
+ "" + "<table border=1 align=center>"
+ "<TH>Info Type<TH>Value" + "<br>"
+ "<tr>" + "<td>ID</td>"
+ "<td>" + session.getId() +"</td></tr>"
+ "<tr>" + "<td>CreatTime</td>"
+ "<td>" + new Date(session.getCreationTime()) +"</td></tr>"
+ "<tr>" + "<td>LastAccessTime</td>"
+ "<td>" + new Date(session.getLastAccessedTime()) +"</td></tr>"
+ "<tr>" + "<td>Number of Access</td>"
+ "<td>" + accessCount +"</td></tr>"
+ "</body></html>");
}
}