在学习了http详解1和2后,自己写了下面的登录的例子;
首次登录系统url:
http://localhost:8081/service/initial.do
InitialControl.java:
package com.spring.controller;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.mvc.Controller;
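/**
 * Entry-point controller for the first request to the application.
 *
 * <p>Selects the view from the login marker held in the HTTP session: the
 * {@code "success"} view when a non-empty {@code "username"} attribute is
 * present, otherwise the {@code "login"} view.
 */
public class InitialControl implements Controller {

    /**
     * Routes the caller to the welcome view or the login view.
     *
     * @param request  current request; only its existing session (if any) is inspected
     * @param response current response (unused)
     * @return {@code ModelAndView("success")} when the session carries a non-empty
     *         {@code "username"} attribute, {@code ModelAndView("login")} otherwise
     * @throws Exception declared by the {@code Controller} contract
     */
    @Override
    public ModelAndView handleRequest(HttpServletRequest request, HttpServletResponse response) throws Exception {
        // getSession(false): an anonymous visitor must not cause a server-side
        // session to be allocated just to find out that nobody is logged in.
        HttpSession session = request.getSession(false);
        Object username = (session == null) ? null : session.getAttribute("username");

        // The decision is made only from server-side session state, never from
        // anything the client sent with this request.
        boolean loggedIn = username != null && !"".equals(username);
        return new ModelAndView(loggedIn ? "success" : "login");
    }
}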
login.jsp:
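<%@ page language="java" contentType="text/html; charset=utf-8"
    pageEncoding="utf-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Insert title here</title>
<%-- When the page is left (including after submit), blank the credential
     fields so that a later user of the same browser who presses Back does not
     find the previous user's values still filled in. This is hygiene for a
     shared browser only; access control is the server-side session check. --%>
<script type="text/javascript">
// Not named "clear": inside an inline handler attribute the document object is
// on the scope chain, so a bare clear() would call document.clear() instead.
function clearLoginFields()
{
    var fieldIds = ["username", "password"];
    for (var i = 0; i < fieldIds.length; i++) {
        var field = document.getElementById(fieldIds[i]);
        if (field) {
            field.value = '';
        }
    }
}
</script>
</head>
<body onbeforeunload="clearLoginFields();">
<%-- autocomplete="off" asks the browser not to restore or suggest the entered
     values; browsers and password managers may not fully honour it. --%>
<form action="/service/login.do" method="post" autocomplete="off">
<table>
<tr>
<td>请登陆</td>
</tr>
<tr>
<td>用户名:</td>
<td><input type='text' name='username' id='username'/></td>
</tr>
<tr>
<td>密码:</td>
<%-- type='password' so the value is masked on screen instead of shown in clear text --%>
<td><input type='password' name='password' id='password'/></td>
</tr>
<tr>
<td><input type='submit' value='提交' /></td>
</tr>
</table>
</form>
</body>
</html>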
登录后台代码LoginControl.java:
package com.spring.controller;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.mvc.Controller;
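/**
 * Handles the login form POST.
 *
 * <p>On a non-empty {@code username} parameter it starts a fresh HTTP session,
 * records the user name in it, persists the session cookie for two hours and
 * returns the {@code "success"} view; otherwise it returns the {@code "login"}
 * view.
 *
 * <p>NOTE(review): this example performs no credential check at all. The
 * {@code password} parameter is never compared with anything, so any non-empty
 * user name is accepted. A real deployment must verify the submitted password
 * against a credential store (salted, slow password hash) before the session
 * is marked as logged in.
 */
public class LoginControl implements Controller {

    /** Lifetime, in seconds, of both the server-side session and the persistent cookie (two hours). */
    private static final int SESSION_LIFETIME_SECONDS = 2 * 3600;

    /**
     * Processes one login attempt.
     *
     * @param request  request carrying the {@code username} form parameter
     * @param response response that receives the persistent {@code JSESSIONID} cookie
     * @return {@code ModelAndView("success")} when {@code username} is non-empty,
     *         {@code ModelAndView("login")} otherwise
     * @throws Exception declared by the {@code Controller} contract
     */
    @Override
    public ModelAndView handleRequest(HttpServletRequest request, HttpServletResponse response) throws Exception {
        String username = request.getParameter("username");
        if (username == null || username.equals("")) {
            return new ModelAndView("login");
        }

        // Session-fixation defence: discard whatever session id the browser
        // presented before login and continue under a newly issued one.
        HttpSession previous = request.getSession(false);
        if (previous != null) {
            previous.invalidate();
        }
        HttpSession session = request.getSession(true);

        // Only the identity goes into the session. The plaintext password is
        // deliberately NOT stored: nothing needs it after login, and session
        // contents can end up in session persistence files or heap dumps.
        session.setAttribute("username", username);
        session.setMaxInactiveInterval(SESSION_LIFETIME_SECONDS); // server side: expire after 2 hours idle

        // Re-issue JSESSIONID as a persistent cookie so that the login survives
        // a browser restart; without this the cookie is dropped when the
        // browser closes and the user has to log in again. Trade-off: the
        // session id is now kept on disk by the browser for up to two hours.
        Cookie cookie = new Cookie("JSESSIONID", session.getId());
        cookie.setMaxAge(SESSION_LIFETIME_SECONDS); // client side: keep for the same 2 hours
        cookie.setPath("/");
        cookie.setHttpOnly(true);             // keep the session id out of reach of page scripts
        cookie.setSecure(request.isSecure()); // HTTPS-only whenever the login itself came over HTTPS
        response.addCookie(cookie);

        return new ModelAndView("success");
    }
}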
欢迎页面success.jsp:
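<%@ page language="java" contentType="text/html; charset=utf-8"
    pageEncoding="utf-8"%>
<%-- Runs before any markup is written, so the headers and the redirect are
     applied before the response can be committed.

     1. Forbid caching: when the user comes back with the Back button the
        browser has to ask the server again instead of showing a stored copy.
     2. A re-requested page is still served unless the server checks the login
        state itself, so the session is checked here and a visitor without a
        logged-in session is sent back to the entry URL. --%>
<%
    response.setHeader("Cache-Control", "no-store");
    response.setDateHeader("Expires", 0);
    response.setHeader("Pragma", "no-cache");

    Object loggedInUser = session.getAttribute("username");
    if (loggedInUser == null || "".equals(loggedInUser)) {
        response.sendRedirect("/service/initial.do");
        return;
    }
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<%-- <META HTTP-EQUIV=REFRESH CONTENT="1; URL=http://localhost:80801/jsp/login.jsp"> --%>
<title>Insert title here</title>
</head>
<body>
welcome!
<br>
<form
action="/service/logout.do" method="post">
<input type='submit' value='注销' />
</form>
</body>
</html>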
注销逻辑LogoutControl.java:
package com.spring.controller;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.mvc.Controller;
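/**
 * Handles the logout request: ends the server-side session, expires the
 * persistent session cookie in the browser and returns the {@code "login"} view.
 */
public class LogoutControl implements Controller {

    /**
     * Logs the current user out.
     *
     * @param request  current request; its existing session, if any, is invalidated
     * @param response response that receives the expiring {@code JSESSIONID} cookie
     * @return {@code ModelAndView("login")} in every case
     * @throws Exception declared by the {@code Controller} contract
     */
    @Override
    public ModelAndView handleRequest(HttpServletRequest request, HttpServletResponse response) throws Exception {
        // getSession(false): do not create a brand-new session only to destroy it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            // Invalidating drops every attribute, including the login marker.
            session.invalidate();
        }

        // The login controller stores JSESSIONID as a persistent cookie on
        // path "/". Expire it with the same name and path so the browser
        // stops sending the dead session id.
        Cookie expired = new Cookie("JSESSIONID", "");
        expired.setMaxAge(0);
        expired.setPath("/");
        response.addCookie(expired);

        return new ModelAndView("login");
    }
}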
说明:
1.为了防止其他用户在用户退出后、浏览器没关闭的情况下利用后退按钮重新登录系统(因为默认情况下浏览器的后退按钮不会使浏览器去请求服务端,而是访问浏览器的缓存来显示页面),需要在login.jsp页面提交后清除用户填写的登录信息;
2.同时在后退到success.jsp页面时,在点击页面的其他操作按钮时需要先核对session信息,如果session为空则跳回登录页面,终止下一步操作。(如果设置了禁止页面缓存也需要这么做,因为此时浏览器会提示请求过期、是否重新发送请求,点击"是"则会将上次的请求参数一并发送,这样仍然不能阻止再次访问)