
How to use Session after disabling Cookie

2025-01-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

Many newcomers are unclear about how to use a Session once cookies have been disabled. To help with that, this article explains it in detail.

Session expires after the browser is closed

In essence, when the browser is closed, the application's session cookie is cleared. When the browser requests the application again, the cookie carrying the previous session id no longer exists, so a new Session is created. The original Session still exists on the server, but nothing refers to it any more, so it simply waits to be removed when it times out.

As for cookies, we all know that the browser stores them locally on the client. Leaving security issues aside, cookies can be turned off in the browser's settings. Once they are off, the server can no longer write a cookie to the browser, and our session-cookie-based implementation runs into a problem.

Although Set-Cookie is still added to the response header every time, the cookie cannot be written when it reaches the browser, so each subsequent request still arrives with a null sessionId. A new session object is created on every request, which does not solve the problem of keeping interaction state.

To solve this problem, the server provides another way: URL rewriting.

In essence, this method appends a parameter such as jsessionid=xxxx to the URL of each request. When the server parses the request, it reads the value of jsessionid and uses it to look up the corresponding Session object, which keeps the interaction state consistent.

That one sentence covers the idea, but behind it there are a few points that need attention.

For example, we could append jsessionid=<current session id> to the URL ourselves. That amounts to hard-coding, because the server looks up the session id by the parameter name jsessionid, which, as we learned in the previous article, is configurable; once the name is changed, a session id appended this way can no longer be found.

Second, to keep the URL rules consistent, the server provides a response API for this, and you only need to call it to have the jsessionid parameter appended.

    /**
     * Encode the session identifier associated with this response
     * into the specified URL, if necessary.
     *
     * @param url URL to be encoded
     */
    @Override
    public String encodeURL(String url) {

        String absolute;
        try {
            absolute = toAbsolute(url);
        } catch (IllegalArgumentException iae) {
            // Relative URL
            return url;
        }

        if (isEncodeable(absolute)) { // the key is here
            // W3c spec clearly said
            if (url.equalsIgnoreCase("")) {
                url = absolute;
            } else if (url.equals(absolute) && !hasPath(url)) {
                url += '/';
            }
            return (toEncoded(url, request.getSessionInternal().getIdInternal()));
        } else {
            return (url);
        }
    }

Let's look at the implementation logic in the code:

    /**
     * Return true if the specified URL should be encoded with
     * a session identifier. This will be true if all of the following
     * conditions are met:
     *
     * - The request we are responding to asked for a valid session
     * - The requested session ID was not received via a cookie
     * - The specified URL points back to somewhere within the web
     *   application that is responding to this request
     *
     * @param location Absolute URL to be validated
     */
    protected boolean isEncodeable(final String location) {

        if (location == null) {
            return (false);
        }

        // Is this an intra-document reference?
        if (location.startsWith("#")) {
            return (false);
        }

        // Are we in a valid session that is not using cookies?
        final Request hreq = request;
        final Session session = hreq.getSessionInternal(false);
        if (session == null) {
            return (false);
        }
        if (hreq.isRequestedSessionIdFromCookie()) {
            return (false);
        }

        // Is URL encoding permitted
        if (!hreq.getServletContext().getEffectiveSessionTrackingModes().contains(SessionTrackingMode.URL)) {
            return false;
        }

        return doIsEncodeable(hreq, session, location);
    }

The code first decides whether to continue based on whether the session id came from a session cookie.

It then goes on to check which session tracking modes are in effect and whether they include URL.

In the doIsEncodeable method, the part that matters in the end is this line of code:

    String tok = ";" +
            SessionConfig.getSessionUriParamName(request.getContext()) +
            "=" + session.getIdInternal();

That is why hard-coding jsessionid into the URL, as mentioned above, is a bad idea: here the name is read from the configuration.

    public static String getSessionUriParamName(Context context) {

        String result = getConfiguredSessionCookieName(context);

        if (result == null) {
            result = DEFAULT_SESSION_PARAMETER_NAME;
        }

        return result;
    }

In addition, the session tracking modes mentioned above are determined when Tomcat starts. The server cannot know which of the browsers that connect later will refuse cookies, so the URL tracking mode is always available, and use of the session cookie is turned off by setting the cookies attribute to false on the Context component.

    private void populateSessionTrackingModes() {
        // URL re-writing is always enabled by default
        defaultSessionTrackingModes = EnumSet.of(SessionTrackingMode.URL);
        supportedSessionTrackingModes = EnumSet.of(SessionTrackingMode.URL);

        // Read the cookies configuration of the Context component here.
        // If it is false, the session cookie is not used.
        if (context.getCookies()) {
            defaultSessionTrackingModes.add(SessionTrackingMode.COOKIE);
            supportedSessionTrackingModes.add(SessionTrackingMode.COOKIE);
        }
        // ... (rest of the method is not shown in the article)
    }

To sum up, to prevent inconsistent Session state when the client disables cookies, we can rely on URL rewriting.

In this process, we can use the response's encodeURL method to add the session id to the URL, but first declare in the Context component that cookies are not used.
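
The decision path walked through above, as an added example that is not Tomcat's code or the article's: a plain-JDK model of the isEncodeable checks and of where the ";name=id" token ends up. The class, enum and method names are hypothetical, the session id is a constructed sample, and the same-application check in doIsEncodeable is left out.

```java
import java.util.EnumSet;
import java.util.Set;

// Added illustration: a plain-JDK model of the checks described above.
// Class, enum and method names are hypothetical, not Tomcat's own.
public class UrlRewriteModel {
    enum TrackingMode { COOKIE, URL }

    // Same order of checks as isEncodeable(); the final same-application
    // check done in doIsEncodeable() is left out of this model.
    static boolean isEncodeable(String location, String sessionId,
                                boolean idFromCookie, Set<TrackingMode> modes) {
        if (location == null || location.startsWith("#")) return false;
        if (sessionId == null) return false;   // no valid session
        if (idFromCookie) return false;        // the cookie already carries the id
        return modes.contains(TrackingMode.URL);
    }

    // Puts ";<paramName>=<id>" after the path, ahead of any query string or
    // fragment (placement is an assumption of this model).
    static String toEncoded(String url, String paramName, String sessionId) {
        int cut = url.length();
        int q = url.indexOf('?');
        int h = url.indexOf('#');
        if (q >= 0) cut = Math.min(cut, q);
        if (h >= 0) cut = Math.min(cut, h);
        return url.substring(0, cut) + ";" + paramName + "=" + sessionId + url.substring(cut);
    }

    static String encodeURL(String url, String paramName, String sessionId,
                            boolean idFromCookie, Set<TrackingMode> modes) {
        return isEncodeable(url, sessionId, idFromCookie, modes)
                ? toEncoded(url, paramName, sessionId) : url;
    }

    public static void main(String[] args) {
        String id = "A1B2C3";                  // constructed sample session id
        Set<TrackingMode> both = EnumSet.of(TrackingMode.COOKIE, TrackingMode.URL);
        Set<TrackingMode> cookieOnly = EnumSet.of(TrackingMode.COOKIE);
        // Browser refused the cookie: the id is written into the URL.
        System.out.println(encodeURL("/cart/view?item=7", "jsessionid", id, false, both));
        // Cookie accepted: the URL is returned unchanged.
        System.out.println(encodeURL("/cart/view?item=7", "jsessionid", id, true, both));
        // Parameter name reconfigured: a hand-written ";jsessionid=" would not match.
        System.out.println(encodeURL("/cart/view#top", "sid", id, false, both));
        // URL mode not in effect: no rewriting even without a cookie.
        System.out.println(encodeURL("/cart/view", "jsessionid", id, false, cookieOnly));
    }
}
```

It runs as a single file with `java UrlRewriteModel.java` and prints one URL per case.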
