Session ID management in Servlets

Posted on 2024-08-03 17:34:52

I am having some issues with my web application while doing a performance test with JMeter. My question is not around JMeter; instead, it's around a simple Servlet session management behavior.

So we have a web application wherein, when you request a login page, it passes back a "Session Id" in the response headers, and that is used for subsequent requests made by the browser. The session id is passed along with the username and password, and if authenticated, a new session id is returned and the session is maintained with that session id going ahead.
This is using cookies.

Now in JMeter we have a thread-based approach for load testing. When I run threads in parallel, what is essentially happening is that each thread requests a login page and somehow only the last thread to request the login page is authenticated, as I feel that a subsequent login page that comes with a new session id in the cookie invalidates the old or other session ids.

This is in spite of the fact that each thread is a different session and has its own cookie manager. It's quite weird.

However, my questions are:

  1. Does it make sense to have a session id coming with the login page? I see that maybe the session is created as soon as the application is accessed, but is it that, what sets a new cookie with session id? This application was already written so I am just wondering.

  2. If each thread's session id is being overridden in JMeter, does that mean that I am not able to allocate a separate cookie manager properly? Also, even if threads are different sessions, is there a possibility that the old session id or cookie would be discarded?

How would the server know to invalidate the session id/cookie for subsequent requests? I am sure it is not on the basis of the IP address of the requestor, as different browsers would still let me open multiple parallel sessions.

Any ideas, clarifications and light on the issue would be much appreciated.

Comments (2)

娇纵 2024-08-10 17:34:52

The server will just time out the session; it definitely sounds like you are overwriting cookies here.

Have you tried seeing how it manages by including session ids in the URL (simulating cookies being disabled in the browser)? Does this work?

月竹挽风 2024-08-10 17:34:52

Has this been solved at all?
I would say that having a session id in the login page is quite unusual. Sessions are meant for storing data server side and associating that data with connected users. Of course, prior to authenticating the user, there shouldn't be any data server side.
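
The two session ids described in the question, as an added example that is not part of the original thread or the asker's application: a minimal login servlet showing which calls make the container issue the session cookie with the login page and replace it after authentication. The class name, the `/login` and `/home` paths, the `javax.servlet` (Servlet 3.1+) namespace and the use of container-managed `login()` are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet for illustration; use jakarta.servlet.* on newer containers.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    // GET /login: getSession() creates a session when the request carried no
    // valid one, and the container adds the session Set-Cookie header to this
    // response. This is the id that arrives together with the login page.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpSession session = req.getSession();   // same as getSession(true)
        log("login page served, new session created: " + session.isNew());
        resp.setContentType("text/html;charset=UTF-8");
        resp.getWriter().println("<form method='post'>"
                + "<input name='username'><input type='password' name='password'>"
                + "<button>Log in</button></form>");
    }

    // POST /login: after a successful check the id is rotated, so the pre-login
    // value stops working (session fixation defence). Only the session of the
    // client that sent this request changes; other clients' sessions are untouched.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String user = req.getParameter("username");
        try {
            req.login(user, req.getParameter("password")); // container realm check
        } catch (ServletException e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        req.getSession();                 // changeSessionId() requires a session
        req.changeSessionId();            // container sends the new session cookie
        req.getSession().setAttribute("user", user);
        resp.sendRedirect(req.getContextPath() + "/home"); // hypothetical landing page
    }
}
```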
