HTTP 会话跟踪
由于 HTTP 是无状态协议,当客户端向服务器发出多个请求时,服务器如何唯一地标识一段时间内(例如 t1、t2、t3 等)特定客户端的请求。
我浏览网页并遇到了术语例如会话 ID、URL 重写和 cookies。但如果有人以更好的方式解释它,那就太好了。具体来说,HTTP 请求和响应的哪一部分将用于会话跟踪?
Since HTTP is a stateless protocol, when a client makes a number of requests to the server, how does the server uniquely identify a particular client's requests over a period of time say t1, t2, t3..
I browsed the web and came across terms like session id, URL rewriting and cookies. But it would be great if someone explains it in a better way. Specifically which part of the HTTP request and response would be used for session tracking?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(6)
正如您提到的,实现 HTTP 会话跟踪的常见方法包括 URL 重写和 cookie。会话跟踪基本上要求在对服务器的多个请求中维护会话 ID。这意味着每次给定客户端向服务器发出请求时,都会传递相同的会话 ID。服务器可以使用此 ID 来查找其维护的会话信息。
当使用cookie时,服务器通过设置
Set-CookieHTTP响应标头来要求客户端存储cookie。此 cookie 包含分配给该客户端的唯一会话 ID - 在本例中为字符串“ABAD1D”:然后,客户端在每个请求上使用
CookieHTTP 请求标头将 cookie 发送回服务器,并且因此,服务器会在每次请求时获知当前分配给客户端的会话 ID。当使用 URL 重写时,相同的会话 ID 会被发送到 URL 中的某个位置。同样,服务器从 URL 中提取会话 ID,以便可以查找特定客户端的会话:
但是,服务器还必须确保发送回客户端的网页中的任何 URL 也被重写以包含该特定客户端。客户端会话 ID。由于会话 ID 编码在 URL 中,因此这种会话跟踪方法对浏览器来说是透明的。如果服务器发现无法在客户端上设置会话 cookie,则通常会诉诸 URL 重写 - 这意味着客户端不支持/允许 cookie。
请注意,会话可能会过期。这意味着,如果服务器在一段时间内没有“看到”给定的会话 ID,它可能会删除会话数据以保留资源。
As you mentioned, common ways to implement HTTP session tracking include URL rewriting and cookies. Session tracking basically requires that a session ID is maintained across multiple requests to the server. This means that each time a given client makes a request to the server, it passes the same session ID. The server can use this ID to lookup the session information it maintains.
When using cookies, the server asks the client to store a cookie by setting the
Set-CookieHTTP response header. This cookie contains the unique session ID assigned to that client - in this example the string 'ABAD1D':The cookie is then sent back to the server by the client using the
CookieHTTP request header on each request and thus the server is informed on each request the session ID currently assigned to the client.When using URL rewriting, this same session ID is instead sent somewhere in the URL. Again, the server extracts the session ID from the URL so that it can lookup the session for a particular client:
However, the server must also make sure that any URLs in the web pages sent back to the client are also rewritten to contain that particular clients session ID. As the session ID is encoded in the URLs, this method of session tracking is transparent to the browser. Often a server will resort to URL rewriting if it finds it is unable to set a session cookie on the client - implying that the client does not support/allow cookies.
Note that sessions can expire. This means that if the server does not 'see' a given session ID for a period of time, it may remove the session data to preserve resources.
在HTTP响应中,服务器可以设置cookie。它通过 Set-Cookie 标头来实现此目的。例如:
然后,客户端返回与 cookie 一起设置的属性相匹配的所有 cookie 的值,其中可以包括路径(如上所述)和域,并且尚未过期。
cookie 作为 HTTP 标头的一部分发送回服务器。例如:
原始属性信息均不会随 cookie 一起发回。
唯一的 cookie 允许服务器将唯一的密钥与特定的浏览器实例相关联。然后,服务器可以使用该键作为哈希表或保存唯一的每个用户状态信息的数据库表的索引。
In the HTTP response, the server can set a cookie. It does so with the Set-Cookie header. For example:
The client then returns the value of all cookies that match the properties that were set along with the cookie, which can include path (as above) and domain, and that haven't expired yet.
The cookie is sent back to the server as part of the HTTP headers. For example:
None of the original property information is sent back with the cookie.
A unique cookie allows the server to associate a unique key with a particular browser instance. The server can then use that key as an index into a hash table or a database table that holds unique per-user state information.
HTTP 会话是推荐的方法。会话标识会话期间源自同一浏览器的请求。所有 servlet 可以共享同一个会话。 JSESSIONID由服务器生成,可以通过cookie、URL重写(如果cookie关闭)或内置SSL机制传递给客户端。应注意尽量减少会话中存储的对象的大小,并且会话中存储的对象应该是可序列化的。在 Java servlet 中,可以按如下方式获取会话:
HttpSession session = request.getSession(); //返回当前会话或新会话
会话可以超时(在 web.xml 中配置)或手动失效。
HTTP Sessions are the recommended approach. A session identifies the requests that originate from the same browser during the period of conversation. All the servlets can share the same session. The JSESSIONID is generated by the server and can be passed to client through cookies, URL re-writing (if cookies are turned off) or built-in SSL mechanism. Care should be taken to minimize size of objects stored in session and objects stored in session should be serializable. In a Java servlet the session can be obtained as follows:
HttpSession session = request.getSession(); //returns current session or a new session
Sessions can be timed out (configured in web.xml) or manually invalidated.
会话跟踪是服务器端的事情。
Web 服务器发出一些返回到浏览器的会话标识符。浏览器随每个请求一起提交此会话标识符。
这可能是使用 cookie 对用户透明地完成的。
Session tracking is a server side thing.
A web server issues some session identifier that is returned to the browser. Browser submits this session identifier along with each request.
This is probably done using cookies transparently for the user.
在大多数情况下,会话处理是通过向客户端发送 cookie 来处理的。该 cookie 会在该特定客户端的每个请求时发送回服务器。
session id会和服务器端的一些资源(文件、内存空间)相关联,这样服务器通过读取cookie中的session id就可以找到这个资源,然后知道是哪个客户。the session handling is in most case handled by sending a cookie to the client. that cookie would be sent back to the server on every request from that particular client.
The
session idwill be associated with some resources on server side (file,ram space) so the server by reading thesession idin the cookie can find this resource and then know which client it was.HTTP 会话允许 Web 服务器在客户端和我们的应用程序之间的多个请求/响应期间维护用户身份并存储用户特定数据
HTTP Session allows web servers to maintain user identity and store user specific data during multiple request/response between client and we application