What is session management in Java?
I have faced this question in my interview as well. I do have a lot of confusion about session scope and its management in Java.
In web.xml we do have the entry:
<session-config>
    <session-timeout>30</session-timeout>
</session-config>
What does it indicate actually? Is it the scope of the whole project?
Another point confusing me is how we can separate the session scope of multiple requests in the same project. Meaning, if I am logging in from a PC and at the same time I am logging in from another PC, does it differentiate them?
Also, another confusing thing is the browser difference. Why is it possible to open different Gmails in different browsers? And Gmail can prevent a session from login to logout. How is it maintained with our personal web?
Session management is not something limited to Java and servlets. Here's roughly how it happens:
The server checks whether the browser has identified itself with the session cookie (see below).
3.1. If the server doesn't 'know' the client:
the server creates a new unique identifier and puts it in a Map (roughly) as a key, whose value is the newly created Session. It also sends a cookie in the response containing the unique identifier.
The browser stores the session cookie (with lifetime = the lifetime of the browser instance) containing the unique identifier, and uses it in each subsequent request to identify itself uniquely.
3.2. If the server already knows the client, the server obtains the Session corresponding to the unique identifier passed in the session cookie.
Now onto some of the questions you have:
The session timeout is the time to live for each session map entry without being accessed. In other words, if a client does not send a request for 30 minutes (from your example), the session map will drop this entry, and even if the client identifies itself with the unique key in the session cookie, no data will be present on the server.
Different Gmails (and whatever site) can be opened in different browsers because the session cookie is per browser. I.e. each browser identifies itself uniquely either by not sending a session id at all, or by sending the one the server has generated for it.
Logging in from different PCs is the same actually - you don't share a session id.
Logging out is actually removing the entry for the session id on the server.
Note: the unique session id can alternatively be stored:
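The mechanism the answer above describes (a server-side map from an unguessable id to a Session, a cookie carrying that id, an idle timeout, and logout as removal of the map entry) as an added, self-contained example. It is not code from the answer or from any servlet container; it is plain Java with no servlet dependency, and the class name, the 30-minute timeout value and the browser scenario in main are the example's own assumptions.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

// Added example, not code from the answer: an in-memory session store that
// mirrors the "Map from unique id to Session" mechanism described above,
// including the idle timeout. Plain Java; no servlet container needed.
public class SessionStoreDemo {

    /** Server-side state for one browser: attributes plus the last-access time. */
    static final class Session {
        final String id;
        final Map<String, Object> attributes = new ConcurrentHashMap<>();
        volatile long lastAccessMillis;

        Session(String id, long now) {
            this.id = id;
            this.lastAccessMillis = now;
        }
    }

    private final Map<String, Session> sessions = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final long idleTimeoutMillis;

    SessionStoreDemo(long idleTimeoutMillis) {
        this.idleTimeoutMillis = idleTimeoutMillis;
    }

    /** 3.1 in the answer: an unknown client gets a fresh id that cannot be guessed. */
    Session create(long now) {
        byte[] raw = new byte[16];                       // 128 random bits from a CSPRNG
        random.nextBytes(raw);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        Session s = new Session(id, now);
        sessions.put(id, s);
        return s;                                        // caller would send Set-Cookie: SESSIONID=<id>
    }

    /** 3.2 in the answer: resolve the id from the cookie, dropping it if idle too long. */
    Optional<Session> lookup(String id, long now) {
        if (id == null) {
            return Optional.empty();                     // browser sent no cookie
        }
        Session s = sessions.get(id);
        if (s == null) {
            return Optional.empty();                     // unknown id, or entry already removed
        }
        if (now - s.lastAccessMillis > idleTimeoutMillis) {
            sessions.remove(id);                         // what <session-timeout> does
            return Optional.empty();
        }
        s.lastAccessMillis = now;                        // every request restarts the idle clock
        return Optional.of(s);
    }

    /** Logout: remove the server-side entry; the cookie the browser still holds is now worthless. */
    void invalidate(String id) {
        sessions.remove(id);
    }

    int activeSessions() {
        return sessions.size();
    }

    public static void main(String[] args) {
        long minute = 60_000L;
        SessionStoreDemo store = new SessionStoreDemo(30 * minute); // the 30 from web.xml
        long t0 = 0L;

        // Browser A, first request: no cookie, so a session is created.
        Session a = store.create(t0);
        a.attributes.put("user", "alice");

        // Browser A again after 10 minutes: the entry is still there.
        System.out.println("A after 10 min: " + store.lookup(a.id, t0 + 10 * minute).isPresent());

        // Browser A after a further 35 minutes of silence: the entry has been dropped,
        // so the cookie it still sends no longer maps to any data on the server.
        System.out.println("A after 35 idle min: " + store.lookup(a.id, t0 + 45 * minute).isPresent());

        // Browser B (another PC, or another browser on the same PC) never shares A's id.
        Session b = store.create(t0);
        System.out.println("B shares A's id: " + b.id.equals(a.id));

        store.invalidate(b.id);                          // logout from B
        System.out.println("sessions left: " + store.activeSessions());
    }
}
```

Two simplifications to keep in mind: expiry here happens lazily when an id is looked up, whereas a real container also runs a background sweep so that idle entries do not stay in memory; and the id is generated with SecureRandom because the only thing standing between two browsers' sessions is that neither can guess the other's key.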
The lifetime of a session. The session expires if there is no transaction between the client and the server for 30 minutes (per the code segment).
It has application scope. It is defined for each web application.
Yes. The session ids (JSESSIONID for Apache Tomcat) will be different.
Each login by the same user from a different browser is a different session altogether. And the cookies set in one browser will not affect those in another. So different Gmail instances are possible in different browsers.
Persistent cookies
Servlets in Java have an HttpSession object which you can use to store state information for a user. The session is managed on the client by a cookie (JSESSIONID) or can be done using URL rewriting. The session timeout describes how long the server will wait after the last request before deleting the state information stored in an HttpSession.
The scope is per browser instance, so in the example you give, logging in from two different PCs will result in two session objects.
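The HttpSession usage this answer describes, as an added example rather than code from the answer: one servlet whose POST logs a user in, whose GET acts as a protected resource, and whose DELETE logs out, showing where the web.xml timeout applies and what an expired or absent session looks like from servlet code. It assumes the Jakarta Servlet API (jakarta.servlet.*; with the older javax.servlet.* only the import prefix changes), the /session mapping, and a placeholder credential check that is the example's own.

```java
import java.io.IOException;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;

// Added example, not code from the answer. Assumes the Jakarta Servlet API;
// the /session path and the credential check below are placeholders.
@WebServlet("/session")
public class SessionServlet extends HttpServlet {

    // POST /session with form fields "user" and "password": establish the session.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = req.getParameter("user");
        String password = req.getParameter("password");
        if (!credentialsValid(user, password)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Throw away whatever session the browser held while anonymous, so the
        // authenticated state lives under a JSESSIONID that is issued only now.
        HttpSession anonymous = req.getSession(false);
        if (anonymous != null) {
            anonymous.invalidate();
        }
        HttpSession session = req.getSession(true);   // container sends Set-Cookie: JSESSIONID=...
        session.setAttribute("user", user);
        // Per-session override of <session-timeout>: web.xml uses minutes, this call uses seconds.
        session.setMaxInactiveInterval(30 * 60);
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    // GET /session: a protected resource. getSession(false) returns null both when the
    // browser sent no cookie and when the entry was dropped after 30 idle minutes.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);
        Object user = session == null ? null : session.getAttribute("user");
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("logged in as " + user
                + ", idle timeout " + session.getMaxInactiveInterval() + " s");
    }

    // DELETE /session: logout removes the server-side entry; the cookie value is now dead.
    @Override
    protected void doDelete(HttpServletRequest req, HttpServletResponse resp) {
        HttpSession session = req.getSession(false);   // never create a session just to destroy it
        if (session != null) {
            session.invalidate();
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    // Placeholder for the example only; a real application verifies a salted
    // password hash from its user store.
    private boolean credentialsValid(String user, String password) {
        return "alice".equals(user) && "example-password".equals(password);
    }
}
```

The setMaxInactiveInterval call is optional; without it the session inherits the value from web.xml's `<session-timeout>`. In the same `<session-config>` element, Servlet 3.0 and later also accept a `<cookie-config>` with `<http-only>true</http-only>` and `<secure>true</secure>`, which keeps the JSESSIONID cookie out of reach of page scripts and off plain HTTP connections; the server-side map the other answer describes is only as private as that cookie.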
If you open the same application in different windows, I mean multiple instances of a browser, it will create a different session for every instance.
I recommend Apache Shiro for session management, authentication and authorization. I take it back.
As @BalusC commented below, only the servlet container is in charge of managing the HTTP session. Shiro is just using that. It will hook into HttpSession via a filter you explicitly define.
We have 4 ways to manage a session.
1. Cookies
2. URL rewriting
3. Hidden form fields
4. HTTP session
The fourth one is powerful and mostly used nowadays.
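Methods 1 and 2 in this list are the two ways a container can carry the HttpSession id (method 4) between requests. As an added example, not code from the answer, the servlet below reports which of the two the current request used and what response.encodeURL() returns, which is how URL rewriting is applied in servlet code. It assumes the Jakarta Servlet API (jakarta.servlet.*) and the /tracking mapping.

```java
import java.io.IOException;
import java.io.PrintWriter;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

// Added example, not code from the answer. Assumes the Jakarta Servlet API;
// the /tracking path is a placeholder.
@WebServlet("/tracking")
public class TrackingInfoServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Make sure a session exists so the container has an id to track.
        req.getSession(true);

        // encodeURL() is the URL-rewriting hook: the container appends ;jsessionid=...
        // only when it has not yet confirmed that this browser accepts cookies (or when
        // URL tracking is enabled); with a cookie in hand it returns the link unchanged.
        String link = resp.encodeURL(req.getContextPath() + "/tracking");

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("id came from cookie : " + req.isRequestedSessionIdFromCookie());
        out.println("id came from URL    : " + req.isRequestedSessionIdFromURL());
        out.println("id still valid      : " + req.isRequestedSessionIdValid());
        out.println("rewritten link      : " + link);
    }
}
```

On a first visit from a browser that sends no cookie, the rewritten link carries the id in the path; once the browser presents the JSESSIONID cookie, the same call returns a plain link. Because an id in a URL ends up in browser history, server logs and Referer headers, applications that do not need the cookie-less fallback usually disable it, either with `<tracking-mode>COOKIE</tracking-mode>` inside `<session-config>` in web.xml (Servlet 3.0 and later) or programmatically with ServletContext.setSessionTrackingModes before the context finishes initializing.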