Using Sessions When Cookies Are Disabled: URL Rewriting and a Concrete Solution

Let's first describe the implementation principle of session.

A session is a memory area that the server provides for each client, in which it can store information about that client's operations.

Normally, a session survives for as long as the user is accessing the server through the client; when the client is shut down, the session on the server is destroyed.

Otherwise, the server calls the session.invalidate() method to destroy it manually.

Sessions depend on cookies!!!

Without cookies, the session of the corresponding client cannot be retrieved through request.getSession().

How it works in practice

The first time the client accesses the server, the server returns

In the response header returned by the server, you can see a Set-Cookie field containing JSESSIONID=94E09A118319882388C08A27A42696DB.

94E09A118319882388C08A27A42696DB is the ID of the session saved on the server.

When the client visits other links on the website again, the server's response header no longer has a Set-Cookie field.

But look at the client's request header: the JSESSIONID cookie is sent along automatically, and the server uses the value of that field to get the session object it has saved for that client.

At this point, the corresponding session object can be obtained by request.getSession().

However, all of this assumes that the client has not disabled cookies. When the client disables cookies, no cookie is carried when it accesses other links on the server. What should we do then? (*^^*)

One solution: append the jsessionid value held by the client to the corresponding URL, so that the server can extract the jsessionid by parsing the URL and then use this session ID to get the session object saved on the server.

The jsessionid is appended by the HttpServletResponse method response.encodeURL().

Now let's talk about the function response.encodeURL().

First, it determines whether the client has disabled cookies; if not, it returns the request.getRequestURI() value without appending the jsessionid.

If it judges that the client has disabled cookies, it appends jsessionid=xxx after request.getContextPath()+"/hello/index".

When the client accesses the server again, the jsessionid value is part of the link.

Because the client has disabled cookies, the request header carries no Cookie value.

The server can then obtain the session ID by parsing the URL, and look up the corresponding session by that session ID.

Now that the basic principles are covered, we present a SpringBoot-based solution for getting sessions.

MySessionContext code

package mr.s.javaee.context;

import javax.servlet.http.HttpSession;
import java.util.HashMap;

// Process-wide registry that maps session IDs to live HttpSession objects
public class MySessionContext {

    // Created eagerly at class load, so concurrent first calls to
    // getInstance() cannot end up with two separate registries
    private static final MySessionContext instance = new MySessionContext();
    private final HashMap<String,HttpSession> sessionMap;

    private MySessionContext() {
        sessionMap = new HashMap<String,HttpSession>();
    }

    public static MySessionContext getInstance() {
        return instance;
    }

    // Register a session when the container creates it
    public synchronized void addSession(HttpSession session) {
        if (session != null) {
            sessionMap.put(session.getId(), session);
        }
    }

    // Drop a session when the container destroys it
    public synchronized void delSession(HttpSession session) {
        if (session != null) {
            sessionMap.remove(session.getId());
        }
    }

    // Returns null when the ID is null or no such session is registered
    public synchronized HttpSession getSession(String sessionID) {
        if (sessionID == null) {
            return null;
        }
        return sessionMap.get(sessionID);
    }
}

SessionListener code

package mr.s.javaee.listener;

import mr.s.javaee.context.MySessionContext;

import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Keeps MySessionContext in step with the container's session lifecycle
@WebListener
public class SessionListener implements HttpSessionListener {

    private final MySessionContext myc = MySessionContext.getInstance();

    @Override
    public void sessionCreated(HttpSessionEvent httpSessionEvent) {
        HttpSession session = httpSessionEvent.getSession();
        myc.addSession(session);
    }

    // Also fires on timeout and on session.invalidate()
    @Override
    public void sessionDestroyed(HttpSessionEvent httpSessionEvent) {
        HttpSession session = httpSessionEvent.getSession();
        myc.delSession(session);
    }
}

Finally, you need to modify the startup class: add the @ServletComponentScan annotation.

The core code for getting the session

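String uri = request.getRequestURI();
// The ID is only in the URI when the link was rewritten; indexing [1] blindly would throw otherwise
String[] parts = uri.split("jsessionid=");
String sessionId = parts.length > 1 ? parts[1] : null;
System.out.println(sessionId);
MySessionContext myc = MySessionContext.getInstance();
HttpSession session = myc.getSession(sessionId); // null for a missing or unknown ID
String name = null;
if (session != null && session.getAttribute("name") != null) {
    name = session.getAttribute("name").toString();
}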
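
An added example (not code from the original article): a stricter way to pull the session ID out of a rewritten URL than splitting on "jsessionid=". It assumes the container writes the ID as a ";jsessionid=" path parameter, as Tomcat does, and that IDs have the 32-hex-character shape of the sample shown earlier; the class name JsessionidExtractor and the /app URIs are made up for illustration.

```java
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class JsessionidExtractor {

    // Assumption: IDs look like the article's sample (32 hex characters).
    // Adjust the pattern if your container issues a different format.
    private static final Pattern PATH_PARAM =
            Pattern.compile(";jsessionid=([0-9A-Fa-f]{32})(?=$|[;/])");

    /** Returns the session ID carried as a ;jsessionid= path parameter, if any. */
    static Optional<String> extract(String requestUri) {
        if (requestUri == null) {
            return Optional.empty();
        }
        // Only look at the path: a "jsessionid=" inside the query string is
        // an ordinary request parameter, not the rewritten session ID.
        int q = requestUri.indexOf('?');
        String path = (q >= 0) ? requestUri.substring(0, q) : requestUri;
        Matcher m = PATH_PARAM.matcher(path);
        return m.find() ? Optional.of(m.group(1)) : Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample URIs; the ID is the one shown in the article.
        String[] samples = {
            "/app/hello/index;jsessionid=94E09A118319882388C08A27A42696DB",
            "/app/hello/index;jsessionid=94E09A118319882388C08A27A42696DB?page=2",
            "/app/hello/index",                        // cookie-based request, no ID in the URL
            "/app/hello/index;jsessionid=",            // empty value
            "/app/hello/index;jsessionid=not-an-id",   // malformed value
            "/app/hello/index?next=jsessionid=94E09A118319882388C08A27A42696DB"
        };
        for (String uri : samples) {
            System.out.println(uri + " -> " + extract(uri).orElse("(none)"));
        }
    }
}
```

Only the first two samples yield an ID; the others print "(none)", including the last one, where a plain split on "jsessionid=" would have returned a value taken from the query string. An ID carried in a URL also ends up in browser history, server logs and Referer headers, so pass the result to MySessionContext.getSession() as untrusted input and handle a null return.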

This is the end of this article. Thank you for browsing.

Keywords: Session JavaEE SpringBoot Java

Added by daijames on Sun, 04 Aug 2019 11:14:21 +0300