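Differences between Cookie and Session
A cookie lives on the client; a session lives on the server. A cookie is stored on the client and records information from the web server; on every visit the corresponding cookie information is checked first. For example, when shopping, a cookie is used to record the shopping-cart contents. A session records information about the client. The SessionID is the unique identifier of a session, and a session can be used to record the client's requests and similar data.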
https://blog.csdn.net/qq_42651904/article/details/85543640
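Advantages of Session and how it is sent
Session is based on Cookie
Because many third parties can obtain a cookie, and the server cannot tell whether a cookie was really sent by the genuine user, a cookie can be forged, and a forged cookie can be used to log in and make HTTP requests. In terms of security, a session is somewhat more secure than a cookie. First we need to understand one concept: the SessionID. What is the SessionID? The first time a client sends a request to the server, the server creates a session for that client and computes an ID for the session with a special algorithm. On the next request for a resource (while the session has not expired), the browser places the session ID (which is in fact a cookie) in the request headers. When the server receives the request it obtains the SessionID from it, finds the session with that ID, and returns it to the requester for use.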
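The flow described above, as an added example that is not code from the original page and not the servlet container's implementation: a toy in-memory store that issues a random session ID, finds the session when the ID comes back in a `Cookie` header, and does not trust an ID it never issued. The class `SessionIdFlowDemo`, its methods and the sample header values are assumptions constructed for illustration.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Added illustration: a toy session store, not the container's real code. */
public class SessionIdFlowDemo {
    private static final SecureRandom RNG = new SecureRandom();
    // Server side: session ID -> attributes. The data never leaves the server.
    private static final Map<String, Map<String, Object>> STORE = new ConcurrentHashMap<>();

    /** Extracts JSESSIONID from a Cookie request header value, or null if absent. */
    static String sessionIdFrom(String cookieHeader) {
        if (cookieHeader == null) return null;
        for (String pair : cookieHeader.split(";")) {
            String[] kv = pair.trim().split("=", 2);
            if (kv.length == 2 && kv[0].equals("JSESSIONID")) return kv[1];
        }
        return null;
    }

    /** Returns the presented ID if the server issued it, otherwise creates a new session. */
    static String getSession(String cookieHeader) {
        String id = sessionIdFrom(cookieHeader);
        if (id != null && STORE.containsKey(id)) return id;  // known ID: reuse the session
        byte[] raw = new byte[16];                           // 128 bits from a CSPRNG
        RNG.nextBytes(raw);
        StringBuilder hex = new StringBuilder();
        for (byte b : raw) hex.append(String.format("%02X", b));
        STORE.put(hex.toString(), new HashMap<>());
        return hex.toString();                               // would go out as Set-Cookie: JSESSIONID=...
    }

    public static void main(String[] args) {
        // First request: no cookie, so the server creates a session
        String id = getSession(null);
        STORE.get(id).put("username", "liuhongtao");
        // Second request: the browser returns the cookie and the same session is found
        String again = getSession("theme=dark; JSESSIONID=" + id);
        System.out.println("same session: " + id.equals(again));
        System.out.println("username: " + STORE.get(again).get("username"));
        // Constructed value: an ID the server never issued gets a new, empty session
        String other = getSession("JSESSIONID=0000000000000000");
        System.out.println("unknown id accepted: " + other.equals("0000000000000000"));
        System.out.println("username for unknown id: " + STORE.get(other).get("username"));
    }
}
```

The lookup only proves that the server issued the ID, not who is presenting it, so the session cookie itself still has to be kept away from third parties.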
Basic use of Session
Practice example
Create the servlets
```java
package com.taotao.web.session;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;

/**
 * Created by 刘鸿涛
 * 2022/4/2 15:06
 */
@SuppressWarnings({"all"})
@WebServlet("/demo1")
public class SessionDemo1 extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // Store data in the session
        // 1. Get the Session object
        HttpSession session = req.getSession();
        // 2. Store the data
        session.setAttribute("username", "liuhongtao");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        this.doGet(req, resp);
    }
}
```
```java
package com.taotao.web.session;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;

/**
 * Created by 刘鸿涛
 * 2022/4/2 15:06
 */
@SuppressWarnings({"all"})
@WebServlet("/demo2")
public class SessionDemo2 extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // Read data from the session
        // 1. Get the session object
        HttpSession session = req.getSession();
        // 2. Read the data
        Object username = session.getAttribute("username");
        System.out.println(username);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        this.doGet(req, resp);
    }
}
```
Test run
How Session works
Demonstration
Modify the servlets to print the session's address value
```java
package com.taotao.web.session;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;

/**
 * Created by 刘鸿涛
 * 2022/4/2 15:06
 */
@SuppressWarnings({"all"})
@WebServlet("/demo1")
public class SessionDemo1 extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // Store data in the session
        // 1. Get the Session object
        HttpSession session = req.getSession();
        System.out.println(session);
        // 2. Store the data
        session.setAttribute("username", "liuhongtao");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        this.doGet(req, resp);
    }
}
```
```java
package com.taotao.web.session;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;

/**
 * Created by 刘鸿涛
 * 2022/4/2 15:06
 */
@SuppressWarnings({"all"})
@WebServlet("/demo2")
public class SessionDemo2 extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // Read data from the session
        // 1. Get the session object
        HttpSession session = req.getSession();
        System.out.println(session);
        // 2. Read the data
        Object username = session.getAttribute("username");
        System.out.println(username);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        this.doGet(req, resp);
    }
}
```
Test run
:::info
Visit demo1 first, then visit demo2
:::
:::info
Conclusion: the session address values are exactly the same
:::
Key point: JSESSIONID
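Session usage details
Session passivation and activation
Start the server cleanly
Visit demo1, then shut down the server
Stop the server cleanly
Start the server cleanly again
Visit demo2
Session destruction:
Demonstration: changing the session destruction time
Modify the web.xml file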
```xml
<!DOCTYPE web-app PUBLIC
  "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd" >
<web-app>
  <session-config>
    <!-- Default is 30 minutes; here the session is destroyed after 100 minutes -->
    <session-timeout>100</session-timeout>
  </session-config>
</web-app>
```
Demonstration: destroying the session directly
Modify servlet demo2
```java
package com.taotao.web.session;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;

/**
 * Created by 刘鸿涛
 * 2022/4/2 15:06
 */
@SuppressWarnings({"all"})
@WebServlet("/demo2")
public class SessionDemo2 extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // Read data from the session
        // 1. Get the session object
        HttpSession session = req.getSession();
        System.out.println(session);
        // Destroy the session
        session.invalidate();
        // 2. Read the data
        // Note: calling getAttribute() on an invalidated session throws IllegalStateException
        Object username = session.getAttribute("username");
        System.out.println(username);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        this.doGet(req, resp);
    }
}
```
Test run
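A variant of the destruction demo that makes the effect of `invalidate()` visible in the browser, added here as an example and not part of the original page: it reads the data before destroying the session, confirms the old object is rejected afterwards, and shows that the next `getSession()` yields a new, empty session under a different ID. The class `SessionDemo3` and the path `/demo3` are hypothetical names, and the example assumes demo1 was visited first.

```java
package com.taotao.web.session;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.io.PrintWriter;

// Added example: SessionDemo3 and /demo3 are hypothetical names, not from the original page
@WebServlet("/demo3")
public class SessionDemo3 extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        resp.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = resp.getWriter();

        // getSession(false) never creates a session, so a request without one is detected
        HttpSession old = req.getSession(false);
        if (old == null) {
            out.println("no session yet: visit /demo1 first");
            return;
        }
        // Read everything that is needed before destroying the session
        String oldId = old.getId();
        Object username = old.getAttribute("username");
        old.invalidate();

        // Attribute access on the invalidated object is rejected by the container
        boolean rejected = false;
        try {
            old.getAttribute("username");
        } catch (IllegalStateException e) {
            rejected = true;
        }
        // A later getSession() creates a new, empty session under a different ID
        HttpSession fresh = req.getSession();

        out.println("username before invalidate: " + username);
        out.println("old session rejected after invalidate: " + rejected);
        out.println("new id differs from old: " + !oldId.equals(fresh.getId()));
        out.println("username in new session: " + fresh.getAttribute("username"));
    }
}
```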
Summary of session-tracking techniques
Differences between cookie and session

