Cookies与Session的总结

最近对session和cookie有点迷糊，看了马士兵关于session和cookie的视频，记录总结一下。

常用的会话跟踪技术是Cookie与Session，区别是Cookie存储在客户端，而Session存储在服务器端来确定用户身份。
1、 Cookie

Cookie为一小段文本信息，当客户端浏览器访问服务器时，服务器向客户端写入一个Cookie。客户端把Cookie保存起来。下一次再访问服务器时，客户端浏览器把请求的网址连同该Cookie一同提交给服务器，服务器验证该Cookie，就能辨别该用户。

作如下试验：

<?xml version="1.0" encoding="UTF-8"?><web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"     xmlns="http://java.sun.com/xml/ns/javaee"     xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0">  <display-name>Cookies_Session</display-name>  <servlet>    <servlet-name>SetCookies</servlet-name>    <servlet-class>com.test.cookies.SetCookies</servlet-class>  </servlet>  <servlet-mapping>    <servlet-name>SetCookies</servlet-name>    <url-pattern>/servlet/SetCookies</url-pattern>  </servlet-mapping>  <servlet>    <servlet-name>ShowCookies</servlet-name>    <servlet-class>com.test.cookies.ShowCookies</servlet-class>  </servlet>  <servlet-mapping>    <servlet-name>ShowCookies</servlet-name>    <url-pattern>/servlet/ShowCookies</url-pattern>  </servlet-mapping>  <servlet>    <servlet-name>SessionInfoServlet</servlet-name>    <servlet-class>com.test.session.SessionInfoServlet</servlet-class>  </servlet>  <servlet-mapping>    <servlet-name>SessionInfoServlet</servlet-name>    <url-pattern>/servlet/SessionInfoServlet</url-pattern>  </servlet-mapping>  <servlet>    <servlet-name>ShowSession</servlet-name>    <servlet-class>com.test.session.ShowSession</servlet-class>  </servlet>  <servlet-mapping>    <servlet-name>ShowSession</servlet-name>    <url-pattern>/servlet/ShowSession</url-pattern>  </servlet-mapping></web-app>

package com.test.cookies;import java.io.IOException;import java.io.PrintWriter;import javax.servlet.ServletException;import javax.servlet.annotation.WebServlet;import javax.servlet.http.Cookie;import javax.servlet.http.HttpServlet;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;/** * Servlet implementation class SetCookes */@WebServlet("/SetCookes")public class SetCookies extends HttpServlet {    private static final long serialVersionUID = 1L;    public SetCookies() {        super();    }    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {        for(int i = 0; i < 3; i++) {            // 3个没有设置时间的Cookie，属于本窗口及其子窗口(存在内存)            Cookie cookie = new Cookie("Session-Cookie-" + i, "Cookie-Value-S" + i);            response.addCookie(cookie);            // 以下3个Cookie设置了时间（1小时），属于文本，别的窗口也可以访问到这些Cookie(存在硬盘)            cookie = new Cookie("Persistent-Cookie-" + i, "Cookie-Value-P" + i);            cookie.setMaxAge(3600);            response.addCookie(cookie);        }        response.setContentType("text/html;charset=gb2312");        PrintWriter out = response.getWriter();        String title = "Setting Cookies";        out.println("<html><head><title>设置Cookie</title></head>"                + "<body>" + title + "<br>"                + "There are six cookies associates with this page.<br>"                + "to see them,visit the <a href=\"ShowCookies\">/n"                + "<code>ShowCookies</code> servlet</a>"                + "</body></html>");    }    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {        this.doGet(request, response);    }}

试验：
访问http://localhost:8080/Cookies_Session/servlet/SetCookies，设置cookie数据到客户端。
我们在我们本机下能看到我们设置的cookie.

里面记录信息如下：
Persistent-Cookie-0
Cookie-Value-P0
localhost/Cookies_Session/servlet/
1536
2965479296
30602999
1329089495
30602991
*
Persistent-Cookie-1
Cookie-Value-P1
localhost/Cookies_Session/servlet/
1536
2965479296
30602999
1329159499
30602991
*
Persistent-Cookie-2
Cookie-Value-P2
localhost/Cookies_Session/servlet/
1536
2965479296
30602999
1329219503
30602991
*

通过代码显示设置的cookies

package com.test.cookies;import java.io.IOException;import java.io.PrintWriter;import javax.servlet.ServletException;import javax.servlet.annotation.WebServlet;import javax.servlet.http.Cookie;import javax.servlet.http.HttpServlet;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;public class ShowCookies extends HttpServlet {    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {        response.setContentType("text/html;charset=UTF-8");        PrintWriter pw = response.getWriter();        pw.println("<html><head><title></title></head>"                 + "<table border=1 align=center>"                + "<TH>Cookie Name<TH>Cookie Value" + "<br>");        // 读取客户端的所有Cookie        Cookie[] cookies = request.getCookies();        if(cookies != null) {            Cookie cookie=null;            for(int i = 0; i < cookies.length; i++) {                cookie = cookies[i];                pw.println("<tr>" + "<td>" + cookie.getName() +"</td>"                        + "<td>" + cookie.getValue() +"</td></tr>");            }        }        pw.println("</table><body><html>");    }}

如果将浏览器关闭，从新打开一个浏览器访问ShowCookies接口，如下：

这是因为SetCookies接口中，有三个cookies是设置了失效时间，这个三个cookie是存储在客户端硬盘上的，而另外三个cookie是没有设置失效时间，这三个cookie属于本窗口和其子窗口，存储在内存中的。

2.session

Session是记录在服务器端的，如果浏览器允许Cookie写入，创建Session的时候把SessionID保存在Cookie里。
如果设置不允许，可以通过URL重写的方式实现Session的记录。

package com.test.session;import java.io.IOException;import java.io.PrintWriter;import java.util.Date;import javax.servlet.ServletException;import javax.servlet.http.HttpServlet;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;import javax.servlet.http.HttpSession;public class SessionInfoServlet extends HttpServlet {    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {        // Returns the current session associated with this request, or if the request does not have a session, creates one.         HttpSession mySession = request.getSession(true);        response.setContentType("text/html");        PrintWriter out = response.getWriter();        String title = "Session Info Servlet";        out.println("<html>");        out.println("<head>");        out.println("<title>Session Info Servlet</title>");        out.println("</head>");        out.println("<body>");        out.println("<h3>Session Infomation</h3>");        // Returns true if the client does not yet know about the session or if the client chooses not to join the session.         out.println("New Session:" + mySession.isNew() + "<br>");        // Returns a string containing the unique identifier assigned to this session.        out.println("Session Id:" + mySession.getId() + "<br>");        // Returns the time when this session was created, measured in milliseconds since midnight January 1, 1970 GMT.         out.println("Session Create Time:" + new Date(mySession.getCreationTime()) + "<br>");        out.println("Session Last Access Time:" + new Date(mySession.getLastAccessedTime()) + "<br>");        out.println("<h3>Request Infomation</h3>");        // Returns the session ID specified by the client.        out.println("Session Id From Request:" + request.getRequestedSessionId() + "<br>");        // Checks whether the requested session ID came in as a cookie.         out.println("Session Id Via Cookie:" + request.isRequestedSessionIdFromCookie() + "<br>");        // Checks whether the requested session ID came in as part of the request URL.         out.println("Session Id Via URL:" + request.isRequestedSessionIdFromURL() + "<br>");        // Checks whether the requested session ID is still valid.         out.println("Valid Session Id:" + request.isRequestedSessionIdValid() + "<br>");        out.println("<a href=" + response.encodeURL("SessionInfoServlet") + ">refresh</a>");        out.println("</body></html>");        out.close();    }}

首先我们设置浏览器允许cookie的写入：

第一次访问http://localhost:8080/Cookies_Session/servlet/SessionInfoServlet

第一次访问时，是一个新的session,
此时我们访问http://localhost:8080/Cookies_Session/servlet/ShowCookies

可以发现，cookies里存储我们上面设置的session,这说明，Session是通过把sessionid保存在cookies里实现的。

我们再次访问http://localhost:8080/Cookies_Session/servlet/ShowCookies。

可以清晰的看到Sessionid并没有变化，且是通过cookies设置的。

我们设置流量器不支持cookies的情况（实验用的ie浏览器，其他的浏览器自行设置）。

多次访问http://localhost:8080/Cookies_Session/servlet/ShowCookies时，可以发现sessionid是变化的，说明禁用cookie后，是没法保存session会话的。

针对这种情况，可以通过URL重写来解决。

在代码中设置了refresh的链接，这个链接是通过encodeUrl（）实现的，点击referesh链接。

URL重写是将session的sessionid拼接到url上，达到记录客户会话。

下面这个实验，可以很好的说明session的机制，如果浏览器没有禁用cookies，多次访问这个url后，会记录这个用户的访问次数，如果浏览器禁用了cookies，每次都是访问都生成一个新的session，相当于一个新用户，访问次数为0.

package com.test.session;import java.io.IOException;import java.io.PrintWriter;import java.util.Date;import javax.servlet.ServletException;import javax.servlet.http.HttpServlet;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;import javax.servlet.http.HttpSession;/** * Session追踪 * 如果浏览器支持Cookie，创建Session的时候会把SessionId保存在Cookie中 * 否则必须自己编程使用URL重写的方式实现Session：response.encodeURL() * */public class ShowSession extends HttpServlet {    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {        response.setContentType("text/html;charset=utf-8");        PrintWriter out = response.getWriter();        String str = "Session Tracking Example";        String heading;        // 如果会话已经存在，则返回一个HttpSession；否则创建一个新的        HttpSession session = request.getSession(true);        // 从当前session中读取属性accessCount的值        Integer accessCount = (Integer)session.getAttribute("accessCount");        if(accessCount == null) {            accessCount = new Integer(0);            heading = "Welcome new user";        } else {            heading = "Welcome Back!";            accessCount = new Integer(accessCount.intValue() + 1);        }        session.setAttribute("accessCount", accessCount);        out.println("<html><head><title>Session追踪</title></head>"                + "<body>" + heading + "<br>"                + "<h2>Information on Your Session</h2><br>"                + "" + "<table border=1 align=center>"                + "<TH>Info Type<TH>Value" + "<br>"                + "<tr>" + "<td>ID</td>"                + "<td>" + session.getId() +"</td></tr>"                + "<tr>" + "<td>CreatTime</td>"                + "<td>" + new Date(session.getCreationTime()) +"</td></tr>"                + "<tr>" + "<td>LastAccessTime</td>"                + "<td>" + new Date(session.getLastAccessedTime()) +"</td></tr>"                + "<tr>" + "<td>Number of Access</td>"                + "<td>" + accessCount +"</td></tr>"                + "</body></html>");    }}