
当使用 servlet api(如 JSF 或 JSP 页面)运行 Java Web 应用程序时,会生成一个“唯一”SessionID 来标识用户的会话。

我想知道这些 sessionID 是如何生成的。它们是否包括客户端的 IP?时间戳?随机数?

其次,我想知道这个生成过程发生在哪里?这是否取决于运行应用程序的服务器?


4 回答 4


它是特定于容器的。Tomcat:http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html#Manager

于 2012-10-11T09:15:16.347 回答

通常会使用 java.security.MessageDigest 算法。

生成的 ID 通常只是一串达到所需长度的随机数,但具体做法会因各 servlet 容器使用的算法而异。(ID 的安全性取决于这些随机数不可预测,也就是说其来源应当是密码学安全的随机数生成器。)

以Tomcat6为例,看看:

ManagerBase.sessionIdLength

ManagerBase.createSession() //which calls generateSessionId()

http://www.docjar.com/html/api/org/apache/catalina/session/ManagerBase.java.html

于 2012-10-11T09:25:45.950 回答

http://docs.oracle.com/cd/E17802_01/products/products/servlet/2.3/javadoc/javax/servlet/http/HttpSession.html#getId()

“标识符由 servlet 容器分配,并且取决于实现。”

每当创建新会话时都会生成 jsessionid。

于 2012-10-11T09:11:49.903 回答

这是您问题的完整代码

创建 login.jsp

 <%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<%-- Login form: posts the "username" and "pwd" fields to LoginServlet.
     NOTE(review): the page directive declares ISO-8859-1 while the meta tag
     below says US-ASCII, and the <h1> sits inside <head>; both look
     unintended - confirm and align them. --%>
<!DOCTYPE html>
<html>
<head>
    <meta charset="US-ASCII">
    <title>Login Page</title>
    <h1>Please login to continue</h1>
</head>
<body>

<%-- The password travels in the POST body, so this page and LoginServlet
     should only be served over HTTPS.
     NOTE(review): the form carries no anti-CSRF token - confirm whether one
     is required for this application. --%>
<form action="LoginServlet" method="post">

    User Name: <input type="text" name="username">
    <br>
    Password: <input type="password" name="pwd">
    <br><br>
    <input type="submit" value="Login">
</form>
</body>
</html>

创建 LoginServlet

package com.self.sessionid;

import java.io.IOException;
import java.io.PrintWriter;
import java.net.CookieStore;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;


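/**
 * Demo login endpoint: checks the posted {@code username} / {@code pwd} parameters and, on
 * success, replaces any existing session with a fresh one before including
 * {@code /loginSuccess.jsp}.
 *
 * <p>NOTE(review): the expected credentials are compile-time constants, which is only
 * acceptable for a demonstration. A real application must verify against a credential store
 * that keeps salted password hashes (bcrypt/scrypt/argon2) and should throttle repeated
 * failures.
 */
@WebServlet("/LoginServlet")
public class LoginServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    // Demo-only credentials; see the class comment.
    private static final String EXPECTED_USERNAME = "admin";
    private static final String EXPECTED_PASSWORD = "password";

    // Idle timeout applied to the post-login session, in seconds.
    private static final int SESSION_TIMEOUT_SECONDS = 1 * 60;

    /**
     * Handles the login form submission.
     *
     * @param request  the request carrying the {@code username} and {@code pwd} parameters
     * @param response the response that receives the included JSP output
     * @throws ServletException if the included resource fails
     * @throws IOException      if writing the response fails
     */
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("pwd");

        // Non-short-circuit '&' so both comparisons always run, whichever field is wrong.
        boolean authenticated =
                matches(EXPECTED_USERNAME, username) & matches(EXPECTED_PASSWORD, password);

        if (authenticated) {
            // Discard any pre-login session so an ID that existed before authentication is
            // never carried into the authenticated state (session fixation defence).
            HttpSession oldSession = request.getSession(false);
            if (oldSession != null) {
                oldSession.invalidate();
            }
            HttpSession newSession = request.getSession(true);
            newSession.setMaxInactiveInterval(SESSION_TIMEOUT_SECONDS);

            Cookie message = new Cookie("message", "welcome");
            // Keep the cookie away from page scripts, and restrict it to HTTPS when the
            // login itself arrived over HTTPS.
            message.setHttpOnly(true);
            message.setSecure(request.isSecure());
            response.addCookie(message);

            // The session ID is deliberately not written to stdout: it is a bearer
            // credential, and server logs are usually readable by more people than the
            // session owner. (The request's cookies would in any case only show the
            // values sent before this login, not the cookies set on this response.)

            RequestDispatcher rd = getServletContext().getRequestDispatcher("/loginSuccess.jsp");
            rd.include(request, response);
        } else {
            RequestDispatcher rd = getServletContext().getRequestDispatcher("/login.jsp");
            PrintWriter out = response.getWriter();
            // Same message for a wrong user name and a wrong password, so the response
            // does not reveal which of the two was incorrect.
            out.println("<font color=red>Either username or password is wrong.</font>");
            rd.include(request, response);
        }
    }

    /**
     * Compares a submitted value with the expected one without stopping at the first
     * differing character.
     *
     * @param expected the configured value, never {@code null}
     * @param supplied the request parameter, {@code null} when the parameter is missing
     * @return {@code true} only when both values are byte-for-byte equal
     */
    private static boolean matches(String expected, String supplied) {
        if (supplied == null) {
            return false;
        }
        return java.security.MessageDigest.isEqual(
                expected.getBytes(java.nio.charset.StandardCharsets.UTF_8),
                supplied.getBytes(java.nio.charset.StandardCharsets.UTF_8));
    }
}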

在 WebComponent 中创建 loginSuccess.jsp 文件

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<%-- Landing page included by LoginServlet after a successful login; offers a
     logout button that posts to LogoutServlet.
     NOTE(review): nothing on this page checks for an authenticated session, so
     a direct request to it presumably renders the same content - confirm that
     access is restricted elsewhere (filter or security constraint).
     The two disabled scriptlet blocks below would read the "message" and
     JSESSIONID cookies and print them into the page; keep the session ID out
     of rendered HTML, since anything able to read the page could then reuse
     it. --%>
<!DOCTYPE html>
<html>
<head>
<meta charset="ISO-8859-1">
<title>Insert title here</title>
</head>
<body>
<%-- <%
    String message = null;
    String sessionID = null;
    Cookie[] cookies = request.getCookies();
    if(cookies != null){
        for(Cookie cookie : cookies){
            if(cookie.getName().equals("message")) message = cookie.getValue();
            if(cookie.getName().equals("JSESSIONID")) sessionID = cookie.getValue();
        }
    }
%> --%>
    <h3>Login Success</h3>
    <%-- <h4><%=message%></h4>
    <h4>Session ID = <%=sessionID %></h4>
 --%>   <br><br>
    <h1>Welcome</h1>
    <form action="LogoutServlet" method="post">
        <input type="submit" value="Logout" >
    </form>
</body>
</html>

创建 LogoutServlet

package com.self.sessionid;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Logout endpoint: ends the caller's session, if one exists, and sends the browser back to
 * the login page.
 *
 * <p>Only POST is handled here, so following a plain link (GET) does not end the session.
 */
@WebServlet("/LogoutServlet")
public class LogoutServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    /**
     * Invalidates the current session and redirects to {@code login.jsp} under the
     * application's context path.
     *
     * @param request  the logout request
     * @param response the response used for the redirect
     * @throws ServletException declared by the servlet contract
     * @throws IOException      if the redirect cannot be sent
     */
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        endSessionIfPresent(request);
        final String loginPage = request.getContextPath() + "/login.jsp";
        response.sendRedirect(loginPage);
    }

    /** Invalidates the request's session without creating one when none exists. */
    private static void endSessionIfPresent(HttpServletRequest request) {
        // getSession(false) returns null instead of creating a session just to destroy it.
        final HttpSession current = request.getSession(false);
        if (current == null) {
            return;
        }
        current.invalidate();
    }

}
于 2019-12-08T08:24:03.700 回答