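Sessions have been giving me a headache lately.

The sessionId is assigned on the server side. If getSession is called in a servlet for the first time, does it first check whether a session id exists, and assign one if it does not? I read the Tomcat source code and did not really understand it. When a request comes in, Tomcat first checks whether the URL or the cookie contains a jsessionid field; if it does, Tomcat uses this id to look up the corresponding session in memory. Suppose I have visited before and was already assigned a session id, but I have not visited for a long time, so the session has expired. When I send a request now, the browser still sends this session id to the server. The server finds the session id in the cookie and then uses this id to look up the corresponding session. At this point it should not find the corresponding session, right? How is this case handled?

    if (connector.getEmptySessionPath()
            && isRequestedSessionIdFromCookie()) {
        session = manager.createSession(getRequestedSessionId());
    } else {
        session = manager.createSession(null);
    }

This is part of the doGetSession source. By the time execution reaches this step, requestedSessionId is already null, or no session was found for the session id. So why is there an isRequestedSessionIdFromCookie() check when creating the new session? Doesn't this check whether the requested session id came from a cookie? If the session has expired, the session id did come from the cookie, so isRequestedSessionIdFromCookie() is true? And then createSession(getRequestedSessionId) below creates a new session with the current session id? In other words, even though this session id has expired, it keeps being used??? Experts, please advise: where am I wrong?

Below is the source of doGetSession: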
    protected Session doGetSession(boolean create) {

        // There cannot be a session if no context has been assigned yet
        if (context == null)
            return (null);

        // Return the current session if it exists and is valid
        if ((session != null) && !session.isValid())
            session = null;
        if (session != null)
            return (session);

        // Return the requested session if it exists and is valid
        Manager manager = null;
        if (context != null)
            manager = context.getManager();
        if (manager == null)
            return (null); // Sessions are not supported
        if (requestedSessionId != null) {
            try {
                session = manager.findSession(requestedSessionId);
            } catch (IOException e) {
                session = null;
            }
            if ((session != null) && !session.isValid())
                session = null;
            if (session != null) {
                session.access();
                return (session);
            }
        }

        // Create a new session if requested and the response is not committed
        if (!create)
            return (null);
        if ((context != null) && (response != null) &&
                context.getCookies() &&
                response.getResponse().isCommitted()) {
            throw new IllegalStateException
                (sm.getString("coyoteRequest.sessionCreateCommitted"));
        }

        // Attempt to reuse session id if one was submitted in a cookie
        // Do not reuse the session id if it is from a URL, to prevent possible
        // phishing attacks
        if (connector.getEmptySessionPath()
                && isRequestedSessionIdFromCookie()) {
            session = manager.createSession(getRequestedSessionId());
        } else {
            session = manager.createSession(null);
        }

        // Creating a new session cookie based on that session
        if ((session != null) && (getContext() != null)
                && getContext().getCookies()) {
            String scName = context.getSessionCookieName();
            if (scName == null) {
                scName = Globals.SESSION_COOKIE_NAME;
            }
            Cookie cookie = new Cookie(scName, session.getIdInternal());
            configureSessionCookie(cookie);
            response.addSessionCookieInternal(cookie, context.getUseHttpOnly());
        }

        if (session != null) {
            session.access();
            return (session);
        } else {
            return (null);
        }
    }
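
The expired-cookie case asked about above, traced through a simplified model of this branch. This is an added example, not part of the original post and not Tomcat code: ToySession, ToyManager, the 1800-second timeout and the id "ABC123" are hypothetical stand-ins constructed for the illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Simplified model of the doGetSession(true) flow quoted above.
// ToySession and ToyManager are hypothetical stand-ins, not Tomcat classes.
public class SessionReuseDemo {
    static class ToySession {
        final String id; final long expiresAt;
        final Map<String, Object> attributes = new HashMap<>();
        ToySession(String id, long expiresAt) { this.id = id; this.expiresAt = expiresAt; }
        boolean isValid(long now) { return now < expiresAt; }
    }
    static class ToyManager {
        final Map<String, ToySession> sessions = new HashMap<>();
        ToySession findSession(String id) { return sessions.get(id); }
        // Like manager.createSession(id): null means "generate a fresh id".
        ToySession createSession(String id, long now) {
            String newId = (id != null) ? id : UUID.randomUUID().toString();
            ToySession s = new ToySession(newId, now + 1800); // assumed timeout
            sessions.put(newId, s); // replaces any stale entry under the same id
            return s;
        }
    }
    static ToySession doGetSession(ToyManager m, String requestedId, boolean fromCookie,
                                   boolean emptySessionPath, long now) {
        if (requestedId != null) {
            ToySession found = m.findSession(requestedId);
            if (found != null && found.isValid(now)) return found; // live session
        }
        // Expired or unknown id: always a NEW session object. Only the id string
        // may be carried over, and only when it arrived in a cookie.
        return (emptySessionPath && fromCookie)
                ? m.createSession(requestedId, now)
                : m.createSession(null, now);
    }
    public static void main(String[] args) {
        ToyManager m = new ToyManager();
        ToySession old = m.createSession("ABC123", 0); // constructed sample id
        old.attributes.put("user", "alice");
        long later = 5000;                             // past the timeout
        ToySession viaUrl = doGetSession(m, "ABC123", false, true, later);
        ToySession defaultCfg = doGetSession(m, "ABC123", true, false, later);
        ToySession viaCookie = doGetSession(m, "ABC123", true, true, later);
        System.out.println("URL id, emptySessionPath=true:     reused=" + viaUrl.id.equals("ABC123"));
        System.out.println("cookie id, emptySessionPath=false: reused=" + defaultCfg.id.equals("ABC123"));
        System.out.println("cookie id, emptySessionPath=true:  reused=" + viaCookie.id.equals("ABC123")
                + ", attributes=" + viaCookie.attributes);
    }
}
```

In this model only the third call keeps the old id string, and the session behind it is a new, empty object, so no attribute of the expired session comes back with the id. Because that branch accepts an id value chosen by the client, issuing a fresh session id at login remains the control against session fixation.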