java 检查有效会话:isRequestedSessionIdValid() vs getSession(false)
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/14243455/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Check for valid session: isRequestedSessionIdValid() vs getSession(false)
提问by Terry
I'm developing Java Servlets. At the point of checking whether a user is logged in, I want to check if the HTTP request has a valid session. For checking that, I have 2 possibilities:
我正在开发 Java Servlet。在检查用户是否登录时,我想检查 HTTP 请求是否具有有效会话。为了检查这一点,我有两种可能性:
(1)
(1)
protected void processRequest(HttpServletRequest request,
HttpServletResponse response) throws ServletException, IOException {
HttpSession session = request.getSession(false);
if (session != null) {
// user is logged in
...
}
}
Since I pass false as an argument, there is no new session created if there is no valid session existing already, and the function returns null, for what I can check.
由于我将 false 作为参数传递,因此如果已经不存在有效会话,则不会创建新会话,并且该函数返回 null,以便我可以检查。
Or I do:
或者我这样做:
(2)
(2)
if (request.isRequestedSessionIdValid()) {
// user is logged in
...
}
Is there any difference, any advantage/disadvantage? Or do both functions do more or less the same?
有什么区别,有什么优点/缺点吗?或者这两个功能或多或少是一样的?
回答by Subin Sebastian
Form Javadoc
形成 Javadoc
isRequestedSessionIdValid boolean isRequestedSessionIdValid() Checks whether the requested session ID is still valid. If the client did not specify any session ID, this method returns false.
Returns: true if this request has an id for a valid session in the current session context; false otherwise
isRequestedSessionIdValid boolean isRequestedSessionIdValid() 检查请求的会话 ID 是否仍然有效。如果客户端未指定任何会话 ID,则此方法返回 false。
返回: 如果此请求在当前会话上下文中具有有效会话的 ID,则返回 true;否则为假
So in sense both are same. But what you need to be aware of is request.getSession(false) will be null only in case of first request to the container. After the first request container creates a session and sends Jsessionid cookie along with response , so that it can track subsequent requests from the same browser. So in your case instead of checking if session is null or not, you should store a session attribute "is_logged_in"=true and check for this attribute as well if session is not null.
所以在某种意义上两者是一样的。但是您需要注意的是 request.getSession(false) 只有在第一次向容器请求的情况下才会为空。在第一个请求容器创建会话并将 Jsessionid cookie 与 response 一起发送后,以便它可以跟踪来自同一浏览器的后续请求。所以在你的情况下,而不是检查 session 是否为空,你应该存储一个 session 属性 "is_logged_in"=true 并检查这个属性,如果 session 不为空。
回答by Justin87
Based on the wording of the JavaDoc, it seems like there would be a distinction: if a valid session has already been created (from a prior call to request.getSession(true)), then the requested session ID will not be valid, but request.getSession(false)will have a valid (non-null) session to return. I haven't tested this theory.
根据 JavaDoc 的措辞,似乎会有一个区别:如果已经创建了一个有效的会话(从先前调用request.getSession(true)),那么请求的会话 ID 将无效,但request.getSession(false)将具有有效的(非-null) 要返回的会话。我还没有测试过这个理论。
