Java JSESSIONID 是在什么条件下创建的?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/595872/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Under what conditions is a JSESSIONID created?
提问by joshjdevl
When / what are the conditions when a JSESSIONIDis created?
JSESSIONID创建a 的时间/条件是什么?
Is it per a domain? For instance, if I have a Tomcat app server, and I deploy multiple web applications, will a different JSESSIONIDbe created per context (web application), or is it shared across web applications as long as they are the same domain?
是按域吗?例如,如果我有一个 Tomcat 应用程序服务器,并且我部署了多个 Web 应用程序,是否会为JSESSIONID每个上下文(Web 应用程序)创建一个不同的应用程序,或者它是否在 Web 应用程序之间共享,只要它们是同一个域?
采纳答案by Peter ?tibrany
JSESSIONID cookie is created/sent when session is created. Session is created when your code calls request.getSession()or request.getSession(true)for the first time. If you just want to get the session, but not create it if it doesn't exist, use request.getSession(false)-- this will return you a session or null. In this case, new session is not created, and JSESSIONID cookie is not sent. (This also means that session isn't necessarily created on first request... you and your code are in control whenthe session is created)
创建会话时创建/发送 JSESSIONID cookie。会话是在您的代码调用request.getSession()或request.getSession(true)第一次调用时创建的。如果您只想获取会话,但如果它不存在则不创建它,请使用request.getSession(false)-- 这将返回一个会话或null. 在这种情况下,不会创建新会话,也不会发送 JSESSIONID cookie。(这也意味着,会话不会在第一次请求必然产生......你和你的代码是在控制,当创建会话)
Sessions are per-context:
会话是基于上下文的:
SRV.7.3 Session Scope
HttpSession objects must be scoped at the application (or servlet context) level. The underlying mechanism, such as the cookie used to establish the session, can be the same for different contexts, but the object referenced, including the attributes in that object, must never be shared between contexts by the container.
SRV.7.3 会话范围
HttpSession 对象的范围必须在应用程序(或 servlet 上下文)级别。底层机制,例如用于建立会话的 cookie,对于不同的上下文可以是相同的,但引用的对象,包括该对象中的属性,绝不能由容器在上下文之间共享。
Update: Every call to JSP page implicitly creates a new session if there is no session yet. This can be turned off with the session='false'page directive, in which case session variable is not available on JSP page at all.
更新:如果还没有会话,每次调用 JSP 页面都会隐式地创建一个新会话。这可以用session='false'page 指令关闭,在这种情况下,会话变量在 JSP 页面上根本不可用。
回答by Mo.
CORRECTION: Please vote for Peter ?tibrany's answer - it is more correct and complete!
更正:请投票给 Peter ?tibrany 的答案——它更正确、更完整!
A "JSESSIONID" is the unique id of the http session - see the javadoc here. There, you'll find the following sentence
“JSESSIONID”是 http 会话的唯一 ID -请参阅此处的 javadoc。在那里,您会找到以下句子
Session information is scoped only to the current web application (ServletContext), so information stored in one context will not be directly visible in another.
会话信息仅适用于当前的 Web 应用程序 (ServletContext),因此存储在一个上下文中的信息在另一个上下文中不会直接可见。
So when you first hit a site, a new session is created and bound to the SevletContext. If you deploy multiple applications, the session is not shared.
因此,当您第一次访问站点时,会创建一个新会话并将其绑定到 SevletContext。如果部署多个应用程序,则不会共享会话。
You can also invalidate the current session and therefore create a new one. e.g. when switching from http to https (after login), it is a very good idea, to create a new session.
您还可以使当前会话无效,从而创建一个新会话。例如,当从 http 切换到 https(登录后)时,创建一个新会话是一个非常好的主意。
Hope, this answers your question.
希望,这回答了你的问题。
回答by Rangachari Anand
Here is some information about one more source of the JSESSIONIDcookie:
以下是有关JSESSIONIDcookie 的另一个来源的一些信息:
I was just debugging some Java code that runs on a tomcat server. I was not calling request.getSession()explicitly anywhere in my code but I noticed that a JSESSIONIDcookie was still being set.
我只是在调试一些在 tomcat 服务器上运行的 Java 代码。我没有request.getSession()在代码中的任何地方显式调用,但我注意到JSESSIONID仍在设置 cookie。
I finally took a look at the generated Java code corresponding to a JSP in the work directory under Tomcat.
终于在Tomcat下的工作目录中查看了生成的Java代码对应的一个JSP。
It appears that, whether you like it or not, if you invoke a JSP from a servlet, JSESSIONIDwill get created!
看来,无论您喜欢与否,如果您从 servlet 调用 JSP,JSESSIONID就会创建!
Added: I just found that by adding the following JSP directive:
补充:我刚刚发现通过添加以下 JSP 指令:
<%@ page session="false" %>
you can disable the setting of JSESSIONIDby a JSP.
您可以JSESSIONID通过 JSP禁用 的设置。
回答by Jerome Jaglale
For links generated in a JSP with custom tags, I had to use
对于在带有自定义标签的 JSP 中生成的链接,我必须使用
<%@ page session="false" %>
in the JSP
在 JSP 中
AND
和
request.getSession().invalidate();
in the Struts action
在 Struts 动作中
回答by polaretto
Beware if your page is including other .jsp or .jspf (fragment)! If you don't set
请注意您的页面是否包含其他 .jsp 或 .jspf(片段)!如果你没有设置
<%@ page session="false" %>
on them as well, the parent page will end up starting a new session and setting the JSESSIONID cookie.
在它们上,父页面最终将启动一个新会话并设置 JSESSIONID cookie。
For .jspf pages in particular, this happens if you configured your web.xml with such a snippet:
特别是对于 .jspf 页面,如果您使用这样的代码段配置了 web.xml,就会发生这种情况:
<jsp-config>
<jsp-property-group>
<url-pattern>*.jspf</url-pattern>
</jsp-property-group>
</jsp-config>
in order to enable scriptlets inside them.
为了在其中启用小脚本。
