Best option for session management in Java

Notice: this page is a Chinese/English translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use or share it you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original authors (not me): StackOverflow, original address: http://stackoverflow.com/questions/1700390/

Date: 2020-08-12 21:42:42  Source: igfitidea

Best option for Session management in Java

Tags: java, session, servlets, cookies, url-rewriting

Asked by Sachin Chourasiya

What is the best way of managing sessions in Java? I heard that cookies are not a reliable option for this as they get stored in the browser and can be accessed later on. Is this correct? If possible please come up with answers with a coding example.


Which is the best among:


  • URL Rewriting: Server will add an additional parameter at the end of URL link
  • Hidden parameter in Form: server will add an additional parameter at every form in HTML
  • cookie: Server will ask browser to maintain a cookie.

Answered by Aaron Digulla

All Java web frameworks support cookies or URL-encoded session IDs. They will choose the correct approach automatically, so there is nothing you need to do. Just request the session object from your container and it will handle the details.


[EDIT] There are two options: cookies and a special URL. There are problems with both approaches. For example, if you encode the session in a URL, people can try to pass the session on (by putting the URL into a mail, for example). If you want to understand this, read a couple of articles about security and building app servers. Otherwise: your Java app server will do the right thing for you. Don't think about it.


Answered by Pascal Thivent

The cookie just stores the session ID, this ID is useless once the session has expired.


Answered by Andrey Adamovich

The Servlet specification defines the API for accessing/setting session data in a standard J2EE application. It also defines that session data is stored on the server side and nothing is transferred to the client except the session identifier. There are 2 mechanisms by which the session id is transferred:


1) request URL, e.g. jsessionid=....
2) cookie


Mechanism is determined automatically based on client capabilities.


EDIT. There is no best option, there is servlet specification that defines the way.

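Both Aaron Digulla's and Andrey Adamovich's answers above say the container picks between a cookie and a URL-carried jsessionid on its own, and Aaron's edit points out that a URL-carried ID can be passed on by copying the URL. The listener below is an added example, not code from either answer, of telling a Servlet 3.0+ container to carry the session ID in a cookie only and to harden that cookie. It assumes the javax.servlet 3.0 API and a container that scans for @WebListener; the class name SessionTrackingConfig is my own.

```java
// Added example (not from the original answers): restrict session tracking
// to cookies so the ID never appears in a URL that could be copied into a
// mail or leak through a Referer header. Assumes the javax.servlet 3.0+ API;
// the class name is an assumption of this example.
import java.util.EnumSet;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

@WebListener
public class SessionTrackingConfig implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // Cookie only: the container will neither append ;jsessionid=... in
        // encodeURL() output nor accept a session ID supplied in the path.
        // This call is only legal while the context is being initialized,
        // which is why it lives in a ServletContextListener.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true); // not readable from document.cookie, so XSS cannot copy it
        cookie.setSecure(true);   // sent over HTTPS only, so it cannot be sniffed in clear text
        cookie.setMaxAge(-1);     // browser-session cookie: discarded when the browser closes
        String path = ctx.getContextPath();
        cookie.setPath(path.isEmpty() ? "/" : path); // scope to this application only
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}
```

The same policy can be declared in web.xml instead: a session-config element containing tracking-mode with the value COOKIE and a cookie-config element with http-only and secure set to true. Either form means the container never falls back to URL rewriting for a client without cookies; such a client simply cannot hold a session, which is usually the right trade for an authenticated application.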

Answered by Avi Y

2 important questions:


  1. Which web technology are you using? JSF, Struts, SpringMVC or just plain servlets/JSPs.

    • Servlets/JSPs already give you the session support you need.
      JSP Example: Hello, <%= session.getAttribute( "theName" ) %>

    • I really don't think you have something to worry about with cookies, since the data is stored safely on the server and handling the cookie is done automatically.

  2. Is your application installed on a single server?

    • If YES then you have no problem, use the servlet session option.

    • If NO then you gotta find another way to do this. Like using a sticky session, or maybe parse the entire session object in the requests/responses as a field. This option indeed requires you to take security measures.


Answered by Zanyking

HTTP is a stateless, client-side pull-only protocol.


To implement a stateful conversation over it, a Java EE web server needs to hide some information (the session id) on the client side, and the mechanism it uses should follow the HTTP and HTML specs.


There are three ways to accomplish this goal:


  1. URL Rewriting: Server will add an additional parameter at the end of URL link.
  2. Hidden parameter in Form: server will add an additional parameter at every form in HTML.
  3. cookie: Server will ask browser to maintain a cookie.

Basically, a modern web server will have a "filter" to choose which way to use automatically.
So if the server detects that the browser has turned off cookie support, it will switch to the other ways.


Answered by BalusC

The session management (client identification, cookie handling, saving session scoped data and so on) is basically already done by the appserver itself. You don't need to worry about it at all. You can just set/get Java objects in the session by HttpSession#setAttribute() and #getAttribute(). The only thing you really need to take care of is the URL rewriting for the case that the client doesn't support cookies. It will then append a jsessionid identifier to the URL. In the JSP you can use the JSTL's c:url for this. In the Servlet you can use HttpServletResponse#encodeURL() for this. This way the server can identify the client by reading the new request URL.


Your new question shall probably be "But how are cookies related to this? How does the server do it all?". Well, the answer is this: if the server receives a request from a client and the server side code (your code) is trying to get the HttpSession by HttpServletRequest#getSession() while there's none created yet (first request in a fresh session), the server will create a new one itself. The server will generate a long, unique and hard-to-guess ID (the one which you can get by HttpSession#getId()) and set this ID as the value of a cookie with the name jsessionid. Under the hood the server uses HttpServletResponse#addCookie() for this. Finally the server will store all sessions in some kind of Map with the session ID as key and the HttpSession as value.


According to the HTTP cookie spec the client is required to send the same cookies back in the headers of the subsequent request. Under the hood the server will search for the jsessionid cookie by HttpServletRequest#getCookies() and determine its value. This way the server is able to obtain the associated HttpSession and give it back on every call to HttpServletRequest#getSession().


To the point: the only thing which is stored on the client side is the session ID (in the flavor of a cookie) and the HttpSession object (including all of its attributes) is stored on the server side (in Java's memory). You don't need to worry about session management yourself and you also don't need to worry about the security.


See also:

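BalusC's answer above describes HttpServletRequest#getSession(), the jsessionid cookie and HttpServletResponse#encodeURL() in prose. The servlet below is an added example, not code from the answer, that exercises that lifecycle end to end: it reads the session without creating one, replaces the session ID at login so an ID planted in the browser before authentication (session fixation) is not carried into the logged-in session, stores a user attribute, encodes the redirect URL, reports which carrier the ID arrived on, and invalidates the session on logout. It assumes the javax.servlet 3.1+ API for HttpServletRequest#changeSessionId(); the /login mapping, the attribute name and the checkPassword() placeholder are my own.

```java
// Added example (not from the original answers): the session lifecycle the
// answer describes, written out as a servlet. Assumes the javax.servlet 3.1+
// API (changeSessionId()); mapping, attribute name and checkPassword() are
// assumptions of this example.
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    private static final String USER_ATTR = "authenticatedUser";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getSession(false) does not create a session: an anonymous visitor
        // should neither cost server memory nor receive a Set-Cookie yet.
        HttpSession session = req.getSession(false);
        String user = (session == null) ? null : (String) session.getAttribute(USER_ATTR);
        resp.setContentType("text/plain");
        if (user == null) {
            resp.getWriter().println("Not logged in.");
            return;
        }
        resp.getWriter().println("Hello, " + user);
        // Which carrier delivered the ID? A 'true' from the URL check means the
        // ID was in the path and may already sit in a Referer header or a mail.
        resp.getWriter().println("id from cookie: " + req.isRequestedSessionIdFromCookie()
                + ", id from URL: " + req.isRequestedSessionIdFromURL());
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        if (username == null || password == null || !checkPassword(username, password)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // The ID issued before authentication must not survive login; otherwise
        // whoever planted that ID in the browser now holds an authenticated
        // session. changeSessionId() keeps the attributes, issues a fresh ID
        // and makes the container send a new Set-Cookie.
        HttpSession session = req.getSession(true);
        req.changeSessionId();
        session.setAttribute(USER_ATTR, username);
        session.setMaxInactiveInterval(15 * 60); // idle timeout, in seconds

        // encodeRedirectURL() appends ;jsessionid=... only if the container has
        // fallen back to URL rewriting; with cookies it returns the URL unchanged.
        resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/login"));
    }

    @Override
    protected void doDelete(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Logout: drop the server-side entry. The ID still in the browser's
        // cookie is then useless, as Pascal Thivent's answer notes.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    // Placeholder credential check (constructed for this example): a real
    // application verifies a salted password hash from its user store here.
    private boolean checkPassword(String username, String password) {
        return "alice".equals(username) && "correct horse".equals(password);
    }
}
```

Deployed in a Servlet 3.1 container, a POST with username=alice and password=correct horse answers with a 302 to /login and a fresh JSESSIONID cookie; a following GET prints the greeting and the carrier flags, and a DELETE ends the session so the next GET reports "Not logged in." again. The getSession(false) and changeSessionId() calls are the two places where an application's own code, rather than the container, decides how much a session ID is worth to an attacker.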