JSESSIONIDis a low-level mechanism that you typically shouldn't care about. On the server side the servlet container transparently translates JSESSIONIDto an HttpSessionobject available in the servlet. The session id is passed to the server transparently as well using Cookieheader or URL rewriting.

JSESSIONID是一种您通常不应该关心的低级机制。在服务器端，servlet 容器透明地转换JSESSIONID为servlet 中HttpSession可用的对象。会话 id 也使用Cookie标头或 URL 重写透明地传递给服务器。

So if you are clicking on a link or posting an ordinary form in a webpage, the browser automatically passes JSESSIONIDcookie or attaches it to URL.

因此，如果您在网页中单击链接或发布普通表单，浏览器会自动传递JSESSIONIDcookie 或将其附加到 URL。

Your design has a major flaw: secure servlet containers should add HttpOnlyattribute to JSESSIONIDcookie (see: How do you configure HttpOnly cookies in tomcat / java webapps?) This is to prevent JavaScript from reading JSESSIONIDcookie for security reasons - like hiHymaning user session. Your applet might not even see that cookie!

您的设计有一个主要缺陷：安全的 servlet 容器应该HttpOnly向JSESSIONIDcookie添加属性（请参阅：如何在 tomcat/java webapps 中配置 HttpOnly cookie？）这是为了防止 JavaScriptJSESSIONID出于安全原因读取cookie - 比如劫持用户会话。您的小程序甚至可能看不到那个 cookie！

I don't know much about applets, but I would advice you to perform HTTP request via web browser somehow so the security identification (cookie) is handled automatically.

我对applet了解不多，但我建议您以某种方式通过 Web 浏览器执行 HTTP 请求，以便自动处理安全标识 (cookie)。

The Java EE container will do most of the work for you. There are a couple of short-cuts you can take depending on with authentication method you use and the details of how the container behaves. I'll ignore those short-cuts for now. I am assuming that the user provides their information to the web application in some form - for example by logging in.

Java EE 容器将为您完成大部分工作。根据您使用的身份验证方法和容器行为的详细信息，您可以采取一些捷径。我现在将忽略这些捷径。我假设用户以某种形式向 Web 应用程序提供他们的信息 - 例如通过登录。

When the user logs in, create a session (if one doe snot already exist) and add their user name (and any other details you like) to the session as session attributes.

当用户登录时，创建一个会话（如果已经存在）并将他们的用户名（以及您喜欢的任何其他详细信息）作为会话属性添加到会话中。

When a request comes in that already has a session, just retrieve the user details from the session. The container takes care of mapping the session ID in the request to the right session object and making that available to the request.

当一个已经有会话的请求进来时，只需从会话中检索用户详细信息。容器负责将请求中的会话 ID 映射到正确的会话对象并使其可用于请求。

If the session ID is invalid, the container will not associate a session object to the request.

如果会话 ID 无效，容器将不会将会话对象与请求关联。

One final thing to watch out for is HttpOnly cookies. Containers should be using these by default for session IDs (to protect against XSS attacks). For the session ID to be available to the applet you'll need to disable the HttpOnly protection for the session cookies. This means that if you application has an XSS vulnerability it will be easy for an attacker to steal user session cookies.

最后要注意的一件事是 HttpOnly cookie。默认情况下，容器应该将这些用于会话 ID（以防止 XSS 攻击）。要使小程序可以使用会话 ID，您需要禁用会话 cookie 的 HttpOnly 保护。这意味着如果您的应用程序存在 XSS 漏洞，攻击者很容易窃取用户会话 cookie。