cookie与sessionID之间的关系实验
上一篇介绍了cookie,这里来看看cookie与sessionID之间有什么关系。
一、编写测试用例代码
新建一个servlet如下:
public class SessionServlet extends HttpServlet { private static final long serialVersionUID = 1L; /** * @see HttpServlet#HttpServlet() */ public SessionServlet() { super(); // TODO Auto-generated constructor stub } /** * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response) */ protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
System.out.println("----->进入doget方法......"); HttpSession session=request.getSession(); System.out.println("sessionId:---->"+session.getId()); //获得请求中的cookie Cookie[] cs=request.getCookies(); if(cs!=null){//有cookie,并且又指定的cookie System.out.println("cookie长度:"+cs.length); for(Cookie co:cs){ System.out.println(co.getName()+";"+co.getValue()); } }else{ System.out.println("没有cookie"); } Cookie visitCookie=new Cookie("visitCookie","yes"); visitCookie.setMaxAge(60*60);//设置cookie失效时间 response.addCookie(visitCookie); PrintWriter out=response.getWriter(); out.print("<html><body><h1>sessionId:"+session.getId()+"</h1></body></html>"); } /** * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response) */ protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { this.doGet(request, response); } }
二、开始测试
1.使用 火狐浏览器打开连接
第 1 次打开链接,请求头响应头如下:
【响应头】:
| Connection | close |
| Content-Language | zh-CN |
| Content-Length | 318 |
| Content-Type | text/html;charset=ISO-8859-1 |
| Date | Tue, 26 Feb 2019 03:11:49 GMT |
| Set-Cookie | JSESSIONID=1D8268B571F492DDE6DA2A4D5B6BC2E3;path=/;HttpOnly |
【请求头】
| Accept | text/html,application/xhtml+xm…plication/xml;q=0.9,*/*;q=0.8 |
| Accept-Encoding | gzip, deflate |
| Accept-Language | zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 |
| Connection | keep-alive |
| Host | localhost:8899 |
| Upgrade-Insecure-Requests | 1 |
| User-Agent | Mozilla/5.0 (Windows NT 10.0; …) Gecko/20100101 Firefox/56.0 |
【控制台输出】:
sessionId : 1D8268B571F492DDE6DA2A4D5B6BC2E3
jsessionId:
第 2 次打开连接(刷新页面)
【响应头】
| Content-Length | 89 |
| Content-Type | text/html;charset=UTF-8 |
| Date | Tue, 26 Feb 2019 03:15:02 GMT |
【请求头】
| Accept | text/html,application/xhtml+xm…plication/xml;q=0.9,*/*;q=0.8 |
| Accept-Encoding | gzip, deflate |
| Accept-Language | zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 |
| Cache-Control | max-age=0 |
| Connection | keep-alive |
| Cookie | JSESSIONID=1D8268B571F492DDE6DA2A4D5B6BC2E3 |
| Host | localhost:8899 |
| Upgrade-Insecure-Requests | 1 |
| User-Agent | Mozilla/5.0 (Windows NT 10.0; …) Gecko/20100101 Firefox/56.0 |
【控制台输出】
sessionId: 1D8268B571F492DDE6DA2A4D5B6BC2E3
jsessionId: 1D8268B571F492DDE6DA2A4D5B6BC2E3
第三次打开连接(再次刷新页面)
于第二次一致
结论:
首次访问时:服务器创建 session,并告诉客户端设置cookie来存储sessionId ,即如下响应头:
| Set-Cookie | JSESSIONID=1D8268B571F492DDE6DA2A4D5B6BC2E3;path=/;HttpOnly |
再次访问时:客户端 携带此 存有此 sessionId (cookie中为jsessionId)的cookie给服务器。【告诉服务器,我就是刚才那个人】
2. 关闭浏览器看看 session 会如何变化
第一次访问, 响应头
| Set-Cookie | JSESSIONID=927B67009E1E4439F8857074B867AF3A;path=/;HttpOnly |
sessionId : 927B67009E1E4439F8857074B867AF3A
jsessionId :
再次刷新:
sessionId: 927B67009E1E4439F8857074B867AF3A
jsessionId: 927B67009E1E4439F8857074B867AF3A
结论: 关闭浏览器之后,重新打开页面,会开启新的session
3.禁用浏览器cookie,访问四次如下:
禁用cookie之后,每次sessionID都不一样
所以,当客户端禁用cookie之后,便不好跟踪用户了。这时可使用response.encodeURL
servlet中response.sendRedirect(response.encodeRedirectURL("2.jsp"));
jsp中:<a href="<%=response.encodeURL("http://localhost:6060/xxx/xxxServlet")%>">111</a>
