Where are the Java HttpSession attributes stored?

痴心易碎 submitted on 2020-01-12 04:16:11

Question


Are the objects serialized and sent to the user and back on each connection (stored in cookies)?

Or are they stored in the server heap and the cookie is only a very small identifier?

Any information about this topic would be helpful.

Thank you


Answer 1:


You got it on the second guess.

The cookie contains a JSESSIONID. That id is used to look up the user's HttpSession in a map that the server maintains. At least this is the most common way. There are more intricate ways that the server can implement this, but shuttling the entire state back and forth in a cookie isn't one of them.

This has some implications. First, if the server goes down, you lose session state. Second, if you have a server cluster, you need to get the user connected to the same server each time, or they will lose their session between subsequent requests. Lastly, session hijacking becomes a possibility if someone finds a way to copy someone else's JSESSIONID and replace theirs with it.




Answer 2:


The cookie just contains a session identifier (typically called JSESSIONID). The server maps this identifier to whatever data is currently stored in the user's session.

The data itself may be stored in memory, or it may be serialized to database or to file depending upon what server you are using and its configuration.
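
A small model of the lookup both answers describe, as an added example that is not part of either answer or of any real container's code. The `Node` class, its methods and the sample values are constructed for illustration; it shows the cookie carrying only a random id, a second cluster node holding no state for that id, and id rotation retiring a previously issued id.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Constructed model of a servlet container's session store; not a real container's code.
public class SessionStoreDemo {
    static final SecureRandom RNG = new SecureRandom();

    // One instance per server node: session id -> attribute map, held on the server heap.
    static class Node {
        final Map<String, Map<String, Object>> sessions = new ConcurrentHashMap<>();

        // Returns the value that would go into the JSESSIONID cookie: an opaque random id.
        String createSession() {
            byte[] raw = new byte[16];
            RNG.nextBytes(raw);
            String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            sessions.put(id, new ConcurrentHashMap<>());
            return id;
        }

        // Lookup by cookie value; null means this node holds no state for that id.
        Map<String, Object> lookup(String cookieValue) {
            return cookieValue == null ? null : sessions.get(cookieValue);
        }

        // Move the attributes to a fresh id and retire the old one: the effect of
        // HttpServletRequest.changeSessionId() (Servlet 3.1+), typically called after login.
        String rotateId(String oldId) {
            Map<String, Object> attrs = sessions.remove(oldId);
            if (attrs == null) throw new IllegalStateException("no such session");
            String newId = createSession();
            sessions.put(newId, attrs);
            return newId;
        }
    }

    public static void main(String[] args) {
        Node a = new Node(), b = new Node();
        String cookie = a.createSession();
        a.lookup(cookie).put("user", "alice");   // the attribute never leaves the server
        System.out.println("node A sees: " + a.lookup(cookie));
        System.out.println("node B sees: " + b.lookup(cookie)); // no sticky routing or shared store
        String rotated = a.rotateId(cookie);
        System.out.println("old id after rotation: " + a.lookup(cookie));
        System.out.println("new id after rotation: " + a.lookup(rotated));
    }
}
```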



Source: https://stackoverflow.com/questions/5838179/where-are-the-java-httpsession-attributes-stored
