* Passing session-specific data through the application object is not safe.
* Different sessions could override each other.
* When the browser is closed and started again, a new session object is created but the application is still the same.
* Flow:
- When the first request comes from a browser on a new host, the server starts a new session and assigns a new session ID.
- The session ID is then sent to the browser as a cookie.
- The browser will remember this ID, and send the ID back to the server in the subsequent requests.
- When the server receives a request with a session ID in it, it knows this is a continuation of an existing session.
- When the server receives a request from a browser on a new host (a request without a session ID), the server not only creates a new session ID, it also creates a new session object associated with that session ID.
* If there is no subsequent request coming back for a long time for a particular session ID, that session will be timed out. After the session has been timed out, if the browser comes back again with the associated session ID, the server will give an invalid session error.
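The flow above, together with the application-object pitfall from the first two points, as an added example that is not from the original notes: a minimal Python model of the container's behaviour rather than JSP code. The `Server` class, the 1800-second timeout and the `user` attribute are assumptions made for illustration; `JSESSIONID` is the cookie name servlet containers use by default.

```python
import secrets

SESSION_TIMEOUT = 1800  # seconds; assumed value, the notes give none

class InvalidSession(Exception):
    """The request carried a session ID the server no longer accepts."""

class Server:  # hypothetical stand-in for the JSP container
    def __init__(self):
        self.application = {}  # one object shared by every session
        self.sessions = {}     # session ID -> (last access time, session object)

    def handle(self, cookies, user, now):
        """Process one request; return (cookies to set, session object)."""
        sid = cookies.get("JSESSIONID")
        set_cookies = {}
        if sid is None:
            # No session ID in the request: new ID plus new session object.
            sid = secrets.token_urlsafe(32)  # unpredictable identifier
            self.sessions[sid] = (now, {})
            set_cookies["JSESSIONID"] = sid
        else:
            entry = self.sessions.get(sid)
            if entry is None or now - entry[0] > SESSION_TIMEOUT:
                self.sessions.pop(sid, None)  # timed out: discard the session
                raise InvalidSession(sid)
        session = self.sessions[sid][1]
        self.sessions[sid] = (now, session)   # refresh last access time
        if user is not None:
            session["user"] = user            # session scope: private
            self.application["user"] = user   # application scope: last writer wins
        return set_cookies, session

def demo():
    """Two browsers log in; the first then reads both scopes and later times out."""
    server = Server()
    alice_jar, bob_jar = {}, {}  # constructed cookie jars, one per browser
    alice_jar.update(server.handle(alice_jar, "alice", now=0)[0])
    bob_jar.update(server.handle(bob_jar, "bob", now=10)[0])
    _, alice_session = server.handle(alice_jar, None, now=20)
    result = {"session_user": alice_session["user"],
              "application_user": server.application["user"]}
    try:
        server.handle(alice_jar, None, now=20 + SESSION_TIMEOUT + 1)
        result["expired"] = False
    except InvalidSession:
        result["expired"] = True
    return result

if __name__ == "__main__":
    print(demo())
```

The first browser still sees its own value in the session object, while the application object holds whatever the most recent session wrote.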
Cookie
* Cookie: A small amount of information sent by a Web server to a Web browser, saved by the browser, and sent back to the server later.
* Cookies are transmitted inside the HTTP header.
* If I keep clicking the refresh button, more and more cookies would be added to the request and response. But there is a limit. The browser will only take up to 20 cookies from one Web server.
* Reference
- JSP and JSTL Tutorials - Herong's Tutorial Notes - JSP Sessions and Debugging
- JSP and JSTL Tutorials - Herong's Tutorial Notes - Using Cookies