简体繁体 English

在 Java web 应用程序中使用会话的主要用例

[英]Top use cases for using Sessions in Java web application

原文 2011-04-30 09:37:31 6 5 java/ session/ spring-mvc

I've been always trying to avoid using Sessions.我一直在努力避免使用 Sessions。 I've used spring security or other ways of having user logged in the application, which is I suppose the major use case for using Sessions.我使用了 spring 安全性或其他让用户登录应用程序的方式，我认为这是使用会话的主要用例。

But what are the other use cases?但是其他用例是什么？ Could you please make a list of those most important ones?你能列出那些最重要的吗？ How come that I've been able to develop even complicated applications without using Sessions?为什么我能够在不使用 Sessions 的情况下开发更复杂的应用程序？

Is it because I'm using spring-mvc and using Sessions is practically not needed except the login stuff?是因为我使用的是 spring-mvc 并且除了登录内容之外实际上不需要使用 Sessions 吗？

EDIT: Guys this question was asking for use cases... Most of the answers explains what are sessions for.编辑：伙计们，这个问题是在询问用例......大多数答案都解释了会话的用途。 If we summarize some usecases, we can say for sure, when to use database or sessions for maintaining conversation state... Don't you remember any concrete scenarios you needed sessions for?如果我们总结一些用例，我们可以肯定地说，何时使用数据库或会话来维护会话 state...您不记得您需要会话的任何具体场景吗？ For past years:)过去几年:)

for instance some conversational state may become persistent after some point / event.例如，某些会话 state 可能在某个点/事件之后变得持久。 In this case I'm using database from the beginning.在这种情况下，我从一开始就使用数据库。

5 个解决方案

I think you can do anything you want without storing anything on a sessions.我认为您可以做任何您想做的事情，而无需在会话中存储任何内容。

I usually use the sessions to avoid having to pass state between the client and server (used id as an example) and when I don't want to send sensitive information to the client (even in encrypted form) as it might be a security problem.我通常使用会话来避免在客户端和服务器之间传递 state（以 id 为例）以及当我不想向客户端发送敏感信息（即使是加密形式）时，因为这可能是一个安全问题.

Other ways of avoiding using the session are:避免使用 session 的其他方法是：

store some state on a database, eg shopping carts, instead of in the session, even if the cart is discarded after a certain amount of time.将一些 state 存储在数据库（例如购物车）中，而不是存储在 session 中，即使购物车在一定时间后被丢弃。
store state in cookies eg for user customization将 state 存储在 cookies 中，例如用于用户定制

One use case when it's really useful to use the session is for conversations , although usually frameworks manage that behind scenes, and store the conversation in the session.使用 session 真正有用的一个用例是用于对话，尽管通常框架在幕后管理它，并将对话存储在 session 中。

edit编辑

Converstions (in my understanding) are something like wizards, in which you complete several forms in different pages and at the end you perform the action.转换（在我的理解中）类似于向导，您可以在其中完成不同页面中的几个 forms，最后执行操作。 eg in a checkout process, the user enters his name, shipping address and credit card details in different pages, but you want to submit the order just at the end, without storing any intermediate state in your DB.例如，在结帐过程中，用户在不同的页面中输入他的姓名、送货地址和信用卡详细信息，但您想在最后提交订单，而不在您的数据库中存储任何中间 state。

By sensitive information I mean, imagine in the previous example, once the user sent his credit card details, you shouldn't return that information in any format (even encrypted) to the user.我的意思是敏感信息，想象在前面的例子中，一旦用户发送了他的信用卡详细信息，你不应该以任何格式（甚至加密）将该信息返回给用户。 I know it's a bit paranoid, but that's security:).我知道这有点偏执，但这就是安全性:)。

In the ecommerce system i'm working on, there is an external system at the back-end which stores users' saved shipping and billing addresses.在我正在开发的电子商务系统中，后端有一个外部系统，用于存储用户保存的送货和账单地址。 Our web app talks to it by making web service calls to retrieve those addresses.我们的 web 应用程序通过调用 web 服务调用来检索这些地址来与之对话。 When we get the addresses, we store them in the session.当我们得到地址时，我们将它们存储在 session 中。 That way, we only have to call the service once, when the user firsts looks at their addresses, and not every time we serve a page which needs address information.这样，当用户第一次查看他们的地址时，我们只需要调用一次服务，而不是每次我们提供需要地址信息的页面时。 We have a time-to-live on the addresses, so if the addresses change (eg if the user telephones the customer service desk to change an address), we will eventually pick up the fresh ones.我们对地址有一个生存时间，所以如果地址发生变化（例如，如果用户致电客户服务台更改地址），我们最终会选择新的。

It would be possible to store the addresses in our database, rather than in the session.可以将地址存储在我们的数据库中，而不是 session 中。 But why would we?但我们为什么要这样做？ It's transient information which is already stored permanently somewhere else.它是暂时的信息，已经永久存储在其他地方。 The session is the ideal place for it. session 是它的理想场所。

Well in one sense your question is deep (what's SPECIAL about a session is worth knowing) and in another sense it's shallow (what can't I do if I don't use them turns out to be a somewhat odd question)好吧，从某种意义上说，您的问题很深（session 有什么特别之处值得了解），而在另一种意义上，它很浅（如果我不使用它们，我不能做什么，结果是一个有点奇怪的问题）

In the end a Session is merely (or could be) a ConcurrentHashMap (in fact it usually isn't that threadsafe) with aa key of unique session id passing as the cookie.最后，Session 只是（或可能是）一个 ConcurrentHashMap（实际上它通常不是线程安全的），带有一个唯一的 session id 作为 cookie 传递的键。 You know why it's useful, but to answer you for use cases你知道它为什么有用，但要回答你的用例

clustering (this is how state gets distributed across nodes)集群（这就是 state 跨节点分布的方式）
caching general state of the user and their objects (as opposed to reloading from db each time)缓存用户及其对象的一般 state （而不是每次从数据库重新加载）
built in methods for sessionlisteners to watch when someone is timed out, or attributes change.当有人超时或属性更改时，会话侦听器的内置方法可以监视。 = used for by a lot of localization utilities = 被许多本地化实用程序使用

Can you do all this with a database or your own hashmap implementation/filter?您可以使用数据库或您自己的 hashmap 实现/过滤器来完成所有这些工作吗？ Of course, there's nothing magical about Sessions.当然，Sessions 并没有什么神奇之处。 They are merely a convenient standard for having some objects follow a logged in user and be tied to the lifetime of that user's use of the application.它们只是让某些对象跟随登录用户并与该用户使用应用程序的生命周期相关联的方便标准。

Why do you use Servlets?为什么要使用 Servlets？ You could also implement your own socket level standard?您还可以实现自己的套接字级别标准吗？ The answer to that is using standard apis/implementations provides convenience and other libraries build upon them.答案是使用标准的 apis/implementations 提供了便利，并且其他库建立在它们之上。

The cons are缺点是

you are reinventing the wheel and some code that has been time tested您正在重新发明轮子和一些经过时间测试的代码
you won't be able to use a lot of built in facilities for monitoring/managing/clustering/localizing etc.您将无法使用大量内置设施进行监控/管理/集群/本地化等。

Sessions are one way of maintaining conversational state across multiple requests (eg multiple stateless HTTP requests.)会话是跨多个请求（例如多个无状态 HTTP 请求）维护会话 state 的一种方式。

There are other ways of implementing conversational state, for example, storing an authentication token or some suitable conversation id as a cookie and maintaining a store of conversation id to session state.还有其他实现会话 state 的方法，例如，将身份验证令牌或某些合适的会话 id 存储为 cookie 并将会话 id 存储到 session Z9ED39E2EA931586B6A985A6942EF7。 (In essence, duplicating what the app server is doing when it provides sessions.) （本质上，复制应用服务器在提供会话时所做的事情。）

That you haven't needed to use sessions means that your application either doesn't need conversational state or you've implemented it in a different way.您不需要使用会话意味着您的应用程序不需要会话 state 或者您已经以不同的方式实现它。 For example, perhaps your application uses an authentication token (say a cookie) and persists all state changes to the database.例如，也许您的应用程序使用身份验证令牌（例如 cookie）并将所有 state 更改保存到数据库。 With that kind of arrangement, there is no need for a conversation state.有了这种安排，就不需要对话 state。

Hi you can take an example of shopping cart because since Http is stateless protocol it does not maintain the status of the user who sends the request.嗨，您可以举一个购物车的例子，因为 Http 是无状态协议，它不会维护发送请求的用户的状态。

For eg If one user sends a request to buy camera from say eBay and after some minutes another user sends a request to buy laptop.例如，如果一个用户从 eBay 发送购买相机的请求，几分钟后另一个用户发送购买笔记本电脑的请求。

But since http is stateless protocol so server is not able to separate the request send by the users and may it happen that the bill of the laptop may be given to first user.但是由于 http 是无状态协议，因此服务器无法分离用户发送的请求，并且可能会发生笔记本电脑的账单可能会给第一个用户。

So through session we can maintain a particular entity over the server side for a particular user.因此，通过 session，我们可以在服务器端为特定用户维护特定实体。