我想知道什么时候确切地 HttpSession 会过期(与销毁不一样)?
我想弄清楚 session.getLastAccessedTime() + (session.getMaxInactiveInterval() * 1000) 是否会在每次带有相同 session ID 的请求时给我准确的 session 到期时间(以毫秒为单位)!
来自javadocs:
long getLastAccessedTime()
Returns the last time the client sent a request associated with this session, as the number of milliseconds since midnight January 1, 1970 GMT, and marked by the time the container received the request.int getMaxInactiveInterval()
Returns the maximum time interval, in seconds, that the servlet container will keep this session open between client accesses.
假设我们有以下内容:
Treq1 - 容器收到第一个请求的时间 (HttpSession.lastAccessedTime)
Tresp1 - 容器发送第一个响应的时间
Preq1 - Treq1 和 Tresp1 之间的时间段(服务器处理第一个请求的时间段)
Treq2 - 容器收到第二个请求的时间 (HttpSession.lastAccessedTime)
Preq1req2 - Treq1 和 Treq2 之间的时间段(请求进入容器的时间间隔)
Presp1req2 - Tresp1 和 Treq2 之间的时间段(第一个响应退出容器和第二个请求进入容器之间的时间)
那么现在,服务器何时将 session 计算为过期? 何时:
1. Treq1 + maxInactiveInterval < Treq1 + Preq1req2 => maxInactiveInterval < Preq1req2
2. Tresp1 + maxInactiveInterval < Tresp1 + Presp1req2 => maxInactiveInterval < Presp1req2
这部分,servlet 容器将在客户端访问之间保持此 session 打开 有点令人困惑。是指请求进入容器之间,还是响应退出和请求进入之间?
旁注,我知道 session 可能不会在确切的到期时间销毁,但我不知道还不知道它是否在容器中发生任何请求处理逻辑之前被销毁。我指的是持有过期 session ID 的请求。
亲切的问候,
暴君
最佳答案
session 机制是Servlet specification的一部分,它要求:
In the HTTP protocol, there is no explicit termination signal when a client is no longer active. This means that the only mechanism that can be used to indicate when a client is no longer active is a time out period.
The default time out period for sessions is defined by the servlet container and can be obtained via the getMaxInactiveInterval method of the HttpSession interface. This time out can be changed by the Developer using the setMaxInactiveInterval method of the HttpSession interface. The time out periods used by these methods are defined in seconds. By definition, if the time out period for a session is set to -1, the session will never expire. The session invalidation will not take effect until all servlets using that session have exited the service method. Once the session invalidation is initiated, a new request must not be able to see that session.
The getLastAccessedTime method of the HttpSession interface allows a servlet to determine the last time the session was accessed before the current request. The session is considered to be accessed when a request that is part of the session is first handled by the servlet container.
假设“非 Activity 间隔”以“lastAccessedTime”开始可能是安全的。
关于java - HttpSession 到底什么时候过期(开始有资格销毁 - 不一定销毁)?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/14154696/