In the <web-app-default> block, you can define a <session-config> block:
<session-config>
<session-max>4096</session-max> <!--Default is 4096-->
<session-timeout>20</session-timeout> <!--Default is 30 minutes-->
<enable-url-rewriting>false</enable-url-rewriting>
</session-config>
See <http://caucho.com/resin-3.1/doc/session-tags.xtp> for a list of all the possible session configuration tags.
session tags
Resin adds a number of additions to the standard
tag.
- <cookie-domain>
- <cookie-length>
- <cookie-max-age>
- <cookie-version>
- <ignore-serialization-errors>
- <session-config>
- <session-max>
- <save-mode>
- <session-timeout>
child of session-config
<cookie-domain> configures the host domain to use for sessions, i.e. the value of the Domain cookie attribute.
By default, browsers only send cookies back to the exact host which sent them. In some virtual host cases, it makes sense to share the same cookie value for multiple virtual hosts in the same domain. For example, cookie-domain
would be set to .
<resin xmlns="http://caucho.com/ns/resin">
  <cluster id="app-tier">
    <host id="caucho.com">
      <host-alias>gryffindor.caucho.com</host-alias>
      <host-alias>slytherin.caucho.com</host-alias>
      <web-app-default>
        <session-config cookie-domain="caucho.com"/>
      </web-app-default>
    </host>
  </cluster>
</resin>
child of session-config
<cookie-length> sets the length of the generated cookie value. In some rare cases, the cookie-length might need to be shortened or the cookie-length might be extended to add randomness to the cookie value. For the most part, this value should be left alone.
default 14
child of session-config
<cookie-max-age> sets how long the browser should keep the session cookie.
By default, browsers keep cookies as long as they are open. When the browser is restarted, the cookies are dropped. cookie-max-age tells the browser to keep the cookie for a certain time period. Applications can make this time "infinite" by setting a large number.
<cookie-version> sets the version of the cookie spec for sessions.
default 1.0
child of session-config
<ignore-serialization-errors> is used with persistent sessions in certain rare cases where some session data is serializable and other data is not serializable. <ignore-serialization-errors> simply skips session values which do not implement java.io.Serializable when serializing the session.
default false
Session configuration parameters.
session-timeout | The session timeout in minutes, 0 means never timeout. | 30 minutes |
Resin adds a number of
tags.
always-load-session | Reload data from the store on every request. (resin 1.2) | false |
always-save-session | Save session data to the store on every request. (resin 1.2) | false |
cookie-version | Version of the cookie spec for sessions. (resin 1.2) | 1.0 |
cookie-domain | Domain for session cookies. (resin 1.2) | none |
cookie-max-age | Max age for persistent session cookies. (resin 2.0) | none |
cookie-length | Maximum length of the cookie. (resin 2.1.1) | Integer.MAX_VALUE |
enable-cookies | Enable cookies for sessions. (resin 1.1) | true |
enable-url-rewriting | Enable URL rewriting for sessions. (resin 1.1) | true |
ignore-serialization-errors | When persisting a session, ignore any values which don't implement java.io.Serializable | false |
invalidate-after-listener | Invalidate the session after notifying session listeners. | false |
reuse-session-id | Reuse the session id even if the session has timed out. (resin 2.0.4) | true |
save-only-on-shutdown | Only save session when the application shuts down. (resin 1.2.3) | false |
ssl-cookie-name | Set a different cookie name to use for SSL connections, and add the "secure" flag when setting the cookie in the browser. | |
session-max | Maximum active sessions | 4096 |
use-persistent-store | Uses the current persistent-store to save sessions. (resin 3.0.8) | none |
By default, both enable-cookies and enable-url-rewriting are true. To force url rewriting, you would create a configuration like:
<web-app id='/'>
  <session-config enable-cookies='false' enable-url-rewriting='true'/>
</web-app>
The session-timeout
are purged.
<web-app id='/dir'>
  <session-config>
    <!-- 2 hour timeout -->
    <session-timeout>120</session-timeout>
    <session-max>4096</session-max>
  </session-config>
</web-app>
is used to limit the maximum length for the session's generated cookie for special situations like WAP devices. Reducing this value reduces the randomness in the cookie and increases the chance of session collisions.
defaults to true so that Resin can share the session id amongst different web-apps.
The class that corresponds to <session-config> is com.caucho.server.session.SessionManager
child of session-config
<session-max> sets the maximum number of sessions stored in memory for a particular <web-app>. The total number of persisted sessions may be larger.
default 4096
child of session-config
<save-mode> configures when Resin should save a persistence session during a request. The values are:
after-request | Save the session after the request has been served and completed |
before-headers | Save the session before sending headers to the browser |
on-shutdown | Only save the session when Resin is shutting down |
In some situations, like redirects, a fast browser can send a request back to Resin before the session is persisted with the save-mode. If the server is configured without sticky sessions, the load balancer might send the request to a different server, which may not get the updated session. In the situation, either the save-mode should be changed to or sticky sessions should be enabled. If the save-mode is , the application should take care to make any session changes before sending data to the browser.
default after-request
child of session-config
<session-timeout> sets how long a <web-app> should keep an idle session before invalidating it. The value is specified in minutes.
default 30min
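The tag descriptions above carry several security-relevant defaults: URL rewriting is on unless disabled, a shortened cookie-length reduces randomness, a session-timeout of 0 never expires, cookie-domain shares the cookie across hosts, and ssl-cookie-name is what adds the "secure" flag. As an added example (not part of the Resin documentation or the original answer), the following script checks each <session-config> block in a configuration file against those points. The function names `local`, `settings` and `audit`, the sample configuration and the cookie name `SSLJSESSIONID` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def local(tag):
    """Strip an XML namespace prefix such as {http://caucho.com/ns/resin}."""
    return tag.rsplit("}", 1)[-1]

def settings(node):
    """Collect settings written as attributes or as child elements."""
    values = dict(node.attrib)
    values.update({local(c.tag): (c.text or "").strip() for c in node})
    return values

def audit(xml_text):
    """Return (setting, finding) pairs; each block is checked on its own,
    inheritance from <web-app-default> is not modelled."""
    findings = []
    for node in ET.fromstring(xml_text).iter():
        if local(node.tag) != "session-config":
            continue
        cfg = settings(node)
        if cfg.get("enable-url-rewriting", "true") != "false":
            findings.append(("enable-url-rewriting", "session id may be placed in URLs"))
        if cfg.get("cookie-length", "").isdigit() and int(cfg["cookie-length"]) < 14:
            findings.append(("cookie-length", "shorter than 14, less randomness"))
        if cfg.get("session-timeout") == "0":
            findings.append(("session-timeout", "0 means idle sessions never expire"))
        if "cookie-domain" in cfg:
            findings.append(("cookie-domain", "cookie is sent to every host in the domain"))
        if "ssl-cookie-name" not in cfg:
            findings.append(("ssl-cookie-name", "no separate secure-flagged cookie for SSL"))
    return findings

# Constructed sample configuration (not from the page).
SAMPLE = """<resin xmlns="http://caucho.com/ns/resin">
  <host id="example.test">
    <web-app-default>
      <session-config cookie-domain="example.test">
        <session-timeout>0</session-timeout>
        <cookie-length>8</cookie-length>
      </session-config>
    </web-app-default>
    <web-app id="/hardened">
      <session-config ssl-cookie-name="SSLJSESSIONID">
        <enable-url-rewriting>false</enable-url-rewriting>
      </session-config>
    </web-app>
  </host>
</resin>"""
if __name__ == "__main__":
    print("\n".join(f"{name}: {why}" for name, why in audit(SAMPLE)))
```
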