问题
HttpServletRequest's getSession(boolean) method mentions session integrity. How does Tomcat maintains session integrity? What rules does it use? What method? What is happening under the hood precisely?
EDIT
How and when is a specific session ID is created? Does Tomcat rely on IP address and port for example?
回答1:
In Tomcat the ManagerBase.generateSessionId() method is responsible for session id generation. It looks for me that session ids are generated based on random numbers. You can store the client's IP address in the session and check it in your webapp but as far as I know Tomcat does not do that.
About session integrity: could you define it, please? There is a paragraph about it in the Java Servlet Specification, Version 3.0 but it isn't too much:
7.1.4 Session Integrity
Web containers must be able to support the HTTP session while servicing HTTP requests from clients that do not support the use of cookies. To fulfill this requirement, Web containers commonly support the URL rewriting mechanism.
回答2:
This blog gives some details on Session Tracking with cookies with Tomcat.
来源:https://stackoverflow.com/questions/7573420/how-does-tomcat-maintain-session-integrity