
Session Series, Part 3: Session-related configuration in Tomcat

中间件技术讨论圈 (Middleware Technology Discussion Circle), 2016-07-29

Some session attributes are exposed for configuration in Tomcat.


1. The session-config tag

Session-related configuration, because it is tied to the application, is done mainly in web.xml:


The session-config tag is the parent node for session settings; its most important child node configures the session timeout.

Because web.xml belongs to a single application, every application has its own session configuration.


Beyond that, we can see several other attributes that can be configured:


sessionTimeout: the session timeout

cookieName: the name of the cookie in which the session ID is stored; defaults to JSESSIONID

cookieDomain: the domain of the cookie associated with the session. For example, for the URL www.jb51.net/test/test.aspx the domain defaults to www.jb51.net; if this attribute is not defined, it defaults to the current Context's setting

cookiePath: with cookieDomain as the prefix and cookiePath as the suffix, this is the path of the cookie associated with the session. If not configured, it defaults to the current Context's setting

cookieComment: the cookie's comment

cookieHttpOnly: this attribute works as follows:

`HttpOnly`:

Set-Cookie: RMID=732423sdfs73242; expires=Fri, 31-Dec-2010 23:59:59 GMT; path=/; domain=.example.net; HttpOnly

When the browser receives such a cookie, it is supposed to use it as usual in the following HTTP exchanges, but not to make it visible to client-side scripts. The `HttpOnly` flag is not part of any standard, and is not implemented in all browsers. Note that there is currently no prevention of reading or writing the session cookie via a XMLHTTPRequest.

Browser-side JavaScript can normally read cookies, but there is a way to keep JavaScript from reading one: add the HttpOnly flag to the response header:


This protects the session: the other, non-sensitive cookies can still be read by JavaScript, but the sensitive session data cannot be obtained in this request (although one can imagine workarounds, such as tampering with the server-side output stream so that JSESSIONID is written out directly with JS).

cookieSecure: this attribute guarantees that the cookie is only transmitted to the server over HTTPS; over plain HTTP it is never sent to the server. For the session cookie this effectively prevents session eavesdropping, since the session is confined to HTTPS.

cookieMaxAge: the maximum lifetime of the cookie in which the session is stored.

sessionTrackingMode: the session tracking strategy: cookie tracking, URL rewriting, or even restricting the application's sessions to HTTPS. These values are the same as the ones defined in the Servlet specification.


Several of the attributes above may be configured; if more than one is set, they take effect in the order given.
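The settings listed above, written out as the standard `session-config` element of a Servlet 3.1 web.xml. This is an added example, not a file from the original post; the names the post uses (sessionTimeout, cookieName, cookieHttpOnly, ...) are Tomcat's internal attribute names for these same elements, and the cookie name APPSESSIONID and the 30-minute timeout are arbitrary sample values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: web.xml fragment for a Servlet 3.1 application.
     The Servlet container (Tomcat) reads session-config and applies it to this one webapp. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <session-config>
    <!-- sessionTimeout: minutes of inactivity after which the session expires (sample value) -->
    <session-timeout>30</session-timeout>

    <cookie-config>
      <!-- cookieName: defaults to JSESSIONID; APPSESSIONID is a sample name -->
      <name>APPSESSIONID</name>
      <!-- cookieDomain / cookiePath are left unset, so they default to the Context's values -->
      <!-- cookieHttpOnly: keep client-side script away from the session ID -->
      <http-only>true</http-only>
      <!-- cookieSecure: the browser only sends the cookie over HTTPS -->
      <secure>true</secure>
      <!-- cookieMaxAge: -1 makes it a browser-session cookie (discarded when the browser closes) -->
      <max-age>-1</max-age>
    </cookie-config>

    <!-- sessionTrackingMode: COOKIE only, so the session ID is never rewritten into URLs
         (where it would end up in access logs, Referer headers and browser history) -->
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>

</web-app>
```

The Servlet specification also allows `<tracking-mode>SSL</tracking-mode>` and `<tracking-mode>URL</tracking-mode>`; listing several tracking-mode elements enables more than one mode, which is the "configure several, applied in order" behaviour the post describes.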


2. Context attribute configuration

In early Tomcat versions the session-config settings above could actually be configured on the Context:


In newer Tomcat versions this configuration has moved to web.xml, or is done programmatically through the API, like so:

session.setMaxInactiveInterval(600);

The argument 600 is in seconds, i.e. after 10 minutes without activity the session expires.

Let's look at the configuration attributes in the official Tomcat documentation:

cookies

Set to true if you want cookies to be used for session identifier communication if supported by the client (this is the default). Set to false if you want to disable the use of cookies for session identifier communication, and rely only on URL rewriting by the application.

Whether this application uses cookies to carry the session ID

sessionCookieDomain

The domain to be used for all session cookies created for this context. If set, this overrides any domain set by the web application. If not set, the value specified by the web application, if any, will be used.

Same as cookieDomain in section 1

sessionCookieName

The name to be used for all session cookies created for this context. If set, this overrides any name set by the web application. If not set, the value specified by the web application, if any, will be used, or the name JSESSIONID if the web application does not explicitly set one.

Same as cookieName in section 1

sessionCookiePath

The path to be used for all session cookies created for this context. If set, this overrides any path set by the web application. If not set, the value specified by the web application will be used, or the context path used if the web application does not explicitly set one. To configure all web application to use an empty path (this can be useful for portlet specification implementations) set this attribute to / in the global CATALINA_BASE/conf/context.xml file.

Note: Once one web application using sessionCookiePath="/" obtains a session, all subsequent sessions for any other web application in the same host also configured with sessionCookiePath="/" will always use the same session ID. This holds even if the session is invalidated and a new one created. This makes session fixation protection more difficult and requires custom, Tomcat specific code to change the session ID shared by the multiple applications.

Same as cookiePath in section 1

sessionCookiePathUsesTrailingSlash

Some browsers, such as IE, will send a session cookie for a context with a path of /foo with a request to /foobar. To prevent this, Tomcat will add a trailing slash to the path associated with the session cookie so, in the above example, the cookie path becomes /foo/. However, with a cookie path of /foo/, IE will no longer send the cookie with a request to /foo. This should not be a problem unless there is a servlet mapped to /*. In this case this feature will need to be disabled. The default value for this attribute is true. To disable this feature, set the attribute to false.

This attribute addresses browsers such as IE, where the session cookie is stored without the trailing slash, which can lead to path mismatches;

useHttpOnly

Should the HttpOnly flag be set on session cookies to prevent client side script from accessing the session ID? Defaults to true.

Same as cookieHttpOnly in section 1

validateClientProvidedNewSessionId

When a client provides the ID for a new session, this attribute controls whether that ID is validated. The only use case for using a client provided session ID is to have a common session ID across multiple web applications. Therefore, any client provided session ID should already exist in another web application. If this check is enabled, the client provided session ID will only be used if the session ID exists in at least one other web application for the current host. Note that the following additional tests are always applied, irrespective of this setting:

  • The session ID is provided by a cookie

  • The session cookie has a path of /

If not specified, the default value of true will be used.

In a clustered environment the session IDs differ from machine to machine (this is tied to the unique jvmRoute identifier), but Tomcat can provide the same session ID for every machine in the cluster on a per-request basis;

Once this attribute is configured, that function is enabled.

It can be seen that the main attributes in server.xml correspond closely to those configured in web.xml.
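The Context attributes quoted above, collected into one META-INF/context.xml (the same attributes can be placed on a `<Context>` in server.xml). This is an added example and not a file from the original post; the attribute names are exactly those quoted from the Tomcat documentation above, while the cookie name APPSESSIONID is a sample value.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: per-webapp META-INF/context.xml.
     Values set here override the web application's own web.xml session-config. -->
<Context cookies="true"
         sessionCookieName="APPSESSIONID"
         useHttpOnly="true"
         sessionCookiePathUsesTrailingSlash="true"
         validateClientProvidedNewSessionId="true">

  <!-- sessionCookiePath and sessionCookieDomain are deliberately NOT set: the path
       then defaults to this context path. Setting sessionCookiePath="/" on several
       webapps of one host makes them share a session ID, which (as the documentation
       quoted above warns) makes session fixation protection harder. -->

</Context>
```

With `cookies="true"` and `useHttpOnly="true"` the container emits the session cookie with the HttpOnly flag; the `secure` flag is still governed by the web.xml `cookie-config` or by a connector that is marked `secure`.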


3. The Manager element

The server.xml configuration is not yet fully covered; the most important part is the StandardManager configuration. This class manages sessions, persistence in particular;

In server.xml this maps to the Manager element under the <Context> node

className

Java class name of the implementation to use. This class must implement the org.apache.catalina.Manager interface. If not specified, the standard value (defined below) will be used.

The session manager implementation exposed by Tomcat; defaults to org.apache.catalina.session.StandardManager

maxActiveSessions

The maximum number of active sessions that will be created by this Manager, or -1 (the default) for no limit.

When the limit is reached, any attempt to create a new session (e.g. with HttpServletRequest.getSession() call) will fail with an IllegalStateException.

The maximum number of active sessions. The implementation of this attribute is quite simple: whenever a session needs to be created, a check against this limit is made

sessionIdLength

The length of session ids created by this Manager, measured in bytes, excluding subsequent conversion to a hexadecimal string and excluding any JVM route information used for load balancing. This attribute is deprecated. Set the length on a nested SessionIdGenerator element instead.

Sets the length of the session ID, but newer versions use a nested SessionIdGenerator for this

As for SessionIdGenerator, it is simply about how the session ID is generated:

className

Java class name of the implementation to use. This class must implement the org.apache.catalina.SessionIdGenerator interface. If not specified, the standard value (defined below) will be used.


The implementation class of SessionIdGenerator; a custom implementation may be used; defaults to org.apache.catalina.SessionIdGenerator;

jvmRoute

A routing identifier for this Tomcat instance. It will be added to the session id to allow for stateless stickyness routing by load balancers. The details on how the jvmRoute will be included in the id are implementation dependent. See Standard Implementation for the default behavior.

NOTE - The value for this property is inherited automatically from the jvmRoute attribute of the Engine element.


Every Tomcat instance has its own jvmRoute;

sessionIdLength

The length of session ids created by this SessionIdGenerator. The details on how the sessionIdLength influences the session id length are implementation dependent. See Standard Implementation for the default behavior.


The length of the generated session ID;

For the className above, Tomcat allows two implementations: org.apache.catalina.session.StandardManager and org.apache.catalina.session.PersistentManager.


If the implementation is Tomcat's default org.apache.catalina.session.StandardManager, the configuration is:

pathname

Absolute or relative (to the work directory for this Context) pathname of the file in which session state will be preserved across application restarts, if possible. The default is "SESSIONS.ser". See Persistence Across Restarts for more information. This persistence may be disabled by setting this attribute to an empty string.


SESSIONS.ser is the file to which session information is persisted; pathname is its path. If not given, the default location is the context's folder under the work directory.

The file is reloaded when Tomcat starts;

processExpiresFrequency

Frequency of the session expiration, and related manager operations. Manager operations will be done once for the specified amount of backgroundProcess calls (i.e., the lower the amount, the more often the checks will occur). The minimum value is 1, and the default value is 6.


StandardManager checks the expiry of current sessions at intervals. The lower this parameter, the more frequent the checks and the more system resources consumed; if you do not mind a session timing out a few seconds late, set a relatively large value;

Minimum 1 s, default 6 s;

secureRandomClass

Name of the Java class that extends java.security.SecureRandom to use to generate session IDs. If not specified, the default value is java.security.SecureRandom.


Session ID generation needs a random number generator; by default java.security.SecureRandom is used. This attribute sets which custom class produces the random numbers;

secureRandomProvider

Name of the provider to use to create the java.security.SecureRandom instances that generate session IDs. If an invalid algorithm and/or provider is specified, the Manager will use the platform default provider and the default algorithm. If not specified, the platform default provider will be used.


The Provider used to create the random number generator;

secureRandomAlgorithm

Name of the algorithm to use to create the java.security.SecureRandom instances that generate session IDs. If an invalid algorithm and/or provider is specified, the Manager will use the platform default provider and the default algorithm. If not specified, the default algorithm of SHA1PRNG will be used. If the default algorithm is not supported, the platform default will be used. To specify that the platform default should be used, do not set the secureRandomProvider attribute and set this attribute to the empty string.


If a custom random number class is used, the algorithm can be specified here; defaults to SHA1PRNG;

sessionAttributeNameFilter

A regular expression used to filter which session attributes will be distributed. An attribute will only be distributed if its name matches this pattern. If the pattern is zero length or null, all attributes are eligible for distribution. The pattern is anchored so the session attribute name must fully match the pattern. As an example, the value (userName|sessionHistory) will only distribute the two session attributes named userName and sessionHistory. If not specified, the default value of null will be used.


In a Tomcat cluster sessions must be distributed. This attribute filters the session's attribute set: only attributes whose names match the configured pattern are distributed; if set to zero length or null, all attributes are distributed;

sessionAttributeValueClassNameFilter

A regular expression used to filter which session attributes will be distributed. An attribute will only be distributed if the implementation class name of the value matches this pattern. If the pattern is zero length or null, all attributes are eligible for distribution. The pattern is anchored so the fully qualified class name must fully match the pattern. If not specified, the default value of null will be used unless a SecurityManager is enabled in which case the default will be java\\.lang\\.(?:Boolean|Integer|Long|Number|String).


Same as the previous one, except that this attribute filters on the value, the criterion being the value's class;

warnOnSessionAttributeFilterFailure

If sessionAttributeNameFilter or sessionAttributeValueClassNameFilter blocks an attribute, should this be logged at WARN level? If WARN level logging is disabled then it will be logged at DEBUG. The default value of this attribute is false unless a SecurityManager is enabled in which case the default will be true.


This attribute concerns the two filters above: when an attribute is blocked from distribution by a filter, that event should be logged;
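The StandardManager attributes described in this section, together with the nested SessionIdGenerator element, written out as one Context fragment. This is an added example, not configuration from the original post. The attribute names are those quoted from the Tomcat documentation above; the class name org.apache.catalina.util.StandardSessionIdGenerator is Tomcat's standard SessionIdGenerator implementation (not named on the page), and the session limit, filter patterns and ID length are sample values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: <Manager> and <SessionIdGenerator> inside a webapp's META-INF/context.xml -->
<Context>
  <Manager className="org.apache.catalina.session.StandardManager"
           maxActiveSessions="10000"
           pathname=""
           processExpiresFrequency="6"
           sessionAttributeNameFilter="(userName|sessionHistory)"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)"
           warnOnSessionAttributeFilterFailure="true">
    <!-- maxActiveSessions: getSession() throws IllegalStateException above this count,
         which caps the memory an unauthenticated client can make the server allocate.
         pathname="": disables SESSIONS.ser, so no serialized session state is written to disk.
         processExpiresFrequency: expire-check every 6 backgroundProcess calls (the default).
         The two filters restrict what is replicated to other cluster nodes: only the two
         named attributes, and only if their values are plain java.lang types, so an
         arbitrary serializable object never crosses the wire. Note that in XML the
         pattern uses single backslashes; the doubled form in the documentation is the
         Java string literal. warnOnSessionAttributeFilterFailure="true" logs every
         attribute the filters drop, so a silently missing attribute is easy to trace. -->

    <!-- sessionIdLength is measured in bytes before hex encoding: 16 bytes = 32 hex chars,
         produced by java.security.SecureRandom (secureRandomClass left at its default) -->
    <SessionIdGenerator className="org.apache.catalina.util.StandardSessionIdGenerator"
                        sessionIdLength="16" />
  </Manager>
</Context>
```

The filter attributes above are the ones documented for the Manager element on this page; older Tomcat releases that predate them will log an unknown-property warning rather than fail, so check the version's own documentation before relying on them.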

If the implementation is Tomcat's org.apache.catalina.session.PersistentManager, there is a little more to configure:

className

It has the same meaning as described in the Common Attributes above. You must specify org.apache.catalina.session.PersistentManager to use this manager implementation.


className: just set it to org.apache.catalina.session.PersistentManager, unless you extend PersistentManager yourself

maxIdleBackup

The time interval (in seconds) since the last access to a session before it is eligible for being persisted to the session store, or -1 to disable this feature. By default, this feature is disabled.


On each request the session's access time is recorded. Once the session has been idle for a while it should not keep occupying memory and is persisted; that idle interval is this attribute

maxIdleSwap

The maximum time a session may be idle before it is eligible to be swapped to disk due to inactivity. Setting this to -1 means sessions should not be swapped out just because of inactivity. If this feature is enabled, the time interval specified here should be equal to or longer than the value specified for maxIdleBackup. By default, this feature is disabled.


This attribute is maxIdleBackup plus the time for the session to go from persisted state back to in-memory state; it is certainly larger than maxIdleBackup;

minIdleSwap

The minimum time in seconds a session must be idle before it is eligible to be swapped to disk to keep the active session count below maxActiveSessions. Setting to -1 means sessions will not be swapped out to keep the active session count down. If specified, this value should be less than that specified by maxIdleSwap. By default, this value is set to -1.


This attribute is the minimum counterpart of maxIdleSwap;

processExpiresFrequency

Same as for org.apache.catalina.session.StandardManager

saveOnRestart

Should all sessions be persisted and reloaded when Tomcat is shut down and restarted (or when this application is reloaded)? By default, this attribute is set to true.


Whether all sessions are persisted when Tomcat shuts down and reloaded when it starts; defaults to true;

This switch can be turned off, in which case the session persistence feature is simply skipped;

secureRandomClass

Same as for org.apache.catalina.session.StandardManager

secureRandomProvider

Same as for org.apache.catalina.session.StandardManager

secureRandomAlgorithm

Same as for org.apache.catalina.session.StandardManager

sessionAttributeNameFilter

Same as for org.apache.catalina.session.StandardManager

sessionAttributeValueClassNameFilter

Same as for org.apache.catalina.session.StandardManager

warnOnSessionAttributeFilterFailure

Same as for org.apache.catalina.session.StandardManager

Here is an example:

<Manager className="org.apache.catalina.session.PersistentManager"
         saveOnRestart="true"
         maxActiveSessions="-1"
         minIdleSwap="-1"
         maxIdleSwap="-1"
         maxIdleBackup="-1">
    <!-- FileStore writes one serialized file per session into the given directory -->
    <Store className="org.apache.catalina.session.FileStore" directory="../session" />
</Manager>

Note that with org.apache.catalina.session.PersistentManager there is also a Store tag nested beneath the Manager.

As for Store, the storage form need not be session.ser at all, because Java's default serialization performance is honestly not impressive; you can choose JDBC storage in a database instead:

<Store className="org.apache.catalina.session.JDBCStore"
       driverName="com.mysql.jdbc.Driver"
       connectionURL="jdbc:mysql://localhost/session?user=xxx&amp;password=xxx"
       sessionTable="tomcat_sessions"
       sessionIdCol="session_id"
       sessionDataCol="session_data"
       sessionValidCol="valid_session"
       sessionMaxInactiveCol="max_inactive"
       sessionLastAccessedCol="last_access"
       sessionAppCol="app_name"
       checkInterval="60" />

Using the Store tag above in place of the earlier FileStore, session information goes straight into the database; the table and column names in the Store must match the table you create.

Note that you must first create a table in the database such as:

create table tomcat_sessions (
  session_id     varchar(100) not null primary key,
  valid_session  char(1) not null,
  max_inactive   int not null,
  last_access    bigint not null,
  app_name       varchar(255),
  session_data   mediumblob,
  KEY kapp_name(app_name)
);

before it will work;


4. -D parameters

The session configuration in the previous three sections is already quite complete;

But for different scenarios Tomcat refines some settings further, exposed as -D switches:

Sessions

Property and description:
org.apache.catalina.authenticator.Constants.SSO_SESSION_COOKIE_NAME

An alternative name for the single sign on session cookie. Defaults to JSESSIONIDSSO.


This property changes the name of the session cookie set after logging in through a realm; the default is JSESSIONIDSSO

org.apache.catalina.core.StandardHostValve.ACCESS_SESSION

If this is true, every request that is associated with a session will cause the session's last accessed time to be updated regardless of whether or not the request explicitly accesses the session.

If org.apache.catalina.STRICT_SERVLET_COMPLIANCE is set to true, the default of this setting will be true, else the default value will be false.


Every request updates the session's last accessed time. Normally only a call to getSession, or some other session-related operation within the request, counts as an access and updates the last accessed time; with this property set, every request updates it;

org.apache.catalina.session.StandardSession.ACTIVITY_CHECK

If this is true, Tomcat will track the number of active requests for each session. When determining if a session is valid, any session with at least one active request will always be considered valid.

If org.apache.catalina.STRICT_SERVLET_COMPLIANCE is set to true, the default of this setting will be true, else the default value will be false.


This property can be summarized as a live count of the session's active requests;

org.apache.catalina.session.StandardSession.LAST_ACCESS_AT_START

If this is true, the last accessed time for sessions will be calculated from the beginning of the previous request. If false, the last accessed time for sessions will be calculated from the end of the previous request. This also affects how the idle time is calculated.

If org.apache.catalina.STRICT_SERVLET_COMPLIANCE is set to true, the default of this setting will be true, else the default value will be false.


This property can be summarized as how the gap between two last accessed times is computed: when true, the interval runs from the start of the previous request to the start of this one; when false, from the end of the previous request to the start of this one;


Summary:

Sessions can be configured in three places: web.xml, server.xml and -D parameters. server.xml carries a great deal of persistence configuration, allowing session information to be stored in files or in a database!


This article is reposted from 中间件技术讨论圈. If it infringes on any rights, report it by e-mail to contact@modb.pro with supporting evidence; once verified, 墨天轮 will promptly remove the content.
