NCister created MYFACES-4297:
--------------------------------
Summary: javax.faces.STATE_SAVING_METHOD behaviour
Key: MYFACES-4297
URL: https://issues.apache.org/jira/browse/MYFACES-4297
Project: MyFaces Core
Issue Type: Bug
Components: General
Affects Versions: 2.3.4, 2.2.12
Environment: Debian 8.4, Debian 9.9
Tomcat 7.0.42 + JDK 1.7.0_71 (myfaces 2.2.12)
TomEE 7.1.1 + JDK 1.8.0_212 (myfaces 2.3.4)
Reporter: NCister
Hi.
There seems to be no way to have stateless behavior in myfaces.
I'm using javax.faces.STATE_SAVING_METHOD = client in web.xml (as also
described in this post:
https://stackoverflow.com/questions/36650846/when-does-jsf-creates-a-session-what-does-it-puts-in-a-session-map)
but myfaces always creates a session to transfer the FacesContext encoding
(why?).
I've noticed that it happens in the FaceletViewDeclarationLanguage
getResponseEncoding method.
I've already tested my code in Mojarra (2.2 and 2.3) and it works fine (it
doesn't create any session if not explicitly requested through a SessionScope
or ViewScope bean).
This is a big problem because any simple JSF (myfaces) page is virtually
exposed to DoS or flooding attacks generating zombie sessions.
Does a way exist in myfaces (that I don't know of) to manage stateless pages?
Thanks.
NC
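
A diagnostic for the behaviour reported above, as an added example that is not part of the original report or of the MyFaces code base: a servlet `HttpSessionListener` that records which code asked for each new session, so pages meant to be stateless can be checked on either JSF implementation. The class name `SessionOriginListener` and the skipped package prefixes are assumptions, and it relies on the container calling the listener on the thread that requested the session, as Tomcat does.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.atomic.AtomicLong;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Added diagnostic; class name and skipped prefixes are assumptions.
@WebListener
public class SessionOriginListener implements HttpSessionListener {
    // JDK, container and listener frames are skipped so the reported frame is
    // the framework or application code that asked for the session.
    private static final String[] SKIPPED = {
        "java.", "javax.servlet.", "sun.", "org.apache.catalina.",
        SessionOriginListener.class.getName()
    };
    private static final ConcurrentMap<String, AtomicLong> CREATED_BY =
        new ConcurrentHashMap<String, AtomicLong>();

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        String origin = firstCaller(Thread.currentThread().getStackTrace());
        AtomicLong fresh = new AtomicLong();
        AtomicLong count = CREATED_BY.putIfAbsent(origin, fresh);
        long total = (count == null ? fresh : count).incrementAndGet();
        // The session id is deliberately not logged.
        event.getSession().getServletContext().log(
            "HTTP session created by " + origin + " (" + total + " so far)");
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) { }

    // Returns the first stack frame outside the skipped packages.
    static String firstCaller(StackTraceElement[] stack) {
        for (StackTraceElement frame : stack) {
            String cls = frame.getClassName();
            boolean skip = false;
            for (String prefix : SKIPPED) {
                skip |= cls.startsWith(prefix);
            }
            if (!skip) {
                return cls + "." + frame.getMethodName() + ":" + frame.getLineNumber();
            }
        }
        return "unknown";
    }
}
```

Requesting a page with no session cookie and reading the container log shows whether a session was created and from which frame; a growing count on anonymous requests is the session build-up the report is concerned about.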