Re: asp file and session creation

[gunay arslan]

HI Konstantin, Seems like I could not explain what exactly I was trying to show. A reference implementation of the PageContextImpl is attached, and I tested this with one of our in-house web application. The point is   1) Spec says that a session variable needs to be present: but this creates a  problem for the web applications, as a simple attack to a web application can force creation of dummy sessions, filling the memory. Most of the applications are using some sort of persistent session management, which is another problem, as this increases the processing time , for these dummy sessions. 2) Most of the applications do not use the session inside the jsp , so why to create a new session  , before it is needed ?? Maybe we can name the definition LAZY_SESSION_CREATION ??  3) Most of the applications , do not create a session in the jsp, the session is created  at the servlet level, and just checked for attribute presence at the jsp level. My point is to reduce the number of "useless created sessions",  the same problem was described at http://www.tomcatexpert.com/blog/2011/05/18/crawler-session-manager-valve , showing a simple solution, but this solution does not solve the real problem.

PageContextImpl.java
Description: Binary data

best regards, Gunay Arslan On Apr 21, 2012, at 1:48 AM, Konstantin Kolinko wrote: 2012/4/21 gunay arslan <gunay.ars...@gmail.com>: HI, as the spec dictates every jsp file that specify session="true"  (this is default in tomcat  )  forces a new session to be created, wether or not we are using the session inside the jsp file. the session is triggered for creation at PageContextImpl file, isn't meaningfull  to make this session creation on demand ? It is not possible, because (by specification) the JSP page (unless it has session="false")  needs to have local variable named "session" that can be used from java fragments (aka scriptlets). You cannot create a Java variable "on demand". Note that there is "needsSession" attribute in PageContextImpl#_initialize(..), which is not always true. Most of the jsp files are using the session for checking an attribute presence, so creating a new session just for get operations  is a wast of memory. do I miss something ? I am ready to do the development, maybe someone is working on this already ? Best regards, Konstantin Kolinko --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org