Hi Christopher,

The problem is not the "poorly" configured browser or web application. When you have a web application open to the internet you cannot guarantee that all of your clients will behave as you wish. Right now it is very easy to write a simple script and create too many sessions.

One article on the subject: http://www.tomcatexpert.com/blog/2011/05/18/crawler-session-manager-valve

For the last 12 years I have been writing web applications. I know how to manage the session in the servlet or JSP. The point is that even in very big projects there are people/developers who do not know exactly how the session lifecycle works on the running web container. It would be nice if there were flags to help minimize the risks.

The main point was that, if you do not specify the session attribute on the JSP, even if you do not use a session, every time for every request (assuming the client does not send a session cookie, as bots do in the article above) a new session is created.

Here I am not saying that we need to change the standards. I am suggesting to add a variable for this session behavior, with the default value running as it is right now; you need to check other lazy session creation, change the value, restart the application. We will not dictate anything, will not change anything.

Best regards,

Gunay Arslan

On Apr 26, 2012, at 5:07 PM, Christopher Schultz wrote:

> Gunay,
>
> On 4/24/12 2:50 AM, gunay arslan wrote:
>> As a web application developer, I needed to stop the creation of a vast
>> amount of "dummy" sessions, that is why I proposed this.
>
> I understand what you want.
>
>> I understand that specs are important and there is a vast amount of
>> software that requires these specs to be applied to run.
>
> Good.
>
>> What I am proposing is, we can add a non-destructive variable with
>> default value working as the spec dictates. If anyone wants to optimize
>> session creation they can change the value. There are many such
>> variables across Tomcat that you can tweak.
>
> The only way I can think of to do this would be to add yet another
> wrapper around the HttpSession that may or may not be connected to a
> real session. But then, checks like this in a JSP:
>
> if(null == session)
>
> ...would suggest that the session actually exists while
> "session.getAttribute" may fail because the session isn't real. I
> suppose you could lazily-create the session at that point if you wanted,
> but I think most people would argue that this should be the
> responsibility of the web application.
>
> By the way, you can certainly build what I've described above as a
> fairly simple Filter.
>
>> My business is running on top of Tomcat, it is important for me to
>> have a better Tomcat, more reliable, more high-performance.
>
> Is Tomcat not reliable for you? It seems to work quite well for many of us.
>
>> BTW, the send-replace method does not solve the problem.
>>
>> A very common pattern in a jsp/jstl is
>>
>> <c:if test="${sessionScope.xxxx}">
>> ---
>> </c:if>
>>
>> where the test is performed on the existence of a variable in the session.
>
> So, you don't want to create the session but you want to inspect it for
> certain values without performing null-checks?
>
>> At this point I want this jsp to run without a problem, but
>> the scope should be run without a problem on an existing session;
>> if the session does not exist then a new session should not be created.
>>
>> If I say session="true" on top of the jsp, then every time a new session
>> is created.
>
> No, a session should only be created for each client that arrives, not
> for every request (unless you have poorly-behaved clients that don't
> send HTTP cookies back to the server, or if you have a poorly-written
> webapp that does not properly rewrite URLs to include session identifiers).
>
> The basic idea here is that your page either does or does not require a
> session. If it doesn't require a session, then don't use a session, and
> set your JSP to session="false". If it does use a session, then state
> session="true" and go ahead and use the session. You can't really have
> it both ways unless you want to code your way around it. Note that
> anyone who reads your code will probably be surprised by this kind of
> customization, because it is certainly non-standard.
>
>> If I say session="false" then even if there is a session available,
>> it is not transferred to the jsp.
>
> You can always do this:
>
> HttpSession mySession = request.getSession(false);
>
> That will not create a session if it doesn't exist (and return null) or
> it will give you the existing session.
>
>> Maybe a lighter solution would be putting
>> a session to the page even when session="false", in case there is an
>> existing session?
>
> Again, your page either does or does not use sessions. You can't have it
> both ways. If you want to write a Filter to change that, you can do it
> quite easily.
>
> -chris
>
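
The Filter approach mentioned in the quoted reply, sketched as an added example that is not part of the original thread and is not Tomcat code. The class name `LazySessionFilter` and the helper `lazySession` are hypothetical; it assumes Java 8 or later, the `javax.servlet` API, and that pages only need reads on a missing session to look empty.

```java
import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.util.Collections;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter (not part of Tomcat): hands out a placeholder HttpSession and
// creates the real session only when something other than a read is attempted.
public class LazySessionFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        final HttpServletRequest http = (HttpServletRequest) req;
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override public HttpSession getSession() { return getSession(true); }
            @Override public HttpSession getSession(boolean create) {
                HttpSession real = http.getSession(false);
                if (real != null || !create) return real; // existing session, or null as usual
                return lazySession(http);                 // nothing is allocated yet
            }
        }, res);
    }

    static HttpSession lazySession(final HttpServletRequest http) {
        return (HttpSession) Proxy.newProxyInstance(
            HttpSession.class.getClassLoader(), new Class<?>[] { HttpSession.class },
            (proxy, method, args) -> {
                HttpSession real = http.getSession(false);
                if (real == null) {
                    switch (method.getName()) { // reads on a missing session see "empty"
                        case "getAttribute": case "getValue": return null;
                        case "getAttributeNames": return Collections.emptyEnumeration();
                        case "getValueNames": return new String[0];
                        case "removeAttribute": case "removeValue": case "invalidate": return null;
                        case "isNew": return true;
                        case "hashCode": return System.identityHashCode(proxy);
                        case "equals": return proxy == args[0];
                        case "toString": return "LazySession(unbound)";
                    }
                    real = http.getSession(true); // first write, getId() etc. creates it
                }
                try { return method.invoke(real, args); }
                catch (InvocationTargetException e) { throw e.getCause(); }
            });
    }
}
```

With the filter mapped in `web.xml`, a cookie-less client that only triggers reads such as `${sessionScope.xxxx}` no longer allocates a session per request. The first write still calls `getSession(true)`, which throws `IllegalStateException` if the response has already been committed.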