
[webtier] Re: How to Disable HttpSessions?

Jan Luehe

On 04/30/09 01:16 PM, Jan Luehe wrote:
> On 04/30/09 09:32 AM, glassfish@javadesktop.org wrote:
>> Hello all,
>>
>> I need to make my web application completely stateless, and thus
>> would like to turn off http session generation by the app server (ie,
>> no memory consumed, no jsessionid generation, etc). These are
>> business requirements (not my fault!). In any event, the only thing
>> I've done is set the JSP tags to not participate in sessions - but I
>> don't see anything in the sun-web.xml that indicates if GlassFish can
>> be told to NOT create a session. Is this possible, and if so, where
>> is that configured (short of me writing a servlet filter that
>> programmatically calls session.invalidate() ) ?
>>
>
> There is no such config option available, as it would be in violation
> of the Servlet spec,
> which requires that a call to HttpServletRequest#getSession create a
> session if one does
> not already exist.

I was able to think of a simple and portable solution when this issue
was brought up again during a meeting earlier this morning: How about
declaring an HttpSessionListener in your app, and implementing its
sessionCreated callback such that it throws an IllegalStateException?

Jan

> http://forums.java.net/jive/thread.jspa?messageID=344520
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@glassfish.dev.java.net
> For additional commands, e-mail: users-help@glassfish.dev.java.net

---------------------------------------------------------------------
To unsubscribe, e-mail: webtier-unsubscribe@glassfish.dev.java.net
For additional commands, e-mail: webtier-help@glassfish.dev.java.net

Wolfram Rittmeyer

Jan Luehe wrote:
> On 04/30/09 01:16 PM, Jan Luehe wrote:
>> On 04/30/09 09:32 AM, glassfish@javadesktop.org wrote:
>>> Hello all,
>>>
>>> I need to make my web application completely stateless, and thus
>>> would like to turn off http session generation by the app server (ie,
>>> no memory consumed, no jsessionid generation, etc). These are
>>> business requirements (not my fault!). In any event, the only thing
>>> I've done is set the JSP tags to not participate in sessions - but I
>>> don't see anything in the sun-web.xml that indicates if GlassFish can
>>> be told to NOT create a session. Is this possible, and if so, where
>>> is that configured (short of me writing a servlet filter that
>>> programmatically calls session.invalidate() ) ?
>>>
>>
>> There is no such config option available, as it would be in violation
>> of the Servlet spec,
>> which requires that a call to HttpServletRequest#getSession create a
>> session if one does
>> not already exist.
>
> I was able to think of a simple and portable solution when this issue
> was brought up again
> during a meeting earlier this morning: How about declaring an
> HttpSessionListener in your app,
> and implementing its sessionCreated callback such that it throws an
> IllegalStateException?
>
> Jan

Jan,

I might be daft, but I still do not see the issue here. If there is a
requirement not to use any session - why then would one call
getSession() or getSession(true) in the first place? And as long as
these methods are not called - no session gets created anyway.

Also, the listener's sessionCreated gets notified when the session
already has been created - thus too late for the requirement not to
create a session.

What do I miss here?

--
Wolfram Rittmeyer


Jan Luehe

Wolfram,

On 06/ 6/09 11:35 AM, Wolfram Rittmeyer wrote:
> Jan Luehe wrote:
>> On 04/30/09 01:16 PM, Jan Luehe wrote:
>>> On 04/30/09 09:32 AM, glassfish@javadesktop.org wrote:
>>>> Hello all,
>>>>
>>>> I need to make my web application completely stateless, and thus
>>>> would like to turn off http session generation by the app server
>>>> (ie, no memory consumed, no jsessionid generation, etc). These are
>>>> business requirements (not my fault!). In any event, the only
>>>> thing I've done is set the JSP tags to not participate in sessions
>>>> - but I don't see anything in the sun-web.xml that indicates if
>>>> GlassFish can be told to NOT create a session. Is this possible,
>>>> and if so, where is that configured (short of me writing a servlet
>>>> filter that programmatically calls session.invalidate() ) ?
>>>>
>>>
>>> There is no such config option available, as it would be in
>>> violation of the Servlet spec,
>>> which requires that a call to HttpServletRequest#getSession create a
>>> session if one does
>>> not already exist.
>>
>> I was able to think of a simple and portable solution when this issue
>> was brought up again
>> during a meeting earlier this morning: How about declaring an
>> HttpSessionListener in your app,
>> and implementing its sessionCreated callback such that it throws an
>> IllegalStateException?
>>
>> Jan
>
> Jan,
>
> I might be daft, but I still do not see the issue here. If there is a
> requirement not to use any session - why then would one call
> getSession() or getSession(true) in the first place? And as long as
> these methods are not called - no session gets created anyway.

The issue was brought up at the JSR 315 meeting during JavaOne last
week. Being able to suppress session creation at the application level
may be useful if your application bundles 3rd party code, in which case
it may be impossible or too tedious to inspect that code for any calls
to HttpServletRequest#getSession(true).

>
> Also, the listener's sessionCreated gets notified when the session
> already has been created - thus too late for the requirement not to
> create a session.

Right, but HttpSessionListener#sessionCreated is called as part of
HttpServletRequest#getSession(true), which means that if one of the
invoked listeners throws an exception, then no session will be returned
to the caller. This approach is really only intended to catch and flag any
"accidental" session creation.

Jan
>
> What do I miss here?
>
>
> --
> Wolfram Rittmeyer
>
>
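
Added example, not part of the original thread or of GlassFish: a sketch of the listener approach discussed above, using the standard `javax.servlet.http` API. The package and class names are hypothetical, and the call-site lookup is a heuristic that assumes the creating method is named `getSession`.

```java
package example.nosession; // hypothetical package name

import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Flags "accidental" session creation by throwing from sessionCreated.
 * Declare it in WEB-INF/web.xml:
 *
 *   <listener>
 *     <listener-class>example.nosession.NoSessionListener</listener-class>
 *   </listener>
 */
public class NoSessionListener implements HttpSessionListener {

    private static final Logger LOG =
            Logger.getLogger(NoSessionListener.class.getName());

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        IllegalStateException ex = new IllegalStateException(
                "HttpSession creation is disabled for this application");
        // Log before throwing: the code that called getSession may
        // catch and swallow the exception.
        LOG.log(Level.WARNING,
                "Blocked session creation requested at " + callSite(ex.getStackTrace()),
                ex);
        throw ex;
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Nothing to do; this listener only guards creation.
    }

    /**
     * Heuristic (assumption): the frame just above the outermost
     * getSession frame is the application or third-party caller.
     */
    static String callSite(StackTraceElement[] frames) {
        int outermost = -1;
        for (int i = 0; i < frames.length; i++) { // index 0 is the innermost frame
            if ("getSession".equals(frames[i].getMethodName())) {
                outermost = i;
            }
        }
        return (outermost >= 0 && outermost + 1 < frames.length)
                ? frames[outermost + 1].toString()
                : "unknown";
    }
}
```

The logged call site points at the bundled code that asked for a session, which is the case the thread says is too tedious to find by inspection.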
