You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by gunay arslan <gu...@gmail.com> on 2012/04/21 00:15:27 UTC
asp file and session creation
HI,
as the spec dictates every jsp file that specify session="true" (this is default in tomcat ) forces a new session to be created, wether or not we are using the session inside the jsp file.
the session is triggered for creation at PageContextImpl file, isn't meaningfull to make this session creation on demand ?
Most of the jsp files are using the session for checking an attribute presence, so creating a new session just for get operations is a wast of memory.
do I miss something ? I am ready to do the development, maybe someone is working on this already ?
best regards,
Gunay Arslan
Re: asp file and session creation
Posted by Tim Funk <fu...@apache.org>.
yes - this is the pattern we use and trivial to put in your own webapp
For completeness ...
in web.xml
<jsp-config>
<jsp-property-group>
<url-pattern>*.jsp</url-pattern>
<include-prelude>/WEB-INF/prelude1.jspf</include-prelude>
</jsp-property-group>
</jsp-config>
prelude1.jspf contents: <%@page session='false' %>
-Tim
On Mon, Apr 23, 2012 at 5:06 PM, Konstantin Kolinko
<kn...@gmail.com>wrote:
> 2012/4/24 Christopher Schultz <ch...@christopherschultz.net>:
> >
> > It might be worthwhile proposing a setting for Jasper where the
> > default "session" setting could be set to "false" (in obvious
> > violation of the servlet specification) so that JSPs must specifically
> > set session="true" in their headers, but such a patch might be very
> > far-reaching.
> >
>
> I wonder whether this is already possible to do using
> "jsp-property-group" + "include-prelude" in web.xml.
>
Re: asp file and session creation
Posted by Konstantin Kolinko <kn...@gmail.com>.
2012/4/24 Christopher Schultz <ch...@christopherschultz.net>:
>
> It might be worthwhile proposing a setting for Jasper where the
> default "session" setting could be set to "false" (in obvious
> violation of the servlet specification) so that JSPs must specifically
> set session="true" in their headers, but such a patch might be very
> far-reaching.
>
I wonder whether this is already possible to do using
"jsp-property-group" + "include-prelude" in web.xml.
Just saying.
Best regards,
Konstantin Kolinko
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: asp file and session creation
Posted by gunay arslan <gu...@gmail.com>.
Sorry Mark,
I did not ignored moving the issue to the user list, I tried to reply on user list email, but because I am not subscribed to there my email failed (naturally), I do not want to subscribe to the list, as the volume of email is pretty high.
I did not ask just question, I also send a code to solve a problem, maybe only me treated this as a problem. I just wanted to contribute back, right now my tomcat instances are running with modification code.
Anyway if you think this as a garbage, just throw away.
Sorry for taking your time, and sorry from the whole group for disturbing
best regards.
Gunay Arslan
On Apr 26, 2012, at 10:00 PM, Mark Thomas wrote:
> On 26/04/2012 19:54, gunay arslan wrote:
>> Here I am not telling that we need to change the standards, I am
>> suggesting to add a variable so for this session behavior, with
>> default value running as it is right now, you need to check other
>> lazy session creation change to value, restart the application. We
>> will not dictate any thing, will not change anything.
>
> Actually the problem here is folks that ask user questions on the dev
> list and then ignore the instruction to move the issue to the users list
> where they would find that they have already been given the answer as to
> how avoiding large numbers of sessions is already supported within the
> current specifications and several previous versions.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: asp file and session creation
Posted by Mark Thomas <ma...@apache.org>.
On 26/04/2012 19:54, gunay arslan wrote:
> Here I am not telling that we need to change the standards, I am
> suggesting to add a variable so for this session behavior, with
> default value running as it is right now, you need to check other
> lazy session creation change to value, restart the application. We
> will not dictate any thing, will not change anything.
Actually the problem here is folks that ask user questions on the dev
list and then ignore the instruction to move the issue to the users list
where they would find that they have already been given the answer as to
how avoiding large numbers of sessions is already supported within the
current specifications and several previous versions.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: asp file and session creation
Posted by gunay arslan <gu...@gmail.com>.
HI Christopher,
The problem is not that the "poorly" configured browser or web application. When you have a web application open to the internet you can not guarantee that all of your clients will behave as you wish.
Right now it is very easy to write a simple script and create too much sessions.
one article on the subject: http://www.tomcatexpert.com/blog/2011/05/18/crawler-session-manager-valve
for the last 12 years I am writing web applications. I know how to manage the session in the servlet or jsp . The point is that even in the very big projects there are people/developers that do not now exactly how the session lifecycle is working on the running web container. It would be nice if there are flags to helps the minimize the risks.
The main point was that , if you did not specify the session attribute on the jsp , even if you do not use a session, every time for every request ( assuming the client does not send session cookie - as bots do in the article above ) a new session is created .
Here I am not telling that we need to change the standards, I am suggesting to add a variable so for this session behavior, with default value running as it is right now, you need to check other lazy session creation change to value, restart the application. We will not dictate any thing, will not change anything.
best regards.
Gunay Arslan
On Apr 26, 2012, at 5:07 PM, Christopher Schultz wrote:
> Gunay,
>
> On 4/24/12 2:50 AM, gunay arslan wrote:
>> As a web application developer, I needed to stop creation vast amount
>> of "dummy" sessions, that is why I proposed this.
>
> I understand what you want.
>
>> I understand that specs are important and there are vast amount of
>> software that requires these spec to be applied to run.
>
> Good.
>
>> What I am proposing is , we can add a non-distructive variable with
>> default value working as the spec dictates. If anyone want to optimize
>> session creation they can change the value. There are many such
>> variables across the tomcat, that you can tweak.
>
> The only way I can think of to do this would be to add yet another
> wrapper around the HttpSession that may or may not be connected to a
> real session. But then, checks like this in a JSP:
>
> if(null == session)
>
> ...would suggest that the session actually exists while
> "session.getAttribute" may fail because the session isn't real. I
> suppose you could lazily-create the session at that point if you wanted,
> but I think most people would argue that this should be the
> responsibility of the web application.
>
> By the way, you can certainly build what I've described above as a
> fairly simple Filter.
>
>> My business is running on top of Tomcat, it is important for me to
>> have a better Tomcat, more reliable, more high-performance.
>
> Is Tomcat not reliable for you? It seems to work quite well for many of us.
>
>> BTW. send-replace method does not solve the problem
>>
>> a very common pattern in a jsp/jstl is
>>
>> <c:if test="${sesssionScope.xxxx } >
>> ---
>> </c:if>
>>
>>
>> where test test is performed on existence of a variable in session.
>
> So, you don't want to create the session but you want to inspect it for
> certain values without performing null-checks?
>
>> at this point I want this jsp to run without a problem but,
>> the scop should be run without a problem on existing session
>> if session does not exists then a new session should not be created
>>
>> if I say session="true" on top of jsp, then every time a new session is created.
>
> No, a session should only be created for each client that arrives, not
> for every request (unless you have poorly-behaved clients that don't
> send HTTP cookies back to the server, or if you have a poorly-written
> webapp that does not properly rewrite URLs to include session identifiers).
>
> The basic idea here is that your page either does or does not require a
> session. If it doesn't require a session, then don't use a session, and
> set your JSP to session="false". If it does use a session, then state
> session="true" and go ahead and use the session. You can't really have
> it both ways unless you want to code your way around it. Note that
> anyone who reads your code will probably be surprised by this kind of
> customization, because it is certainly non-standard.
>
>> If I say session="false" then eve if there is a session available ,
>> it is not transferred to the jsp
>
> You can always do this:
>
> HttpSession mySession = request.getSession(false);
>
> That will not create a session if it doesn't exist (and return null) or
> it will give you the existing session.
>
>> maybe a lighter solution will be putting
>> a session to page even when session="false" , in case there is an
>> existing session ?
>
> Again, your page either does or does not use sessions. You can't have it
> both ways. If you want to write a Filter to change that, you can do it
> quite easily.
>
> -chris
>
Re: asp file and session creation
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Gunay,
On 4/24/12 2:50 AM, gunay arslan wrote:
> As a web application developer, I needed to stop creation vast amount
> of "dummy" sessions, that is why I proposed this.
I understand what you want.
> I understand that specs are important and there are vast amount of
> software that requires these spec to be applied to run.
Good.
> What I am proposing is , we can add a non-distructive variable with
> default value working as the spec dictates. If anyone want to optimize
> session creation they can change the value. There are many such
> variables across the tomcat, that you can tweak.
The only way I can think of to do this would be to add yet another
wrapper around the HttpSession that may or may not be connected to a
real session. But then, checks like this in a JSP:
if(null == session)
...would suggest that the session actually exists while
"session.getAttribute" may fail because the session isn't real. I
suppose you could lazily-create the session at that point if you wanted,
but I think most people would argue that this should be the
responsibility of the web application.
By the way, you can certainly build what I've described above as a
fairly simple Filter.
> My business is running on top of Tomcat, it is important for me to
> have a better Tomcat, more reliable, more high-performance.
Is Tomcat not reliable for you? It seems to work quite well for many of us.
> BTW. send-replace method does not solve the problem
>
> a very common pattern in a jsp/jstl is
>
> <c:if test="${sesssionScope.xxxx } >
> ---
> </c:if>
>
>
> where test test is performed on existence of a variable in session.
So, you don't want to create the session but you want to inspect it for
certain values without performing null-checks?
> at this point I want this jsp to run without a problem but,
> the scop should be run without a problem on existing session
> if session does not exists then a new session should not be created
>
> if I say session="true" on top of jsp, then every time a new session is created.
No, a session should only be created for each client that arrives, not
for every request (unless you have poorly-behaved clients that don't
send HTTP cookies back to the server, or if you have a poorly-written
webapp that does not properly rewrite URLs to include session identifiers).
The basic idea here is that your page either does or does not require a
session. If it doesn't require a session, then don't use a session, and
set your JSP to session="false". If it does use a session, then state
session="true" and go ahead and use the session. You can't really have
it both ways unless you want to code your way around it. Note that
anyone who reads your code will probably be surprised by this kind of
customization, because it is certainly non-standard.
> If I say session="false" then eve if there is a session available ,
> it is not transferred to the jsp
You can always do this:
HttpSession mySession = request.getSession(false);
That will not create a session if it doesn't exist (and return null) or
it will give you the existing session.
> maybe a lighter solution will be putting
> a session to page even when session="false" , in case there is an
> existing session ?
Again, your page either does or does not use sessions. You can't have it
both ways. If you want to write a Filter to change that, you can do it
quite easily.
-chris
Re: asp file and session creation
Posted by gunay arslan <gu...@gmail.com>.
HI Christopher,
As a web application developer, I needed to stop creation vast amount of "dummy" sessions, that is why I proposed this. I understand that specs are important and there are vast amount of
software that requires these spec to be applied to run.
What I am proposing is , we can add a non-distructive variable with default value working as the spec dictates. If anyone want to optimize session creation they can change the value. There are many such variables across the tomcat, that you can tweak.
My business is running on top of Tomcat, it is important for me to have a better Tomcat, more reliable, more high-performance.
BTW. send-replace method does not solve the problem
a very common pattern in a jsp/jstl is
<c:if test="${sesssionScope.xxxx } >
---
</c:if>
where test test is performed on existence of a variable in session.
at this point I want this jsp to run without a problem but,
the scop should be run without a problem on existing session
if session does not exists then a new session should not be created
if I say session="true" on top of jsp, then every time a new session is created. If I say session="false" then eve if there is a session available , it is not transferred to the jsp , maybe a lighter solution will be putting a session to page even when session="false" , in case there is an existing session ?
best regards,
Gunay Arslan
On Apr 23, 2012, at 11:36 PM, Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Gunay,
>
> On 4/21/12 2:58 AM, gunay arslan wrote:
>> Seems like I could not explain what exactly I was trying to show.
>> A reference implementation of the PageContextImpl is attached, and
>> I tested this with one of our in-house web application. The point
>> is
>
> This is a discussion best had on the users' list. I'm cross-posting
> here to encourage a transition.
>
>> 1) Spec says that a session variable needs to be present: but this
>> creates a problem for the web applications, as a simple attack to
>> a web application can force creation of dummy sessions, filling the
>> memory. Most of the applications are using some sort of persistent
>> session management, which is another problem, as this increases the
>> processing time , for these dummy sessions.
>
> There are many ways to create a session without even hitting a JSP.
> Closing this "hole" doesn't safeguard the server from such an attack.
> You'll need to use some other mechanism to prevent a malicious client
> from creating sessions without bound.
>
>> 2) Most of the applications do not use the session inside the jsp
>
> That's not only a fairly big assertion, it also suggests that it's
> okay to violate the spec. Which is not a good idea.
>
>> , so why to create a new session , before it is needed ?? Maybe we
>> can name the definition LAZY_SESSION_CREATION ??
>
> Konstantin already explained that there needs to be a local variable
> available called "session" for scriptlets. If the spec required that
> all session access be routed through some method (such as
> HttpServletRequest.getSession), then your suggestion might be
> possible. Instead, the spec requires that there be a valid, non-null
> local variable available to scriplets. This is not possible with any
> kind of lazy-loading scenario.
>
>> 3) Most of the applications , do not create a session in the jsp,
>> the session is created at the servlet level, and just checked for
>> attribute presence at the jsp level.
>
> Another fairly big assertion. Maybe this is how things are in your own
> webapp, but yours is different from everyone else's.
>
>> My point is to reduce the number of "useless created sessions",
>> the same problem was described at
>> http://www.tomcatexpert.com/blog/2011/05/18/crawler-session-manager-valve
>> , showing a simple solution, but this solution does not solve the
>> real problem.
>
> The real problem is that the webapp is (perhaps inadvertently)
> requesting that the container create sessions when they are not
> necessary. The solution is to fix the webapp. Tomcat can only be
> leveraged to stop the bleeding while you go repair the root of the
> problem.
>
> It might be worthwhile proposing a setting for Jasper where the
> default "session" setting could be set to "false" (in obvious
> violation of the servlet specification) so that JSPs must specifically
> set session="true" in their headers, but such a patch might be very
> far-reaching.
>
> Personally, I would find it easier to write a simple
> search-and-replace (search-and-add?) script to find JSPs that don't
> need sessions and set session="false" in their <%...@page> directives.
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk+VvUkACgkQ9CaO5/Lv0PCmPwCdH8qhXYPjpGvJICnMRIa7Dq2/
> qrYAnjEy4X0oU//7UB+0y44aRGtVupfN
> =rkI8
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
Re: asp file and session creation
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Gunay,
On 4/21/12 2:58 AM, gunay arslan wrote:
> Seems like I could not explain what exactly I was trying to show.
> A reference implementation of the PageContextImpl is attached, and
> I tested this with one of our in-house web application. The point
> is
This is a discussion best had on the users' list. I'm cross-posting
here to encourage a transition.
> 1) Spec says that a session variable needs to be present: but this
> creates a problem for the web applications, as a simple attack to
> a web application can force creation of dummy sessions, filling the
> memory. Most of the applications are using some sort of persistent
> session management, which is another problem, as this increases the
> processing time , for these dummy sessions.
There are many ways to create a session without even hitting a JSP.
Closing this "hole" doesn't safeguard the server from such an attack.
You'll need to use some other mechanism to prevent a malicious client
from creating sessions without bound.
> 2) Most of the applications do not use the session inside the jsp
That's not only a fairly big assertion, it also suggests that it's
okay to violate the spec. Which is not a good idea.
> , so why to create a new session , before it is needed ?? Maybe we
> can name the definition LAZY_SESSION_CREATION ??
Konstantin already explained that there needs to be a local variable
available called "session" for scriptlets. If the spec required that
all session access be routed through some method (such as
HttpServletRequest.getSession), then your suggestion might be
possible. Instead, the spec requires that there be a valid, non-null
local variable available to scriplets. This is not possible with any
kind of lazy-loading scenario.
> 3) Most of the applications , do not create a session in the jsp,
> the session is created at the servlet level, and just checked for
> attribute presence at the jsp level.
Another fairly big assertion. Maybe this is how things are in your own
webapp, but yours is different from everyone else's.
> My point is to reduce the number of "useless created sessions",
> the same problem was described at
> http://www.tomcatexpert.com/blog/2011/05/18/crawler-session-manager-valve
> , showing a simple solution, but this solution does not solve the
> real problem.
The real problem is that the webapp is (perhaps inadvertently)
requesting that the container create sessions when they are not
necessary. The solution is to fix the webapp. Tomcat can only be
leveraged to stop the bleeding while you go repair the root of the
problem.
It might be worthwhile proposing a setting for Jasper where the
default "session" setting could be set to "false" (in obvious
violation of the servlet specification) so that JSPs must specifically
set session="true" in their headers, but such a patch might be very
far-reaching.
Personally, I would find it easier to write a simple
search-and-replace (search-and-add?) script to find JSPs that don't
need sessions and set session="false" in their <%...@page> directives.
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk+VvUkACgkQ9CaO5/Lv0PCmPwCdH8qhXYPjpGvJICnMRIa7Dq2/
qrYAnjEy4X0oU//7UB+0y44aRGtVupfN
=rkI8
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: asp file and session creation
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Gunay,
On 4/21/12 2:58 AM, gunay arslan wrote:
> Seems like I could not explain what exactly I was trying to show.
> A reference implementation of the PageContextImpl is attached, and
> I tested this with one of our in-house web application. The point
> is
This is a discussion best had on the users' list. I'm cross-posting
here to encourage a transition.
> 1) Spec says that a session variable needs to be present: but this
> creates a problem for the web applications, as a simple attack to
> a web application can force creation of dummy sessions, filling the
> memory. Most of the applications are using some sort of persistent
> session management, which is another problem, as this increases the
> processing time , for these dummy sessions.
There are many ways to create a session without even hitting a JSP.
Closing this "hole" doesn't safeguard the server from such an attack.
You'll need to use some other mechanism to prevent a malicious client
from creating sessions without bound.
> 2) Most of the applications do not use the session inside the jsp
That's not only a fairly big assertion, it also suggests that it's
okay to violate the spec. Which is not a good idea.
> , so why to create a new session , before it is needed ?? Maybe we
> can name the definition LAZY_SESSION_CREATION ??
Konstantin already explained that there needs to be a local variable
available called "session" for scriptlets. If the spec required that
all session access be routed through some method (such as
HttpServletRequest.getSession), then your suggestion might be
possible. Instead, the spec requires that there be a valid, non-null
local variable available to scriplets. This is not possible with any
kind of lazy-loading scenario.
> 3) Most of the applications , do not create a session in the jsp,
> the session is created at the servlet level, and just checked for
> attribute presence at the jsp level.
Another fairly big assertion. Maybe this is how things are in your own
webapp, but yours is different from everyone else's.
> My point is to reduce the number of "useless created sessions",
> the same problem was described at
> http://www.tomcatexpert.com/blog/2011/05/18/crawler-session-manager-valve
> , showing a simple solution, but this solution does not solve the
> real problem.
The real problem is that the webapp is (perhaps inadvertently)
requesting that the container create sessions when they are not
necessary. The solution is to fix the webapp. Tomcat can only be
leveraged to stop the bleeding while you go repair the root of the
problem.
It might be worthwhile proposing a setting for Jasper where the
default "session" setting could be set to "false" (in obvious
violation of the servlet specification) so that JSPs must specifically
set session="true" in their headers, but such a patch might be very
far-reaching.
Personally, I would find it easier to write a simple
search-and-replace (search-and-add?) script to find JSPs that don't
need sessions and set session="false" in their <%...@page> directives.
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk+VvUkACgkQ9CaO5/Lv0PCmPwCdH8qhXYPjpGvJICnMRIa7Dq2/
qrYAnjEy4X0oU//7UB+0y44aRGtVupfN
=rkI8
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: asp file and session creation
Posted by gunay arslan <gu...@gmail.com>.
HI Konstantin,
Seems like I could not explain what exactly I was trying to show. A reference implementation of the PageContextImpl is attached, and I tested this with one of our in-house web application.
The point is
1) Spec says that a session variable needs to be present: but this creates a problem for the web applications, as a simple attack to a web application can force creation of dummy sessions, filling the memory. Most of the applications are using some sort of persistent session management, which is another problem, as this increases the processing time , for these dummy sessions.
2) Most of the applications do not use the session inside the jsp , so why to create a new session , before it is needed ?? Maybe we can name the definition LAZY_SESSION_CREATION ??
3) Most of the applications , do not create a session in the jsp, the session is created at the servlet level, and just checked for attribute presence at the jsp level.
My point is to reduce the number of "useless created sessions", the same problem was described at http://www.tomcatexpert.com/blog/2011/05/18/crawler-session-manager-valve , showing a simple solution, but this solution does not solve the real problem.
best regards,
Gunay Arslan
On Apr 21, 2012, at 1:48 AM, Konstantin Kolinko wrote:
> 2012/4/21 gunay arslan <gu...@gmail.com>:
>> HI,
>>
>> as the spec dictates every jsp file that specify session="true" (this is default in tomcat ) forces a new session to be created, wether or not we are using the session inside the jsp file.
>>
>> the session is triggered for creation at PageContextImpl file, isn't meaningfull to make this session creation on demand ?
>
> It is not possible, because (by specification) the JSP page (unless it
> has session="false") needs to have local variable named "session"
> that can be used from
> java fragments (aka scriptlets).
>
> You cannot create a Java variable "on demand".
>
> Note that there is "needsSession" attribute in
> PageContextImpl#_initialize(..), which is not always true.
>
>
>> Most of the jsp files are using the session for checking an attribute presence, so creating a new session just for get operations is a wast of memory.
>> do I miss something ? I am ready to do the development, maybe someone is working on this already ?
>
>
> Best regards,
> Konstantin Kolinko
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
Re: asp file and session creation
Posted by Konstantin Kolinko <kn...@gmail.com>.
2012/4/21 gunay arslan <gu...@gmail.com>:
> HI,
>
> as the spec dictates every jsp file that specify session="true" (this is default in tomcat ) forces a new session to be created, wether or not we are using the session inside the jsp file.
>
> the session is triggered for creation at PageContextImpl file, isn't meaningfull to make this session creation on demand ?
It is not possible, because (by specification) the JSP page (unless it
has session="false") needs to have local variable named "session"
that can be used from
java fragments (aka scriptlets).
You cannot create a Java variable "on demand".
Note that there is "needsSession" attribute in
PageContextImpl#_initialize(..), which is not always true.
> Most of the jsp files are using the session for checking an attribute presence, so creating a new session just for get operations is a wast of memory.
> do I miss something ? I am ready to do the development, maybe someone is working on this already ?
Best regards,
Konstantin Kolinko
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org