Posted to dev@tomcat.apache.org by re...@apache.org on 2020/02/18 09:06:07 UTC

[tomcat] branch master updated: Disable session persistence by default

This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/master by this push:
     new d59db7a  Disable session persistence by default
d59db7a is described below

commit d59db7ae7529fd9f2b067622ae661fd9338b2478
Author: remm <re...@apache.org>
AuthorDate: Tue Feb 18 10:05:49 2020 +0100

    Disable session persistence by default
    
    Persistence should be configured explicitly, either with pathname or
    when using a persistent manager.
---
 TOMCAT-NEXT.txt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/TOMCAT-NEXT.txt b/TOMCAT-NEXT.txt
index 3be3e12..a510693 100644
--- a/TOMCAT-NEXT.txt
+++ b/TOMCAT-NEXT.txt
@@ -47,6 +47,7 @@ New items for 10.0.0.x onwards:
 
  7. Refactor DefaultServlet to use Ranges in parseRanges().
 
+ 8. Disable session persistence: StandardManager.pathname defaults to null.
 
 Deferred until 10.0.x:
 
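Review bot: item 8 records only the new default (StandardManager.pathname null) and not the configuration and documentation edits it forces; as Rémy's reply in this thread points out, the default context.xml ships a commented-out Manager element whose purpose is to disable persistence, so once null is the default that comment (and the Manager docs' description of pathname's default) would need to flip to show how to enable it. Consider widening the entry, e.g. " 8. Disable session persistence: StandardManager.pathname defaults to null; update the conf/context.xml comment and the Manager docs to show how to re-enable it."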


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: [tomcat] branch master updated: Disable session persistence by default

Posted by Mark Thomas <ma...@apache.org>.
On 18/02/2020 09:42, Rémy Maucherat wrote:
> On Tue, Feb 18, 2020 at 10:32 AM Mark Thomas <markt@apache.org
> <ma...@apache.org>> wrote:
> 
>     On 18/02/2020 09:06, remm@apache.org <ma...@apache.org> wrote:
>     > This is an automated email from the ASF dual-hosted git repository.
>     >
>     > remm pushed a commit to branch master
>     > in repository https://gitbox.apache.org/repos/asf/tomcat.git
>     >
>     >
>     > The following commit(s) were added to refs/heads/master by this push:
>     >      new d59db7a  Disable session persistence by default
>     > d59db7a is described below
>     >
>     > commit d59db7ae7529fd9f2b067622ae661fd9338b2478
>     > Author: remm <remm@apache.org <ma...@apache.org>>
>     > AuthorDate: Tue Feb 18 10:05:49 2020 +0100
>     >
>     >     Disable session persistence by default
>     >     
>     >     Persistence should be configured explicitly, either with
>     pathname or
>     >     when using a persistent manager.
> 
>     Hmm. I'm not sure about this.
> 
>     I have no figures to back this up but I imagine quite a few people use
>     Tomcat the way I have used it in the past. I have often used Tomcat to
>     host some simple services that aren't used very often or where brief
>     downtime is OK (so a quick restart to pick up a change isn't an issue)
>     but session persistence is useful.
> 
>     For sure, persistence across restarts is not the solution for production
>     systems with high availability requirements.
> 
>     I guess I'm wondering what are the benefits for doing this. I can see
>     some downsides but I'm struggling to see the benefit.
> 
> 
> It increases shutdown and startup when there are lots of sessions, and
> also uses disk space, and production people have been complaining about
> that in the past (then they disable the feature since it's obviously not
> for them). You also just said it is mostly useless except it might be
> part of the "worst practices" playbook of many people.

Fair enough. I'm convinced.

> On the user list, there's also a person who wants to add saving the
> principal to it, adding more risk (especially in 7.0, 8.5 and 9.0 where
> the principal still includes the clear text password).

I'm just reviewing that proposal now.

> As a result, I think it is better to start phasing out this feature in
> Tomcat 10. The user can then either:
> - configure it back using pathname (it's very easy to do it in
> context.xml - the default context.xml actually includes a commented out
> Manager element to disable persistence, it would switch to enabling it)

That would work for me.

Thanks for the explanation.

Mark


> - use a persistent manager
> - use the delta manager
> 
> Rémy
>  
> 
> 
>     Mark
> 
> 
>     > ---
>     >  TOMCAT-NEXT.txt | 1 +
>     >  1 file changed, 1 insertion(+)
>     >
>     > diff --git a/TOMCAT-NEXT.txt b/TOMCAT-NEXT.txt
>     > index 3be3e12..a510693 100644
>     > --- a/TOMCAT-NEXT.txt
>     > +++ b/TOMCAT-NEXT.txt
>     > @@ -47,6 +47,7 @@ New items for 10.0.0.x onwards:
>     > 
>     >   7. Refactor DefaultServlet to use Ranges in parseRanges().
>     > 
>     > + 8. Disable session persistence: StandardManager.pathname
>     defaults to null.
>     > 
>     >  Deferred until 10.0.x:
>     > 
>     >
>     >
>     > ---------------------------------------------------------------------
>     > To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>     <ma...@tomcat.apache.org>
>     > For additional commands, e-mail: dev-help@tomcat.apache.org
>     <ma...@tomcat.apache.org>
>     >
> 
> 
>     ---------------------------------------------------------------------
>     To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>     <ma...@tomcat.apache.org>
>     For additional commands, e-mail: dev-help@tomcat.apache.org
>     <ma...@tomcat.apache.org>
> 




Re: [tomcat] branch master updated: Disable session persistence by default

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Rémy,

On 2/18/20 04:42, Rémy Maucherat wrote:
> On Tue, Feb 18, 2020 at 10:32 AM Mark Thomas <markt@apache.org
> <ma...@apache.org>> wrote:
>
> On 18/02/2020 09:06, remm@apache.org <ma...@apache.org>
> wrote:
>> This is an automated email from the ASF dual-hosted git
>> repository.
>>
>> remm pushed a commit to branch master in repository
>> https://gitbox.apache.org/repos/asf/tomcat.git
>>
>>
>> The following commit(s) were added to refs/heads/master by this
>> push: new d59db7a  Disable session persistence by default d59db7a
>> is described below
>>
>> commit d59db7ae7529fd9f2b067622ae661fd9338b2478 Author: remm
>> <remm@apache.org <ma...@apache.org>> AuthorDate: Tue Feb 18
>> 10:05:49 2020 +0100
>>
>> Disable session persistence by default
>>
>> Persistence should be configured explicitly, either with
> pathname or
>> when using a persistent manager.
>
> Hmm. I'm not sure about this.
>
> I have no figures to back this up but I imagine quite a few people
> use Tomcat the way I have used it in the past. I have often used
> Tomcat to host some simple services that aren't used very often or
> where brief downtime is OK (so a quick restart to pick up a change
> isn't an issue) but session persistence is useful.
>
> For sure, persistence across restarts is not the solution for
> production systems with high availability requirements.
>
> I guess I'm wondering what are the benefits for doing this. I can
> see some downsides but I'm struggling to see the benefit.
>
>
> It increases shutdown and startup when there are lots of sessions,
> and also uses disk space, and production people have been
> complaining about that in the past (then they disable the feature
> since it's obviously not for them).
>
> [...]
>
> As a result, I think it is better to start phasing out this feature
> in Tomcat 10.

+1

It's easy to re-enable.

> You also just said it is mostly useless except it might be part of
> the "worst practices" playbook of many people.

I wouldn't call it a "worst practice". It's just not scalable, and not
appropriate for many environments. If we think that all non-scalable
solutions should be removed, then we should remove the DeltaManager, too.

> On the user list, there's also a person who wants to add saving the
>  principal to it, adding more risk (especially in 7.0, 8.5 and 9.0
> where the principal still includes the clear text password).
There is a better solution to that: stop storing the principal
password. It's pretty much never needed... is it?

-chris



Re: [tomcat] branch master updated: Disable session persistence by default

Posted by Rémy Maucherat <re...@apache.org>.
On Tue, Feb 18, 2020 at 10:32 AM Mark Thomas <ma...@apache.org> wrote:

> On 18/02/2020 09:06, remm@apache.org wrote:
> > This is an automated email from the ASF dual-hosted git repository.
> >
> > remm pushed a commit to branch master
> > in repository https://gitbox.apache.org/repos/asf/tomcat.git
> >
> >
> > The following commit(s) were added to refs/heads/master by this push:
> >      new d59db7a  Disable session persistence by default
> > d59db7a is described below
> >
> > commit d59db7ae7529fd9f2b067622ae661fd9338b2478
> > Author: remm <re...@apache.org>
> > AuthorDate: Tue Feb 18 10:05:49 2020 +0100
> >
> >     Disable session persistence by default
> >
> >     Persistence should be configured explicitly, either with pathname or
> >     when using a persistent manager.
>
> Hmm. I'm not sure about this.
>
> I have no figures to back this up but I imagine quite a few people use
> Tomcat the way I have used it in the past. I have often used Tomcat to
> host some simple services that aren't used very often or where brief
> downtime is OK (so a quick restart to pick up a change isn't an issue)
> but session persistence is useful.
>
> For sure, persistence across restarts is not the solution for production
> systems with high availability requirements.
>
> I guess I'm wondering what are the benefits for doing this. I can see
> some downsides but I'm struggling to see the benefit.
>

It increases shutdown and startup when there are lots of sessions, and also
uses disk space, and production people have been complaining about that in
the past (then they disable the feature since it's obviously not for them).
You also just said it is mostly useless except it might be part of the
"worst practices" playbook of many people.
On the user list, there's also a person who wants to add saving the
principal to it, adding more risk (especially in 7.0, 8.5 and 9.0 where the
principal still includes the clear text password).

As a result, I think it is better to start phasing out this feature in
Tomcat 10. The user can then either:
- configure it back using pathname (it's very easy to do it in context.xml
- the default context.xml actually includes a commented out Manager element
to disable persistence, it would switch to enabling it)
- use a persistent manager
- use the delta manager

Rémy


>
> Mark
>
>
> > ---
> >  TOMCAT-NEXT.txt | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/TOMCAT-NEXT.txt b/TOMCAT-NEXT.txt
> > index 3be3e12..a510693 100644
> > --- a/TOMCAT-NEXT.txt
> > +++ b/TOMCAT-NEXT.txt
> > @@ -47,6 +47,7 @@ New items for 10.0.0.x onwards:
> >
> >   7. Refactor DefaultServlet to use Ranges in parseRanges().
> >
> > + 8. Disable session persistence: StandardManager.pathname defaults to
> null.
> >
> >  Deferred until 10.0.x:
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: dev-help@tomcat.apache.org
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
>
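
The three ways back that Rémy lists above, written out as a per-webapp context.xml. This is an added example, not configuration text from the thread or from the Tomcat project itself; the store directory, the filter regex and the idle timeout are assumptions chosen for illustration. Only one Manager element may be active per Context, so the alternatives are left commented out.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread or the Tomcat project):
     META-INF/context.xml for one webapp, showing each option Rémy lists.
     A Context takes a single <Manager>; the alternatives are commented out. -->
<Context>

  <!-- Option 1: StandardManager with an explicit pathname.
       Once pathname defaults to null this is how file persistence across
       restarts is re-enabled. A relative pathname resolves under the
       Context's work directory; pathname="" is what the commented-out
       element in the default conf/context.xml uses to disable persistence
       today. The optional class-name filter (Tomcat 8.5 and later) limits
       which attribute value classes are deserialized when the file is
       read back at startup; the regex here is an assumption for a webapp
       that only stores simple values. -->
  <Manager className="org.apache.catalina.session.StandardManager"
           pathname="SESSIONS.ser"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|java\.util\.(?:Linked)?HashMap"
           warnOnSessionAttributeFilterFailure="true" />

  <!-- Option 2: PersistentManager backed by a FileStore.
       Sessions idle longer than maxIdleSwap seconds are swapped to disk
       under 'directory' (assumed path, must be writable by the Tomcat
       user only) and saveOnRestart persists the rest at shutdown. -->
  <!--
  <Manager className="org.apache.catalina.session.PersistentManager"
           saveOnRestart="true"
           maxIdleSwap="1800"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|java\.util\.(?:Linked)?HashMap">
    <Store className="org.apache.catalina.session.FileStore"
           directory="/var/lib/tomcat/sessions" />
  </Manager>
  -->

  <!-- Option 3: DeltaManager. Normally configured once via the <Manager>
       element inside <Cluster> in server.xml; a Context may override it
       with its own element, as shown, when clustering is enabled. -->
  <!--
  <Manager className="org.apache.catalina.ha.session.DeltaManager" />
  -->

</Context>
```

Whichever option is chosen, the persisted data is Java-serialized session state that Tomcat deserializes on the next start, so the file or store directory should be treated with the same care as the session attributes themselves; this is exactly why the proposal to add the principal (and, on 7.0/8.5/9.0, its clear-text password) to that data raised the concern voiced earlier in the thread.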

Re: [tomcat] branch master updated: Disable session persistence by default

Posted by Mark Thomas <ma...@apache.org>.
On 18/02/2020 09:06, remm@apache.org wrote:
> This is an automated email from the ASF dual-hosted git repository.
> 
> remm pushed a commit to branch master
> in repository https://gitbox.apache.org/repos/asf/tomcat.git
> 
> 
> The following commit(s) were added to refs/heads/master by this push:
>      new d59db7a  Disable session persistence by default
> d59db7a is described below
> 
> commit d59db7ae7529fd9f2b067622ae661fd9338b2478
> Author: remm <re...@apache.org>
> AuthorDate: Tue Feb 18 10:05:49 2020 +0100
> 
>     Disable session persistence by default
>     
>     Persistence should be configured explicitly, either with pathname or
>     when using a persistent manager.

Hmm. I'm not sure about this.

I have no figures to back this up but I imagine quite a few people use
Tomcat the way I have used it in the past. I have often used Tomcat to
host some simple services that aren't used very often or where brief
downtime is OK (so a quick restart to pick up a change isn't an issue)
but session persistence is useful.

For sure, persistence across restarts is not the solution for production
systems with high availability requirements.

I guess I'm wondering what are the benefits for doing this. I can see
some downsides but I'm struggling to see the benefit.

Mark


> ---
>  TOMCAT-NEXT.txt | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/TOMCAT-NEXT.txt b/TOMCAT-NEXT.txt
> index 3be3e12..a510693 100644
> --- a/TOMCAT-NEXT.txt
> +++ b/TOMCAT-NEXT.txt
> @@ -47,6 +47,7 @@ New items for 10.0.0.x onwards:
>  
>   7. Refactor DefaultServlet to use Ranges in parseRanges().
>  
> + 8. Disable session persistence: StandardManager.pathname defaults to null.
>  
>  Deferred until 10.0.x:
>  
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
> 

