You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@tomee.apache.org by Ronny Karallus <ro...@gmail.com> on 2013/09/11 23:06:28 UTC

OpenEJBHttpServer Responses will always have a session?

Diging for another problem in the source code I found the following piece
of code that is called on
org.apache.openejb.server.httpd.HttpResponseImpl.writeMessage(...) - so
pretty much on any response for the OpenEJBHttpServer:

    /** closes the message sent to the browser
     */
    private void closeMessage() {
        setContentLengthHeader();
        setCookieHeader();
    }

    private void setCookieHeader() {
        if (request == null || request.getSession() == null) return;

        HttpSession session = request.getSession(false);

        if (session == null) return;

<= the session will never be null here because you are calling
request.getSession(true) implicitly in line 1 of setCookieHeader() which
will create a session if there is none. This will in the end mean that
every request hitting the appserver will create a session even if it doesnt
require one ...

I am wondering if this is really on purpose or if this is a bug that needs
to be posted ... I found this in trunk and in version 1.5.2

Thanks

Re: OpenEJBHttpServer Responses will always have a session?

Posted by Romain Manni-Bucau <rm...@gmail.com>.

Thanks for the report: https://issues.apache.org/jira/browse/TOMEE-1028

*Romain Manni-Bucau*
*Twitter: @rmannibucau <https://twitter.com/rmannibucau>*
*Blog: **http://rmannibucau.wordpress.com/*<http://rmannibucau.wordpress.com/>
*LinkedIn: **http://fr.linkedin.com/in/rmannibucau*
*Github: https://github.com/rmannibucau*



2013/9/11 Ronny Karallus <ro...@gmail.com>

> Diging for another problem in the source code I found the following piece
> of code that is called on
> org.apache.openejb.server.httpd.HttpResponseImpl.writeMessage(...) - so
> pretty much on any response for the OpenEJBHttpServer:
>
>     /** closes the message sent to the browser
>      */
>     private void closeMessage() {
>         setContentLengthHeader();
>         setCookieHeader();
>     }
>
>     private void setCookieHeader() {
>         if (request == null || request.getSession() == null) return;
>
>         HttpSession session = request.getSession(false);
>
>         if (session == null) return;
>
> <= the session will never be null here because you are calling
> request.getSession(true) implicitly in line 1 of setCookieHeader() which
> will create a session if there is none. This will in the end mean that
> every request hitting the appserver will create a session even if it doesnt
> require one ...
>
> I am wondering if this is really on purpose or if this is a bug that needs
> to be posted ... I found this in trunk and in version 1.5.2
>
> Thanks
>