Posted to user@shiro.apache.org by Albert Kam <mo...@gmail.com> on 2013/07/16 11:45:33 UTC

Shiro session creation flooding.

I notice that even as an anonymous user, a Shiro session is created (and
inserted into my db in my case) at my first access to a web page. After a
successful login, the session record is simply updated with the appropriate
attributes.

Now I tried 'stress-testing' the main page URL with:

    curl -s "http://myapp.com?[1-1000]"

And my fear came true, as I count as many created sessions as loop iterations.

So the question here is: is there any way I can avoid having a session
creation flood by a web crawler or a spammer?


-- 
Do not pursue the past. Do not lose yourself in the future.
The past no longer is. The future has not yet come.
Looking deeply at life as it is in the very here and now,
the practitioner dwells in stability and freedom.
(Thich Nhat Hanh)

Re: Shiro session creation flooding.

Posted by Albert Kam <mo...@gmail.com>.
Sorry for duplicating this on SO.
The solution which works for me is:

    /login = authc
    /logout = noSessionCreation, logout
    /** = noSessionCreation, anon

http://stackoverflow.com/questions/17673190/shiro-session-creation-flooding

Thank you so much.

On Thursday, July 18, 2013, Les Hazlewood wrote:

> <%@ page session="false" %> ?
>
> This is a JSP/Servlet container thing and not Shiro related.
>
> HTH,
>
> Les

Re: Shiro session creation flooding.

Posted by Les Hazlewood <lh...@apache.org>.
<%@ page session="false" %> ?

This is a JSP/Servlet container thing and not Shiro related.

HTH,

Les
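
Added example, not part of the original thread and not Shiro's own code: a stand-alone Java program showing the two behaviours discussed above, assuming shiro-core is on the classpath. `MemorySessionDAO` stands in for the poster's database-backed session store, `renderPage` is a hypothetical stand-in for a page that asks for a session on every hit (as a JSP does implicitly unless it declares `session="false"`), and `sessionCreationEnabled(false)` is used as the programmatic counterpart of the `noSessionCreation` filter.

```java
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.session.mgt.DefaultSessionManager;
import org.apache.shiro.session.mgt.eis.MemorySessionDAO;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.subject.support.DisabledSessionException;

public class AnonymousSessionDemo {
    static final int HITS = 1000; // same count as the curl loop in the thread

    // Hypothetical page handler: requests a session whether or not it needs one.
    static void renderPage(Subject visitor) {
        visitor.getSession(); // getSession(true): creates a session if none exists
    }

    public static void main(String[] args) {
        MemorySessionDAO store = new MemorySessionDAO(); // assumption: replaces the DB-backed DAO
        DefaultSessionManager sessions = new DefaultSessionManager();
        sessions.setSessionDAO(store);
        sessions.setSessionValidationSchedulerEnabled(false); // no background thread in this demo
        DefaultSecurityManager sm = new DefaultSecurityManager(new SimpleAccountRealm());
        sm.setSessionManager(sessions);

        // Default: every cookieless anonymous hit stores a brand-new session.
        for (int i = 0; i < HITS; i++) {
            renderPage(new Subject.Builder(sm).buildSubject());
        }
        int afterDefault = store.getActiveSessions().size();
        System.out.println("sessions stored, creation enabled:  " + afterDefault);

        // Creation disabled: the same hits store nothing; the request for a
        // new session is refused with DisabledSessionException instead.
        int refused = 0;
        for (int i = 0; i < HITS; i++) {
            Subject visitor = new Subject.Builder(sm)
                    .sessionCreationEnabled(false)
                    .buildSubject();
            try {
                renderPage(visitor);
            } catch (DisabledSessionException e) {
                refused++;
            }
        }
        int added = store.getActiveSessions().size() - afterDefault;
        System.out.println("sessions stored, creation disabled: " + added);
        System.out.println("session requests refused:           " + refused);
    }
}
```

With creation disabled, code that still asks for a new session fails rather than silently getting one, so pages mapped to `noSessionCreation` must not request a session themselves; for JSPs that means `session="false"`.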
