Preventing tomcat from creating sessions


Preventing tomcat from creating sessions

by Youssef Mohammed

Hi,
  I am writing a set of RESTful services. Clients do not send cookies and we
don't want to use URL rewriting for most
of the services (they are just stateless).
The issue is that when the client calls http://localhost/services/resource, say,
n times, the application server/servlet container creates n sessions!
How do I prevent that from happening?
--
Regards, Youssef

Re: Preventing tomcat from creating sessions

by Christopher Schultz-2

Youssef,

Youssef Mohammed wrote:
| I am writing a set of RESTful services. Clients do not send cookies and we
| don't want to use URL rewriting for most
| of the services (they are just stateless).
| The issue is that when the client calls http://localhost/services/resource, say,
| n times, the application server/servlet container creates n sessions!
| How do I prevent that from happening?

AFAIK, Tomcat does not create a session unless the code you are running
requests a session to be created. Are you using JSPs? Do they have
session="false" set in them? What about other code that might be calling
request.getSession(true) or request.getSession()?

You should be able to find the cause of the sessions being created AND
prevent them from actually being created by using a filter like this:

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// In the Filter implementation:
public void doFilter(ServletRequest request,
                     ServletResponse response,
                     FilterChain chain)
    throws IOException, ServletException
{
  // Wrap HTTP requests so that session requests are intercepted
  if(request instanceof HttpServletRequest)
    request = new SessionKillingRequest((HttpServletRequest)request);

  chain.doFilter(request, response);
}

public class SessionKillingRequest
    extends HttpServletRequestWrapper
{
  public SessionKillingRequest(HttpServletRequest request)
  {
    super(request);
  }

  public HttpSession getSession(boolean create)
  {
    if(create)
    {
      // Show which code path asked for a new session
      new Throwable("Attempted session creation").printStackTrace();
    }
    // Never hand a session back to the caller
    return null;
  }
}

This will print a stack trace indicating where your code is requesting a
session, and it should prevent the creation of those sessions.

-chris

---------------------------------------------------------------------
To start a new topic, e-mail: users@...
To unsubscribe, e-mail: users-unsubscribe@...
For additional commands, e-mail: users-help@...


Re: Preventing tomcat from creating sessions

by Leon Rosenberg-3

On Wed, May 14, 2008 at 7:34 PM, Christopher Schultz
<chris@...> wrote:

> public class SessionKillingRequest
>     extends HttpServletRequestWrapper
> {
>   public SessionKillingRequest(HttpServletRequest request)
>   {
>     super(request);
>   }
>
>   public HttpSession getSession(boolean create)
>   {
>     if(create)
>     {
>       new Throwable("Attempted session creation").printStackTrace();
>     }
>     return null;
>   }
> }
>

The getSession() call without parameters also creates a new session.

regards
Leon



Re: Preventing tomcat from creating sessions

by Christopher Schultz-2

Leon,

Leon Rosenberg wrote:
| On Wed, May 14, 2008 at 7:34 PM, Christopher Schultz
| <chris@...> wrote:
|> public class SessionKillingRequest
|>     extends HttpServletRequestWrapper
|> {
|>   public SessionKillingRequest(HttpServletRequest request)
|>   {
|>     super(request);
|>   }
|>
|>   public HttpSession getSession(boolean create)
|>   {
|>     if(create)
|>     {
|>       new Throwable("Attempted session creation").printStackTrace();
|>     }
|>     return null;
|>   }
|> }
|>
|
| the getSession() call without parameters also creates a new session.

I assumed that getSession() simply called getSession(true). Is that not
the case? Oh, well. It's easy to implement that, too:

public HttpSession getSession() { return getSession(true); }

-chris


Re: Preventing tomcat from creating sessions

by Leon Rosenberg-3

Well, in the current Tomcat impl (trunk) it does, but since it's an
implementation detail which isn't guaranteed by the API contract of
HttpServletRequest, you probably should capture it explicitly.

regards
Leon



Re: Preventing tomcat from creating sessions

by Christopher Schultz-2

Leon,

Leon Rosenberg wrote:
| Well, in the current Tomcat impl (trunk) it does, but since it's an
| implementation detail which isn't guaranteed by the API contract of
| HttpServletRequest, you probably should capture it explicitly.

Excellent point. Thanks for the correction.

-chris
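
Added example, not part of the original thread: a complete filter that consolidates the points raised above, overriding both getSession() overloads explicitly as Leon suggests and logging the request URI with the stack trace. The class name NoSessionFilter, the use of java.util.logging, and the javax.servlet (pre-Jakarta) package names are assumptions.

```java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

// Hypothetical filter class; map it in web.xml to the stateless service URLs.
public class NoSessionFilter implements Filter {
    private static final Logger LOG =
            Logger.getLogger(NoSessionFilter.class.getName());

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            request = new SessionKillingRequest((HttpServletRequest) request);
        }
        chain.doFilter(request, response);
    }

    static class SessionKillingRequest extends HttpServletRequestWrapper {
        SessionKillingRequest(HttpServletRequest request) { super(request); }

        // Overridden explicitly: the API contract does not promise that the
        // container routes getSession() through getSession(true).
        @Override
        public HttpSession getSession() {
            return getSession(true);
        }

        @Override
        public HttpSession getSession(boolean create) {
            if (create) {
                // The Throwable's stack trace identifies the calling code.
                LOG.log(Level.WARNING, "Session requested for " + getRequestURI(),
                        new Throwable("Attempted session creation"));
            }
            return null; // never create or expose a session on these paths
        }
    }
}
```

The wrapper returns null from getSession(), which the servlet API itself never does, so any code that dereferences the result fails with a NullPointerException. Map the filter only to URL patterns that are meant to be stateless.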