users@javaee-spec.java.net

[javaee-spec users] Re: clarification: session(-less) applications

From: Bill Shannon <bill.shannon_at_oracle.com>
Date: Wed, 12 Nov 2014 14:27:33 -0800

This sounds like an interesting issue for the Servlet expert group to discuss.
https://java.net/projects/servlet-spec/

Yannick Majoros wrote on 11/04/14 21:59:
> Hi,
>
> That would be very welcome. Do you think there should be other mechanisms to
> make it work in jax-ws / jax-rs? Should sessions be disabled until explicitly
> enabled, or is this dangerous for compatibility?
>
> Thanks,
>
> Yannick
>
> On 04-11-14 18:05, arjan tijms wrote:
>> I absolutely agree! As a coincidence I was just discussing the exact
>> same thing here ;)
>>
>> Currently there's not even a way in Servlet to indicate that you don't
>> want any sessions. There are some workarounds like installing a filter
>> that wraps the request and blocking the createSession methods, but A)
>> that's a somewhat non-obvious and hacky way and B) it doesn't even
>> work in all situations (a JASPIC auth module for instance sees the
>> request before a Filter does, so it can create a session before a
>> Filter gets to intercept it).
>>
>> So I would propose to have at the very least a Servlet method to
>> easily disable sessions, but to investigate if it's possible to go one
>> step further and have some kind of platform wide stateless mode. JSF
>> for instance can honour that by activating its stateless mode,
>> authentication modules could perhaps either write any state they need
>> to a cookie or not use it. Etc.
>>
>> There might be some tuning options necessary, but generally
>> speaking a platform stateless mode would be great!
>>
>> Kind regards,
>> Arjan
>
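
The filter workaround mentioned in the quoted message, sketched as an added example (not code from the thread or from any specification). It assumes the `javax.servlet` API of Servlet 3.x; the class names `NoSessionFilter` and `NoSessionRequest` are hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Hypothetical filter name; javax.servlet (Servlet 3.x) API assumed.
@WebFilter("/*")
public class NoSessionFilter implements Filter {

    /** Request view that never creates a session on behalf of the caller. */
    static final class NoSessionRequest extends HttpServletRequestWrapper {
        NoSessionRequest(HttpServletRequest request) { super(request); }

        @Override
        public HttpSession getSession() { return getSession(true); }

        @Override
        public HttpSession getSession(boolean create) {
            // Passing false to the container never creates a session.
            HttpSession existing = super.getSession(false);
            if (existing == null && create) {
                throw new IllegalStateException(
                        "Session creation is disabled for this application");
            }
            // Non-null only if something ahead of this filter (for example a
            // JASPIC auth module) already created one; the wrapper cannot undo that.
            return existing;
        }
    }

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Only code that receives the wrapped request is covered.
        if (req instanceof HttpServletRequest) {
            req = new NoSessionRequest((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```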