> I think it makes sense for some wording to be added to section 13.6 of
> the Servlet spec to:
> - make clearer which authentication mechanisms (FORM) are expected to
> create HTTP sessions (I assume everyone is creating HTTP sessions
> to handle FORM auth)
> - highlight the pros/cons of creating sessions rather than
> authenticating on every request
> - recommend that containers that create sessions purely to cache the
> results of authentication provide a mechanism to disable that
>
> We could go further and add an element to web.xml to control whether or
> not a session may be created purely to cache the result of the
> authentication. No objections to that either.
I don't really see what this would achieve, IMHO this situation is
basically user error.
If you are using an authentication mechanism that requires a session
then forcibly disabling the creation of sessions will just result in
authentication being broken.
If a user really does not want a session to be created it is up to
them to pick an authentication mechanism that does not require one (and
if the container they are using creates a session when it is not really
required then I think this is just a container bug/feature and should be
treated as such).
Stuart
>
> Mark
>
>