users@servlet-spec.java.net

[servlet-spec users] Re: session(-less) applications

From: Mark Struberg <struberg_at_yahoo.de>
Date: Fri, 28 Nov 2014 11:03:08 +0000 (UTC)

Whoops, accidentally pressed send too early.

> For me it boils down to what Mark Thomas and a few others already said:
basically it's either a user error to use this auth mechanism, or a bug in the auth mechanism to require the session. But it's nothing the spec should do against it. The servlet spec is already large enough. We should not try to bloat it even further by adding redundant words of caution.

LieGrue,
strub





> On Friday, 28 November 2014, 12:00, Mark Struberg <struberg_at_yahoo.de> wrote:
> Having a temp session just for a single request cries for getting misused I fear :/
> What if you have another app which requires a real session?
>
>
> For me it boils down to what Mark Thomas and a few others already said:
>
>
>
>
>
>> On Thursday, 27 November 2014, 4:33, Stuart Douglas <sdouglas_at_redhat.com> wrote:
>>
>> ----- Original Message -----
>>> From: "Greg Wilkins" <gregw_at_intalio.com>
>>> To: "users" <users_at_servlet-spec.java.net>
>>> Sent: Thursday, 27 November, 2014 2:05:26 PM
>>> Subject: [servlet-spec users] Re: session(-less) applications
>>>
>>> On 27 November 2014 at 10:02, arjan tijms <arjan.tijms_at_gmail.com> wrote:
>>>
>>> > A central switch that switches off sessions would also be really
>>> > convenient for various others specs
>>> >
>>>
>>> But sessions are off by default.
>>>
>>> You only get a session if you ask for one or use an authentication
>>> mechanism that asks for one on your behalf.
>>>
>>> If we add a mechanism to turn off sessions and then all the apps/frameworks
>>> that are currently doing getSession(true) on behalf of the user (and thus
>>> making the user try a hack to get rid of the session), will just throw a
>>> NPE or ISE instead.
>>
>> Well one of the proposed options was for it to just return a session that
>> lasts for a single request.
>>
>> I'm still not sure what the actual use case for this is, I assume it is an
>> app with some 3rd party code calls getSession(true)? If this is the case I
>> don't really like the idea of adding session less applications to the spec
>> just to work around it.
>>
>> Stuart
>>
>>
>>>
>>> cheers
>>>
>>>
>>>
>>> --
>>> Greg Wilkins <gregw_at_intalio.com> @ Webtide - *an Intalio subsidiary*
>>> http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales
>>> http://www.webtide.com advice and support for jetty and cometd.
>>>
>>
>