users@servlet-spec.java.net

[servlet-spec users] Re: session(-less) applications

From: arjan tijms <arjan.tijms_at_gmail.com>
Date: Thu, 4 Dec 2014 19:44:21 +0100

Hi,

On Thursday, December 4, 2014, Greg Wilkins <gregw_at_intalio.com> wrote:

>
> On 28 November 2014 at 23:19, arjan tijms <arjan.tijms_at_gmail.com> wrote:
>
>> > What if generated HTML contains a href with the session ID encoded in the URL
>>
>> In sessionless mode (which includes scoping the session to a request)
>> there won't be a session ID encoded to the URL, since pretty much the
>> entire idea is to not have sessions.
>
>
> I have seen many applications that do their own appending of session ID to
> generated URL's, or that include it in a Ajax response. So if a fake
> session is being generated, it will have an ID (else other code might fail)
>

True, but that ID could then be the string "sessionless". As a matter of
fact, JSF (at least Mojarra) uses the same approach for its view state ID.
In stateless mode it doesn't contain an actual ID but the fixed string
"stateless".

> and I do not think we can prevent that session ID leaking back to the
> client in all cases.
>
>
> I think the technique described of using a HttpSessionListener is
> sufficient. Note that such a listener could also just invalidate the
> session and not throw an error. An alternate technique would be to
> register a ServletRequestListener that does an invalidate on
> requestDestroyed.
>

That's a very useful technique as well, thanks for bringing it up.

> What other flexibility is needed?
>

Well, the centralised switch for one, that all other specs and third party
libraries could use and provide default behavior for.

Having the ability to globally intercept all cookies would help too in
absence of the proposed global switch. Invalidating the session at the end
of the request could unfortunately still write out a cookie.

(Having a global interceptor/listener for cookies is useful for other
things too, such as e.g. adding a custom domain to all cookies)

Kind regards,
Arjan


>
>
> --
> Greg Wilkins <gregw_at_intalio.com> @ Webtide - *an Intalio subsidiary*
> http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that
> scales
> http://www.webtide.com advice and support for jetty and cometd.
>
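The two listener techniques discussed in the message above (an HttpSessionListener that reacts to session creation, and a ServletRequestListener that invalidates on requestDestroyed), written out as one illustrative Servlet 3.0 listener. This is an added example, not code from the thread, from the Servlet spec or from Jetty or JSF; the class name `SessionlessListener` and the `app.sessionless.strict` system property are assumptions made for the example. The fixed-string session ID idea ("sessionless", as JSF does with "stateless") needs container cooperation and is not shown.

```java
import javax.servlet.ServletRequestEvent;
import javax.servlet.ServletRequestListener;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Illustrative listener (assumed name, not from the thread) that keeps a web
 * application session-less using only standard Servlet 3.0 listener APIs.
 *
 * Two techniques from the discussion are combined:
 *  1. HttpSessionListener: react the moment any code calls
 *     request.getSession(), either by failing fast or by invalidating.
 *  2. ServletRequestListener: at the end of every request, invalidate
 *     whatever session may still exist, so nothing outlives the request.
 */
@WebListener
public class SessionlessListener implements HttpSessionListener, ServletRequestListener {

    /**
     * Assumed deployment switch (system property name chosen for this example).
     * Strict mode is useful in test environments to surface the library that
     * creates sessions. Whether an exception thrown from sessionCreated()
     * propagates to the getSession() caller is container-specific, so treat
     * strict mode as a test-time aid and rely on invalidation in production.
     */
    private static final boolean STRICT = Boolean.getBoolean("app.sessionless.strict");

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        HttpSession session = se.getSession();
        if (STRICT) {
            throw new IllegalStateException(
                "Session " + session.getId() + " was created, but this application is session-less");
        }
        // Lenient mode: log and invalidate immediately. As raised in the thread,
        // the container may already have queued a Set-Cookie for this id by the
        // time this listener runs, so invalidation alone does not guarantee that
        // no session cookie reaches the client.
        session.getServletContext().log(
            "Unexpected session " + session.getId() + " created; invalidating");
        try {
            session.invalidate();
        } catch (IllegalStateException alreadyInvalid) {
            // Another listener or the container invalidated it first; nothing to do.
        }
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Nothing to clean up: no application state is ever stored in a session.
    }

    @Override
    public void requestInitialized(ServletRequestEvent sre) {
        // Nothing to do at request start.
    }

    @Override
    public void requestDestroyed(ServletRequestEvent sre) {
        if (!(sre.getServletRequest() instanceof HttpServletRequest)) {
            return;
        }
        HttpServletRequest request = (HttpServletRequest) sre.getServletRequest();
        // getSession(false) never creates a session, so this listener cannot
        // itself become a source of sessions.
        HttpSession session = request.getSession(false);
        if (session != null) {
            try {
                session.invalidate();
            } catch (IllegalStateException alreadyInvalid) {
                // Already invalidated earlier in the request; ignore.
            }
        }
    }
}
```

On a Servlet 3.0+ container the `@WebListener` annotation registers the class automatically (unless the deployment descriptor is marked metadata-complete, in which case add a `<listener>` entry in web.xml). Because, as the message notes, end-of-request invalidation can still let a session cookie out, verify the result at the HTTP level rather than trusting the listener: request a few representative pages with `curl -i` and confirm that no `Set-Cookie` header carrying the container's session cookie name (JSESSIONID by default, or whatever `SessionCookieConfig.getName()` reports) appears in any response.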