0

I want to create session only when a user is authenticated successfully in my web application. But for some reason struts2 creating session objects even though we just accessing login page.

I went thorough some documentation of struts2 and found using struts.custom.i18n.resources might create sessions. So I removed it from my struts.xml file. But even though session is getting created in my web application.

Any help/thoughts on this is really appreciated.

Updated Question

I had the following lines in my web.xml to work with Cayenne data context.

<filter>
    <filter-name>CayenneFilter</filter-name>
    <filter-class>org.apache.cayenne.conf.WebApplicationContextFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CayenneFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Is this causing session creation in my web applications?

-Narendra

Narendra
  • 5,635
  • 10
  • 42
  • 54
  • Please reformulate the question which _struts2 creating session objects_, why and when. – Roman C Nov 06 '12 at 15:47
  • http://stackoverflow.com/questions/2255814/can-i-turn-off-the-httpsession-in-web-xml can be helpful – Santosh Gokak Nov 06 '12 at 17:39
  • Application server is responsible for creating and managing sessions not struts 2. There is no point is trying to disable this, see Davids answer. – Quaternion Nov 07 '12 at 02:58

2 Answers2

4

JSP pages create session automatically unless you specifically include a directive telling them not to.

IMO trying to prevent session creation is a waste of time. Instead, put something in the session on a valid login, and invalidate the session on logout. Anything else is too much work.

Dave Newton
  • 158,873
  • 26
  • 254
  • 302
  • I am already using following directive in my jsp page to prevent to session creation. <%@page session="false" %> . – Narendra Nov 07 '12 at 06:09
  • @Narendra Seriously, there's just no reason to go to all the trouble. Why do you care if there's an unused session? – Dave Newton Nov 07 '12 at 12:04
2

Here is an answer from the Cayenne perspective. By default WebApplicationContextFilter lazily creates a session-bound ObjectContext for each request that the filter matches. This creates an HttpSession of course.

So one solution would be to reduce the filter mapping from "/*" to a more specific URL that corresponds to authenticated pages. Then Cayenne filter will not be called for anonymous users.

If this can't be done, create your own version of WebApplicationContextFilter (after all WebApplicationContextFilter is just an example of how Cayenne can be bootstrapped in the app, so check its source, and create something similar for yourself). Your own filter can implement some logic that skips ObjectContext (and session) creation for anonymous.

andrus_a
  • 2,528
  • 1
  • 16
  • 10