6

In JSF, it seems that sessions are created before a successful login. i.e. simply requesting the login page causes a new session to be created.

It seems very wasteful (and vulnerable to DDoS attacks) to create a session for each request received, rather than each successfully logged in user.

The code below is pretty generic, but shows the kind of simple scenario I'm referring to.

index.xhtml:

<html>
    <body>
        <h:form id="login">
            <h:outputLabel for="username">Username</h:outputLabel>
            <p:inputText id="username" name="username" value="#{userController.username}"/>
            <h:outputLabel for="password">Password</h:outputLabel>
            <p:password id="password" name="password" value="#{userController.password}"/>

            <p:commandButton id="loginButton" value="login" action="#{loginController.login}"/>
        </h:form>
    </body>
</html>

LoginController.java

@ViewScoped
public class LoginController implements Serializable {

    String username;
    String password;

    public void login(){
        HttpServletRequest request = (HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest();
        if (request.getSession(false) == null){
            System.out.println("No session.");
        } else {
            System.out.println("Session already exists.");
        }

        try {
            request.login(username, password);
        } catch (ServletException e) {
            FacesContext.getCurrentInstance.addMessage(null, new FacesMessage("Login failure", e.getMessage()));
        }
    }

    // username and password getters/setters

}

Edit: shambolic code example fixed

mmldrm
  • 133
  • 1
  • 8

1 Answers1

8

First of all, your testing methodology is completely wrong.

if (request.getSession() == null){
    System.out.println("No session.");
} else {
    System.out.println("Session already exists.");
}

Please carefully read the javadoc of the argumentless getSession() method. You'll realize that it never returns null.

Coming back to the concrete problem, by default JSF will indeed autocreate the session because the JSF view state has to be stored over there. If you set the JSF state saving method to client instead of server, then it won't be stored in session and hence no session needs to be created.

<context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
</context-param>

In the upcoming JSF 2.2 you could alternatively also put the bean in the request scope and use <f:view transient="true"> to go completely stateless. This is for the current JSF 2.1 version only available since Mojarra 2.1.19. See also e.g. this blog from one of Mojarra developers.

BalusC
  • 1,082,665
  • 372
  • 3,610
  • 3,555
  • Confession - the sample code was heavily adapted from our production code. I was originally using getSession(false). But that aside, thank you for confirming what I thought. Despite much hunting around (books, blogs, Oracle docs) I hadn't found explicit confirmation that JSF autocreates the session. – mmldrm Feb 12 '13 at 14:20
  • As an aside, does this indeed make it easier to take down a server by flooding it with new login requests (despite having no login credentials available)? – mmldrm Feb 12 '13 at 14:25
  • Depends on server hardware and configuration. E.g. connection/request pooling, session timeout, available memory, network bandwidth, etc. Measuring is knowing. – BalusC Feb 12 '13 at 14:27