tomcat-users mailing list archives

From "Will Hartung" <wi...@msoft.com>
Subject Re: Tomcat 4.1.18 session objects
Date Wed, 26 Feb 2003 00:30:21 GMT
> From: "Greg Speechley" <greg@learnedsolutions.com>
> Sent: Tuesday, February 25, 2003 4:09 PM
> Subject: RE: Tomcat 4.1.18 session objects


> I realise that sessions are for user tracking, etc but I wanted to know why
> it was suggested that it was a bad idea to store them in a vector so that
> you would have access to a list of users who are currently logged in (have
> valid sessions). As I understand it Tomcat doesn't give you the ability to
> access such a list so you would have to store it yourself. Why would this be
> unreliable?

It was probably removed or never added for similar reasons why you can't
access the other servlets within a container. Conceptually, if you could
"sniff" other sessions destined for other users/servlets/webapps, you might
create a monstrous security hole in a shared container.

Since there's no real way (according to spec) to bind sessions to a
particular webapp, sessions end up being global to the container (so you have a
global session list vs a webapp specific session list). Now, if they WERE
webapp specific sessions, no doubt folks would be screaming about wanting to
make them global, so you really can't win.

As someone else mentioned, you might try caching the sessions into a global
map with a filter if you'd like to track users, but, particularly with
session persistence and reloading, there's no guarantee that a session is
the "same" session as the one you have stored in your list.

Regards,

Will Hartung
(willh@msoft.com)
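
One way to keep a "who is logged in" list without holding `HttpSession` objects, added here as an illustration and not taken from the thread or from Tomcat. It assumes the Servlet 2.3 `javax.servlet` listener interfaces; the class name `LoggedInUser` and the attribute key `"user"` are hypothetical.

```java
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSessionActivationListener;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;
import javax.servlet.http.HttpSessionEvent;

/** Stored in the session at login: session.setAttribute("user", new LoggedInUser(name)). */
public class LoggedInUser implements HttpSessionBindingListener,
        HttpSessionActivationListener, Serializable {

    // Session id -> user name. Only strings are kept, never HttpSession
    // references, so a stale entry cannot expose another user's session data
    // or keep an expired session reachable.
    private static final Map<String, String> ACTIVE = new ConcurrentHashMap<String, String>();

    private final String userName;
    // Re-read from the container on every bind/activate, so not serialized.
    private transient String sessionId;

    public LoggedInUser(String userName) { this.userName = userName; }

    // Called when the attribute is added to a session (login).
    public void valueBound(HttpSessionBindingEvent e) { register(e.getSession().getId()); }

    // Called on removeAttribute, invalidate() and session timeout (logout).
    public void valueUnbound(HttpSessionBindingEvent e) { unregister(); }

    // Called before the container writes the session out (persistence).
    public void sessionWillPassivate(HttpSessionEvent e) { unregister(); }

    // Called after the container restores the session, possibly into a
    // freshly loaded class whose static map starts out empty.
    public void sessionDidActivate(HttpSessionEvent e) { register(e.getSession().getId()); }

    private void register(String id) { sessionId = id; ACTIVE.put(id, userName); }

    private void unregister() { if (sessionId != null) ACTIVE.remove(sessionId); }

    /** Copy of the current list, safe to iterate in an admin page. */
    public static Map<String, String> snapshot() { return new HashMap<String, String>(ACTIVE); }
}
```

The map is a static of the webapp's own class, so it only ever sees sessions that this webapp populated at login.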



