tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: Preventing tomcat from creating sessions
Date Wed, 14 May 2008 17:34:20 GMT
Hash: SHA1


Youssef Mohammed wrote:
| I am writing a set of RESTful services. client do not send cookies and we
| don't want to user URL rewriting for most
| of the services (they are just stateless).
| The issue is when the client calls
http://localhost/services/resource say
| n times, the application server/servlet container creates n sessions !
| How do i prevent that from happening ?

AFAIK, Tomcat does not create a session unless the code you are running
requests a session to be created. Are you using JSPs? Do they have
session="false" set in them? What about other code that might be calling
request.getSession(true) or request.getSession()?

You should be able to find the cause of the sessions being created AND
prevent them from actually being created by using a filter like this:

public void doFilter(ServletRequest request,
~                     ServletResponse response,
~                     FilterChain chain)
~  if(request instanceof HttpServletRequest)
~    request = new SessionKillingRequest((HttpServletRequest)request);

~  chain.doFilter(request, response);

public class SessionKillingRequest
~   extends HttpServletRequestWrapper
~  public SessionKillingRequest(HttpServletRequest request)
~  {
~    super(request);
~  }

~  public HttpSession getSession(boolean create)
~  {
~    if(create)
~    {
~      new Throwable("Attempted session creation").printStackTrace();
~    }
~    return null;
~  }

This will print a stack trace indicating where your code is requesting a
session, and it should prevent the creation of those sessions.

- -chris
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla -


To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message