The behavior of getSession(false) also depends on whether you're calling it from within a standard Servlet or calling it from the Request passed to a Struts Action. getSession(false) always returns null if a valid session is not associated with the current request (whether or not the client sent a session ID). Now, in a Struts Action, it will always return a non-null value because apparently Struts tries to do the developer a favor and creates a new Session if a valid one doesn't already exist. I haven't determined if this behavior can be altered in Struts.
I haven't looked at the Struts code yet but this was observed on the project I'm working on now. I had to write my own code to make sure that the request had a valid session before taking action.

On Sat, 11 Dec 2004 02:34:58 +0800, Joseph Lam <[EMAIL PROTECTED]> wrote:
> Steve Kirk wrote:
> >
> >>By default:
> >>1. getSession(true)!=null
> >>2. getSession(false)!=null
> >>
> >>But if a JSP page contains the tag <%@ page session="false" %>, then:
> >>1. getSession(true)!=null
> >>2. getSession(false)==null
> >
> >In the last of these 4 cases, do you mean that the implicit JSP session
> >object returns null, or that request.getSession(false) returns null? I
> >could understand the first behaviour but would be surprised by the second.
> >The problem is that it implies that JSPs execute the code in a way that is
> >different than if it were included in a servlet, and given that JSPs are
> >servlets, this seems puzzling. Again, perhaps I'm not fully understanding
> >either your case, or the details of how sessions work.
> >
> I'll do some testing to confirm whether the implicit session object is
> null (which I guess so). I'm sure request.getSession(false) can really
> be null coz I'm relying on that in my pages, which all are forced not to
> create session by default until I received the login params and
> authenticate them, and then manually call HttpSession mySession =
> request.getSession(true) to create one.
>
> >>For my case, sessions will only be created for logged-in
> >>users
> >
> >what is it about your case that makes this happen? I would have thought
> >that session creation is independent of whether you are authenticating or
> >not. Or is there a way to config TC to not create sessions by default, and
> >only create them when the user successfully authenticates?
> >
> Add this and TC won't create session by default: <%@ page
> session="false" %>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
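
The check discussed in this thread, as an added example that is not code from any of the posters: a servlet filter that accepts a request only when an existing session carries a login marker, so it still works when a framework has already created an empty session. The class name, the `authUser` attribute and the `startAuthenticatedSession` helper are hypothetical; the code assumes the `javax.servlet` API is on the classpath and that the filter is mapped to the protected URLs in `web.xml`.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter: a request counts as logged in only if its session holds a login marker. */
public class AuthenticatedSessionFilter implements Filter {
    // Hypothetical attribute name, set by the login code after credentials are verified.
    static final String AUTH_USER = "authUser";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) never creates a session; it returns null when
        // no valid session is associated with this request.
        HttpSession session = request.getSession(false);

        // A non-null session alone is not proof of login, because a framework
        // or a JSP without session="false" may have created one already.
        if (session == null || session.getAttribute(AUTH_USER) == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Call only after the login parameters have been authenticated. */
    static HttpSession startAuthenticatedSession(HttpServletRequest request, String user) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate(); // discard any pre-login session so its ID is not reused
        }
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute(AUTH_USER, user);
        return fresh;
    }
}
```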