Do you mean a bug in the docs or the code?
You missed the point. Usage of getSession() forces creation of new session, which means that module *will* create new session, despite the documentation which says otherwise:
<strong>NOTE:</strong> The module does not create a new session
So it is a bug.
Where am I wrong here:
1) the session module calls ObjectModelHelper.getRequest(objectModel).getSession(); 2) this calls o.a.c.environment.http.HttpRequest.getSession() which calls o.a.c.environment.http.HttpRequest.getSession(true) 3) First call there is serverSession = this.req.getSession(create); where this.req is a real javax.servlet.http.HttpServletRequest
Doing some digging in servlet-2_4-fr spec (p243-244)
- public HttpSession getSession(boolean create)
Returns the current HttpSession associated with this request or, [---->if there is no current session *AND* create is true<----], returns a new session.
If create is false and the request has no valid HttpSession, this method
returns null. To make sure the session is properly maintained, you must call this method before the response is committed. If the container is using cookies to maintain session integrity and is asked to create a new session when the response is committed, an IllegalStateException is thrown.
This tells me that if there is an existing session you get the existing one , irrelevant of the boolean flag (in an servlet-spec-adhering container that is ofcourse).
Ofcourse this is all very theoretical but it explains (i hope) my reasoning.
rgds Jorg
