From: Vadim Gritsenko > Jorg Heymans wrote: > > >> You missed the point. Usage of getSession() forces creation of new > >> session, which means that module *will* create new > session, despite > >> the documentation which says otherwise: > >> > >> <strong>NOTE:</strong> The module does not create a new session > >> > >> > >> So it is a bug. > >> > > Do you mean a bug in the docs or the code? > > > I tend to think that this is the bug in the code. I think > module should > not create a session, and if you want to create a session you > should do > it somewhere else (there is an action for this purpose). Querying a > session is not a request to create a session. > > > > Where am I wrong here: > > > > 1) the session module calls > > ObjectModelHelper.getRequest(objectModel).getSession(); > > > True. But this is not correct behavior. > > > > 2) this calls o.a.c.environment.http.HttpRequest.getSession() > > which calls o.a.c.environment.http.HttpRequest.getSession(true) > > > True. > > > > 3) First call there is > > serverSession = this.req.getSession(create); > > where this.req is a real javax.servlet.http.HttpServletRequest > > > True. > > > > Doing some digging in servlet-2_4-fr spec (p243-244) > > > > - public HttpSession getSession(boolean create) > > Returns the current HttpSession associated with this request or, > > [---->if there is no current session *AND* create is true<----], > > returns a new session. > > If create is false and the request has no valid > HttpSession, this method > > returns null. To make sure the session is properly maintained, you > > must call this method before the response is committed. If the > > container is using cookies to maintain session integrity > and is asked > > to create a new session when the response is committed, an > > IllegalStateException is thrown. > > > That's also correct. > > > > This tells me that if there is an existing session you get the > > existing one , irrelevant of the boolean flag (in an > > servlet-spec-adhering container that is ofcourse). > > Ofcourse this is all very theoretical but it explains (i hope) my > > reasoning. > > > Problem is the situation when there is no session yet. > > Session should not be created by the module, if it does not > exist. And > this means that module should use getSession(false) - if you > to follow > its documentation.
After following this thread I think the use of getSession(false) is the right behaviour because as Michael explained the implicit session creation within a module can be very confusing and IMHO the wrong place. So +1 changing the method. -- Reinhard
