[
https://issues.apache.org/jira/browse/SHIRO-340?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13189415#comment-13189415
]
Les Hazlewood commented on SHIRO-340:
-------------------------------------
I've done extensive searching through the code to ensure we don't start
sessions unnecessarily for satisfying Shiro's needs. This work was done when
creating the 'noSessionCreation' filter feature in Shiro 1.2. You can use the
'noSessionCreation' filter if you need to enforce this at the filter chain
level or create and configure a 'DisabledSessionManager' class to disable
sessions entirely.
Until we create a pluggable 'RequestStore' mechanism that would allow
customization of using sessions or using a cookie, there is no way to avoid
this at the moment (aside from using the 'noSessionCreation' filter). Based on
this, I would ask that this issue be renamed to 'Create customizable
RequestStore mechanism to support request storage for redirect' (or something
similar).
> Shiro should avoid creating sessions if one doesn't exist
> ---------------------------------------------------------
>
> Key: SHIRO-340
> URL: https://issues.apache.org/jira/browse/SHIRO-340
> Project: Shiro
> Issue Type: Improvement
> Components: Web
> Affects Versions: 1.1.0, 1.2.0
> Reporter: Kalle Korhonen
>
> WebUtils.saveRequest() forces creating a session even if doesn't exist
> before. This hinders scalability. For savedRequests, it's not clear session
> is needed at all, a cookie might be better option for storing information in
> this case. Similarly, we should go through the rest of the codebase and see
> if sessions are created unnecessarily.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
