Rémy,

On 6/16/16 5:52 AM, Rémy Maucherat wrote:
> 2016-06-16 11:25 GMT+02:00 Andy Wilkinson <awilkin...@pivotal.io>:
>
>> On Thu, Jun 16, 2016 at 10:21 AM, Rémy Maucherat <r...@apache.org> wrote:
>>
>>> -1, I am against fake improvements.
>>>
>>
>> Do you consider the improvement for applications that do not use HTTP
>> sessions at all to also be fake?
>>
> This does not sound very realistic or common to me.

50% of our application deployments are cookie-less, and we deploy on
separate Tomcats running on separate JVMs. That means that we have 50%
of our Tomcat instances that will never create an instance of
javax.servlet.http.HttpSession.

If SecureRandom is only being used for HttpSession id generation, it's
not necessary to do it on startup.

> There are different products, with different behaviors, that give
> users a choice. Tomcat's strategy avoids any risk to delay user
> requests, so is not effectively worse than the other strategy.

I disagree: Tomcat's behavior will cause time-to-first-byte after a
restart to be the same as e.g. Undertow for a request-with-a-session,
but the time-to-first-byte for Undertow will be significantly less for a
request that does not require a session.

> You're basically asking for all products to behave the same because
> it would be nicer for your own product. That's fine, but choice is
> good.

No, that's not what he's saying at all. Lazy Random-init sounds like a
good idea. It's not clear to me if there are any particular problems
with such a strategy given Tomcat's current implementation.
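The lazy SecureRandom initialization discussed in the message above, as an added example that is not part of the original thread and is not Tomcat's or Undertow's code. The class name `LazySessionIdGenerator`, the 16-byte id length and the `seeded` flag are assumptions made for the illustration.

```java
import java.security.SecureRandom;
import java.util.concurrent.atomic.AtomicBoolean;

// Hypothetical class for illustration; not Tomcat's session id generator.
public class LazySessionIdGenerator {
    // Set when the holder initializes, so the demo can observe when seeding happened.
    static final AtomicBoolean seeded = new AtomicBoolean(false);

    // Initialization-on-demand holder: the JVM initializes this class exactly once,
    // thread-safely, the first time Holder.RNG is read. Nothing runs at startup.
    private static final class Holder {
        static final SecureRandom RNG = create();

        private static SecureRandom create() {
            SecureRandom rng = new SecureRandom();
            rng.nextBytes(new byte[1]); // force seeding here, the step that can block
            seeded.set(true);
            return rng;
        }
    }

    // 16 random bytes (assumed length) rendered as 32 hex characters.
    public static String newSessionId() {
        byte[] raw = new byte[16];
        Holder.RNG.nextBytes(raw);
        StringBuilder sb = new StringBuilder(32);
        for (byte b : raw) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // "Startup" plus any number of session-less requests: the RNG is never touched.
        System.out.println("seeded after startup: " + seeded.get());

        long t0 = System.nanoTime();
        String id = newSessionId(); // the first request that needs a session pays the cost
        long firstMs = (System.nanoTime() - t0) / 1_000_000;
        System.out.println("first id " + id + " took " + firstMs + " ms, seeded: " + seeded.get());

        t0 = System.nanoTime();
        newSessionId(); // later ids reuse the already seeded instance
        System.out.println("second id took " + (System.nanoTime() - t0) / 1_000 + " us");
    }
}
```

The trade-off argued in the thread is visible in the output: an instance that never creates a session never seeds the generator, while the first session-creating request absorbs whatever delay seeding incurs on that host.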