On Tue, Feb 18, 2020 at 10:32 AM Mark Thomas <ma...@apache.org> wrote:
> On 18/02/2020 09:06, r...@apache.org wrote: > > This is an automated email from the ASF dual-hosted git repository. > > > > remm pushed a commit to branch master > > in repository https://gitbox.apache.org/repos/asf/tomcat.git > > > > > > The following commit(s) were added to refs/heads/master by this push: > > new d59db7a Disable session persistence by default > > d59db7a is described below > > > > commit d59db7ae7529fd9f2b067622ae661fd9338b2478 > > Author: remm <r...@apache.org> > > AuthorDate: Tue Feb 18 10:05:49 2020 +0100 > > > > Disable session persistence by default > > > > Persistence should be configured explicitly, either with pathname or > > when using a persistent manager. > > Hmm. I'm not sure about this. > > I have no figures to back this up but I imagine quite a few people use > Tomcat the way I have used it in the past. I have often used Tomcat to > host some simple services that aren't used very often or where brief > downtime is OK (so a quick restart to pick up a change isn't an issue) > but session persistence is useful. > > For sure, persistence across restarts is not the solution for production > systems with high availability requirements. > > I guess I'm wondering what are the benefits for doing this. I can see > some downsides but I'm struggling to see the benefit. > It increases shutdown and startup when there are lots of sessions, and also uses disk space, and production people have been complaining about that in the past (then they disable the feature since it's obviously not for them). You also just said it is mostly useless except it might be part of the "worst practices" playbook of many people. On the user list, there's also a person who wants to add saving the principal to it, adding more risk (especially in 7.0, 8.5 and 9.0 where the principal still includes the clear text password). As a result, I think it is better to start phasing out this feature in Tomcat 10. The user can then either: - configure it back using pathname (it's very easy to do it in context.xml - the default context.xml actually includes a commented out Manager element to disable persistence, it would switch to enabling it) - use a persistent manager - use the delta manager Rémy > > Mark > > > > --- > > TOMCAT-NEXT.txt | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/TOMCAT-NEXT.txt b/TOMCAT-NEXT.txt > > index 3be3e12..a510693 100644 > > --- a/TOMCAT-NEXT.txt > > +++ b/TOMCAT-NEXT.txt > > @@ -47,6 +47,7 @@ New items for 10.0.0.x onwards: > > > > 7. Refactor DefaultServlet to use Ranges in parseRanges(). > > > > + 8. Disable session persistence: StandardManager.pathname defaults to > null. > > > > Deferred until 10.0.x: > > > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org > > For additional commands, e-mail: dev-h...@tomcat.apache.org > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org > For additional commands, e-mail: dev-h...@tomcat.apache.org > >
