On 18/02/2020 09:42, Rémy Maucherat wrote: > On Tue, Feb 18, 2020 at 10:32 AM Mark Thomas <ma...@apache.org > <mailto:ma...@apache.org>> wrote: > > On 18/02/2020 09:06, r...@apache.org <mailto:r...@apache.org> wrote: > > This is an automated email from the ASF dual-hosted git repository. > > > > remm pushed a commit to branch master > > in repository https://gitbox.apache.org/repos/asf/tomcat.git > > > > > > The following commit(s) were added to refs/heads/master by this push: > > new d59db7a Disable session persistence by default > > d59db7a is described below > > > > commit d59db7ae7529fd9f2b067622ae661fd9338b2478 > > Author: remm <r...@apache.org <mailto:r...@apache.org>> > > AuthorDate: Tue Feb 18 10:05:49 2020 +0100 > > > > Disable session persistence by default > > > > Persistence should be configured explicitly, either with > pathname or > > when using a persistent manager. > > Hmm. I'm not sure about this. > > I have no figures to back this up but I imagine quite a few people use > Tomcat the way I have used it in the past. I have often used Tomcat to > host some simple services that aren't used very often or where brief > downtime is OK (so a quick restart to pick up a change isn't an issue) > but session persistence is useful. > > For sure, persistence across restarts is not the solution for production > systems with high availability requirements. > > I guess I'm wondering what are the benefits for doing this. I can see > some downsides but I'm struggling to see the benefit. > > > It increases shutdown and startup when there are lots of sessions, and > also uses disk space, and production people have been complaining about > that in the past (then they disable the feature since it's obviously not > for them). You also just said it is mostly useless except it might be > part of the "worst practices" playbook of many people.
Fair enough. I'm convinced. > On the user list, there's also a person who wants to add saving the > principal to it, adding more risk (especially in 7.0, 8.5 and 9.0 where > the principal still includes the clear text password). I'm just reviewing that proposal now. > As a result, I think it is better to start phasing out this feature in > Tomcat 10. The user can then either: > - configure it back using pathname (it's very easy to do it in > context.xml - the default context.xml actually includes a commented out > Manager element to disable persistence, it would switch to enabling it) That would work for me. Thanks for the explanation. Mark > - use a persistent manager > - use the delta manager > > Rémy > > > > Mark > > > > --- > > TOMCAT-NEXT.txt | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/TOMCAT-NEXT.txt b/TOMCAT-NEXT.txt > > index 3be3e12..a510693 100644 > > --- a/TOMCAT-NEXT.txt > > +++ b/TOMCAT-NEXT.txt > > @@ -47,6 +47,7 @@ New items for 10.0.0.x onwards: > > > > 7. Refactor DefaultServlet to use Ranges in parseRanges(). > > > > + 8. Disable session persistence: StandardManager.pathname > defaults to null. > > > > Deferred until 10.0.x: > > > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org > <mailto:dev-unsubscr...@tomcat.apache.org> > > For additional commands, e-mail: dev-h...@tomcat.apache.org > <mailto:dev-h...@tomcat.apache.org> > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org > <mailto:dev-unsubscr...@tomcat.apache.org> > For additional commands, e-mail: dev-h...@tomcat.apache.org > <mailto:dev-h...@tomcat.apache.org> > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
