Rémy,

On 2/18/20 04:42, Rémy Maucherat wrote:
> On Tue, Feb 18, 2020 at 10:32 AM Mark Thomas <ma...@apache.org
> <mailto:ma...@apache.org>> wrote:
>
> On 18/02/2020 09:06, r...@apache.org <mailto:r...@apache.org>
> wrote:
>> This is an automated email from the ASF dual-hosted git
>> repository.
>>
>> remm pushed a commit to branch master in repository
>> https://gitbox.apache.org/repos/asf/tomcat.git
>>
>>
>> The following commit(s) were added to refs/heads/master by this
>> push:
>>      new d59db7a Disable session persistence by default
>> d59db7a is described below
>>
>> commit d59db7ae7529fd9f2b067622ae661fd9338b2478
>> Author: remm <r...@apache.org <mailto:r...@apache.org>>
>> AuthorDate: Tue Feb 18 10:05:49 2020 +0100
>>
>>     Disable session persistence by default
>>
>>     Persistence should be configured explicitly, either with pathname or
>>     when using a persistent manager.
>
> Hmm. I'm not sure about this.
>
> I have no figures to back this up but I imagine quite a few people
> use Tomcat the way I have used it in the past. I have often used
> Tomcat to host some simple services that aren't used very often or
> where brief downtime is OK (so a quick restart to pick up a change
> isn't an issue) but session persistence is useful.
>
> For sure, persistence across restarts is not the solution for
> production systems with high availability requirements.
>
> I guess I'm wondering what are the benefits for doing this. I can
> see some downsides but I'm struggling to see the benefit.
>
>
> It increases shutdown and startup when there are lots of sessions,
> and also uses disk space, and production people have been
> complaining about that in the past (then they disable the feature
> since it's obviously not for them).
>
> [...]
>
> As a result, I think it is better to start phasing out this feature
> in Tomcat 10.

+1

It's easy to re-enable.

> You also just said it is mostly useless except it might be part of
> the "worst practices" playbook of many people.

I wouldn't call it a "worst practice". It's just not scalable, and not
appropriate for many environments. If we think that all non-scalable
solutions should be removed, then we should remove the DeltaManager,
too.

> On the user list, there's also a person who wants to add saving the
> principal to it, adding more risk (especially in 7.0, 8.5 and 9.0
> where the principal still includes the clear text password).

There is a better solution to that: stop storing the principal
password. It's pretty much never needed... is it?

-chris
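
The risk raised at the end of the thread, as an added example that is not part of the original message and is not Tomcat code: anything written through Java serialization carries its non-transient fields verbatim, so a principal that holds the password puts the cleartext into the persistence file. Both principal classes below are hypothetical stand-ins, not Tomcat's own principal implementation, and the user name and password are constructed sample values.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.Arrays;

public class PrincipalPersistenceDemo {

    // Hypothetical principal that keeps the password as an ordinary serializable field.
    static class StoredPasswordPrincipal implements Principal, Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        private final String password;
        StoredPasswordPrincipal(String name, String password) { this.name = name; this.password = password; }
        @Override public String getName() { return name; }
    }

    // Same shape, but the password is transient, so Java serialization skips it.
    static class TransientPasswordPrincipal implements Principal, Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        private final transient String password;
        TransientPasswordPrincipal(String name, String password) { this.name = name; this.password = password; }
        @Override public String getName() { return name; }
    }

    // Serialize the object the way a session store would write an attribute to disk.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    // Plain byte search: is the needle present anywhere in the serialized stream?
    static boolean contains(byte[] haystack, byte[] needle) {
        for (int i = 0; i + needle.length <= haystack.length; i++) {
            if (Arrays.equals(Arrays.copyOfRange(haystack, i, i + needle.length), needle)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        String password = "constructed-sample-pw"; // constructed sample value
        byte[] needle = password.getBytes(StandardCharsets.UTF_8);
        byte[] stored = serialize(new StoredPasswordPrincipal("alice", password));
        byte[] skipped = serialize(new TransientPasswordPrincipal("alice", password));
        System.out.println("serializable password field, cleartext in stream: " + contains(stored, needle));
        System.out.println("transient password field, cleartext in stream:    " + contains(skipped, needle));
    }
}
```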