Jean-Michel Leon wrote:
> Hi,
>
> from the spec (1.0, p50), the session object seems to be created
> regardless of whether the app needs session support or not. It also
> seems to be the case with the default implementation (1.0-ea) (I traced
> this behavior through Apache/Jserv, and getSession() is called for any
> JSP page).
>
Sessions are optional -- see the "page" directive, which supports an attribute
to say that sessions are not needed:
<%@ page language="java" session="false" ... %>
Don't know if the reference implementation obeys this (it has a bug on
"import", which has to be spelled "imports" right now), but the spec makes it
quite clear that sessions are optional -- even on your page 50 reference, where
it describes the session variable like this (capitals are my emphasis):
The session object created for
the requesting client (IF ANY)
>
> This is an extremely annoying behavior, because it forbids the use of
> JSP for stateless apps: If I don't need session support, my customers
> should not have to accept cookies just because of implementation reasons
> in JSP.
>
Hardly. It does not even forbid using sessions with cookies turned off, as
long as you use the URL encoding rules outlined in the servlet spec. In a
stateless app (where you haven't yet made the change described above), even if
you send the cookies, the client will just ignore them.
>
> If I'm correct regarding this default behavior, I think this is a major
> flaw in JSP. I really really hope I am missing something, and that this
> behavior can be disabled. any idea ?
>
You are correct that the default assumption is that you need session support
(see page 42). I think this is the right default, for two reasons:
* IMHO most apps will want session support anyway,
so there's something of a "majority rules" feel.
* The consequences of forgetting to change the default
are much more severe -- if the default were "false", and
you forget to say session=true on even one of your JSP
pages in an app, you will be faced with mystifying losses
of session information that are really hard to track down.
The cost of creating sessions you don't need in a stateless
environment (where you forget to say session=false) is
much less painful. If the browser has cookies disabled,
it's going to ignore the cookies anyway.
This is also the page to look at for how to disable the default behavior.
>
> jm.
>
Craig McClanahan
===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff JSP-INTEREST". For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".
