This is exactly what I'm looking for. For some of the applications I'm working on, my customers are paranoid about security. I think that if an unauthenticated user is able to create a session on the server, it can expose the server to a DoS attack, because every created session will use some memory.

It is really simple to write a client that sends hundreds of requests to the server. If a session is created on each request, the server will quickly be out of memory (Session object + stored objects (Locale) size). If a session is created only for authenticated users, the server will survive such a (simple) attack. Perhaps I'm wrong about this; if this scenario is stupid please tell me.

For example, I've seen that RequestUtils.retrieveUserLocale() uses request scope if no session exists. This way, no session is created when displaying a login JSP that uses i18n. With locale="true" (default) a new session is created when ActionServlet processes a request. We need to set it to false to control session creation.

I want to know if there are other Struts properties to set to avoid creating a new session for a non-authenticated user.

Nico.

> Hi Manfred
>
> I think Nicolas is trying to find all places where Struts manipulates the
> session in some way.
>
> Locale=True does indeed manipulate the session, thus resulting in the
> session being created, if not already there.
>
> When no one (action, object, tag, whatever) has requested attributes to be
> stored in the session, no session object will exist. Session info (cookie,
> URL rewriting, etc.) is only created if there are attributes on the Session
> object. Am I correct on this one?
>
> I don't understand WHY Nicolas does not want the session to be created... Is
> it because of memory usage... denial of service attacks...?
>
> Maybe I don't understand Nicolas too... but it did give my few pennies
> away :-)
>
> Regards
>
> Henrik
>
> ----- Original Message -----
> From: "Manfred Wolff" <[EMAIL PROTECTED]>
> To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> Sent: Thursday, January 08, 2004 3:22 PM
> Subject: Re: Configuring Struts NOT to create (unauthentified) sessions
>
>
> > Nicolas.
> >
> > I perhaps don't understand you, but (!) the locale attribute has nothing
> > to do with creating sessions! The locale attribute tells Struts to save
> > a Locale object in the session, if there is nothing stored.
> >
> > Manfred
> >
> > Nicolas De Loof wrote:
> >
> > > Hi all,
> > >
> > > I would like Struts NOT to create a session for an unauthenticated user.
> > > As far as I understand Struts code, I need to
> > > set locale="false" in struts-config.xml <controller>.
> > >
> > > Is there any other Struts mechanism that can create a session (excluding
> > > action-mapping declared as scope="session")?
> > >
> > > Doesn't the "locale" default value (true) expose lots of Struts
> > > applications to attack? (server Out of Memory because
> > > too many sessions have been created - isn't this what is called "Denial of
> > > Service"?)
> > >
> > > Nico.
> >
> > --
> > Dipl.-Inf. Manfred Wolff

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
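The thread asks two things: where Struts creates a session for a request that is not authenticated, and whether setting locale="false" on <controller> in struts-config.xml is enough. The following servlet filter is an added example, not code from the thread or from the Struts project: it wraps every unauthenticated request so that any call on the request path that would create a session (ActionServlet, a tag, an action) is logged together with the stack trace of the caller, which answers the "find all the places" question empirically, and it counts live sessions so that a burst of session creation is visible. The filter assumes Servlet API 2.3 (HttpServletRequestWrapper) and that an authenticated request is one whose existing session carries a "user" attribute; both the attribute name and the class names are assumptions for this example.

```java
// Added example (not from the thread or the Struts project): audit session
// creation on unauthenticated requests and count live sessions.
// Assumes Servlet API 2.3 and that "authenticated" means the request already
// has a session holding a "user" attribute (assumed attribute name).
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

public class SessionCreationAuditFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // getSession(false) never creates a session: null means the request
        // arrived without one, so this is the safe way to "peek".
        HttpSession existing = http.getSession(false);
        boolean authenticated = existing != null && existing.getAttribute("user") != null;
        if (authenticated) {
            chain.doFilter(req, res);
            return;
        }
        // Unauthenticated: hand downstream code a wrapped request, so every
        // attempt to create a session is recorded with its caller.
        chain.doFilter(new AuditingRequest(http), res);
    }

    private static class AuditingRequest extends HttpServletRequestWrapper {
        AuditingRequest(HttpServletRequest request) {
            super(request);
        }

        public HttpSession getSession() {
            return getSession(true);
        }

        public HttpSession getSession(boolean create) {
            HttpServletRequest target = (HttpServletRequest) getRequest();
            if (create && target.getSession(false) == null) {
                // The stack trace names the Struts class, tag or action that is
                // about to create a session for a request that has no user.
                new Throwable("session created for unauthenticated request "
                        + target.getRequestURI()).printStackTrace();
            }
            return target.getSession(create);
        }
    }

    /** Tracks the number of live sessions; register it as a listener in web.xml. */
    public static class SessionCounter implements HttpSessionListener {
        private static int active = 0;

        public void sessionCreated(HttpSessionEvent e) {
            synchronized (SessionCounter.class) {
                active++;
            }
        }

        public void sessionDestroyed(HttpSessionEvent e) {
            synchronized (SessionCounter.class) {
                active--;
            }
        }

        /** Current live-session count, e.g. for a monitoring page or a log line. */
        public static synchronized int getActive() {
            return active;
        }
    }
}
```

Map the filter to /* in web.xml so it runs before ActionServlet, and register SessionCreationAuditFilter.SessionCounter as a listener. Run the application with locale="false" on <controller> as the thread suggests, exercise the unauthenticated pages (the login JSP included), and every remaining session creation shows up in the log with the code responsible; once the log is quiet for unauthenticated traffic, getActive() should stay flat under repeated anonymous requests, which is the property the original poster wants to protect.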

