How are you performing authentication? Depending on the process you're using, it
may be possible to avoid hitting any of those conditions until after it's
successful.

P.S.
By default, a JSP will create a session if one doesn't already exist (nothing to
do with Struts), so any pages that can be hit by unauthenticated users should do:

<%@ page session="false" %>

Quoting Nicolas De Loof <[EMAIL PROTECTED]>:

> I've made a grep on the Struts 1.1 sources. I noticed some cases where a session
> is created that seem to me 'uncontrolled':
> 
> 
> RequestProcessor uses request.getSession() :
> - in processLocale if the controller is configured to use Locale (default =
> true)
> 
> HTMLTag uses request.getSession() :
> - in currentLocale() : if any JSP uses <html:html> a session is created !
> 
> o.a.s.validator.Resources uses request.getSession() :
> - in getLocale(request) : if the validator is used (for example to validate the
> login page) a session will always be created
> 
> 
> Isn't there any way NOT to create a session for a user that hasn't been
> authenticated ?
> 
> Nico.
> 
> >
> > This is exactly what I'm looking for.
> >
> > For some of the applications I'm working on, my customers are paranoid
> > about security. I think that if an unauthenticated user is able to create a
> > session on the server, it can expose the server to a DOS attack, because
> > every created session will use some memory.
> >
> > It is really simple to write a client that sends hundreds of requests to the
> > server. If a session is created on each request, the server will quickly be
> > out of memory (Session object + stored objects (Locale) size).
> >
> > If a session is created only for authenticated users, the server will survive
> > such a (simple) attack.
> >
> > Perhaps I'm wrong about this; if this scenario is stupid please tell me.
> >
> > For example, I've seen that RequestUtils.retrieveUserLocale() uses request
> > scope if no session exists. This way, no session is created when displaying
> > a login JSP that uses i18n.
> >
> > With locale="true" (default) a new session is created when ActionServlet
> > processes a request. We need to set it to false to control session creation.
> > I want to know if there are other Struts properties to set to avoid creating
> > a new session for a non-authenticated user.
> >
> >
> > Nico.
> >
> >
> >
> > > Hi Manfred
> > >
> > > I think Nicolas is trying to find all places where Struts manipulates the
> > > session in some way..
> > >
> > > Locale=True does indeed manipulate the session..thus resulting in the
> > > session being created, if not already there.
> > >
> > > When no one (action, object, tag, whatever) has requested attributes to be
> > > stored in the session, no session object will exist..Session info (cookie,
> > > URL rewriting, etc) is only created if there are attributes on the Session
> > > object. Am I correct on this one??
> > >
> > > I don't understand WHY Nicolas does not want the session to be
> > > created...Is it because of memory usage...denial of service attacks...?
> > >
> > > Maybe I don't understand Nicolas either...but I did give my few pennies
> > > away :-)
> > >
> > > Regards
> > >
> > > Henrik
> > >
> > > ----- Original Message ----- 
> > > From: "Manfred Wolff" <[EMAIL PROTECTED]>
> > > To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> > > Sent: Thursday, January 08, 2004 3:22 PM
> > > Subject: Re: Configuring Struts NOT to create (unauthentified) sessions
> > >
> > >
> > > > Nicolas.
> > > >
> > > > I perhaps don't understand you. But (!) the locale attribute has nothing
> > > > to do with creating sessions! The locale attribute tells Struts to save
> > > > a Locale object in the session, if there is nothing stored.
> > > >
> > > > Manfred
> > > >
> > > > Nicolas De Loof wrote:
> > > >
> > > > >Hi all,
> > > > >
> > > > >I would like Struts NOT to create a session for an unauthenticated user.
> > > > >As far as I understand the Struts code, I need to set locale="false" in
> > > > >the struts-config.xml <controller>.
> > > > >
> > > > >Is there any other Struts mechanism that can create a session (excluding
> > > > >action-mappings declared as scope="session") ?
> > > > >
> > > > >Doesn't the "locale" default value (true) expose lots of Struts
> > > > >applications to attack ? (server Out of Memory because too many sessions
> > > > >have been created - isn't this what is called "Denial of Service" ?)
> > > > >
> > > > >Nico.
> > > > >
> > > >
> > > > -- 
> > > > ===========================================
> > > > Dipl.-Inf. Manfred Wolff
> > > > -------------------------------------------
> > > > phone neusta  : +49 421 20696-27
> > > > phone         : +49 421 534522
> > > > mobil         : +49 178 49 18 434
> > > > eFax          : +49 1212 6 626 63 965 33
> > > > -------------------------------------------

-- 
Kris Schneider <mailto:[EMAIL PROTECTED]>
D.O.Tech       <http://www.dotech.com/>

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
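As an added example (it is neither from this thread nor part of Struts), here is a
complementary approach in Java for the case Nicolas describes, where locale="false"
and session="false" are not enough because some tag or the validator still calls
request.getSession(): a servlet Filter that lets those implicit calls succeed but
invalidates the session at the end of the request unless the request authenticated
the user. The class name and the "user" session attribute are assumptions; the key
must match whatever your login Action stores, and the filter is mapped to /* in
web.xml.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (not part of Struts): lets Struts' implicit
 * request.getSession() calls succeed, but throws away any session that
 * was created during an unauthenticated request once the request is done.
 * The server keeps no per-request state for anonymous clients, so a flood
 * of anonymous requests cannot pile up sessions until session-timeout.
 */
public class AnonymousSessionReaperFilter implements Filter {

    /** Assumption: the login Action stores the user under this key. */
    private String userKey = "user";

    public void init(FilterConfig config) {
        // Optional <init-param> so the key can match the real login Action.
        String configured = config.getInitParameter("userKey");
        if (configured != null) {
            userKey = configured;
        }
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;

        // Only look at what already exists; asking for one here would defeat the point.
        boolean hadSession = http.getSession(false) != null;

        try {
            chain.doFilter(req, res);
        } finally {
            // Runs even if the action or JSP threw, so an error path cannot leak a session.
            reapIfAnonymous(http, hadSession);
        }
    }

    /**
     * Invalidates a session that (a) did not exist before this request and
     * (b) still holds no authenticated user after it. A session that was
     * already there, or that the login Action populated, is left alone.
     */
    private void reapIfAnonymous(HttpServletRequest http, boolean hadSession) {
        if (hadSession) {
            return; // an established (or previously anonymous) session is not our business here
        }
        HttpSession created = http.getSession(false); // getSession(false) is legal after commit
        if (created == null) {
            return; // nothing in this request asked for a session
        }
        if (created.getAttribute(userKey) != null) {
            return; // the login Action just authenticated this client: keep it
        }
        try {
            created.invalidate();
        } catch (IllegalStateException alreadyGone) {
            // the application invalidated it itself during the request; nothing to do
        }
    }
}
```

Two caveats a practitioner will want. The Set-Cookie (or URL-rewritten JSESSIONID) for
the discarded session has usually already left the server, so the client's next request
carries a stale id; the container then allocates a fresh session, which this filter drops
again, so the cost of an anonymous request becomes transient instead of accumulating
until the session timeout (30 minutes by default in most containers). And because the
Locale that processLocale or <html:html> stored in the session is thrown away with it,
Struts re-derives the locale from Accept-Language on each anonymous request, which is the
request-scope behaviour the thread is asking for anyway.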
