"Christopher K. St. John" wrote:
> 
> Hans Bergsten wrote:
> >
> > The spec may not be explicit enough about this, but the session object
> > you get back from the getSession() object is a container-managed object
> > that the application is not supposed/allowed to keep long-lived
> > references to. It's the same as with all other container-objects made
> > available to the application; request, response, JSP tag handlers, etc.
> >
> 
>  I would have agreed with you before I read the
> following in the 2.3PFD spec:
> 
>   7.3 Session Scope
>
>   HttpSession objects must be scoped at the
>   application / servlet context level. The
>   underlying mechanism, such as the cookie
>   used to establish the session, can be shared
>   between contexts, but the object exposed, and
>   more importantly the attributes in that object,
>   must not be shared between contexts.
> 
>  By mentioning that the HttpSession object cannot
> be shared outside the ServletContext, it strongly
> implies that it can be shared within the context.
> If that sort of thing isn't allowed, then 7.3 might
> need to be clarified.

This section refers to the fact that a servlet in one context should
not be able to gain access to the same session data as a servlet
in another context (i.e., resources in two different contexts cannot
"be part" of the same session) for security reasons.

It has nothing to do with whether a servlet in one context is allowed 
to hold on to the actual session object or not, which has to do with 
how much freedom the spec gives to container vendors in terms of 
pooling and life-cycle management for the internal objects.

Hans
-- 
Hans Bergsten           [EMAIL PROTECTED]
Gefion Software         http://www.gefionsoftware.com
Author of JavaServer Pages (O'Reilly), http://TheJSPBook.com
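
The scoping rule from section 7.3 quoted in this thread, as an added example that is not part of either poster's message or of any container's code: a toy Java model in which the session id carried by a shared cookie resolves to a separate session object and attribute map in each context. ToySession, ToyContainer, the context paths and the session id are hypothetical names and constructed values.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical toy container: models only the scoping rule in section 7.3.
public class SessionScopeDemo {

    // Stand-in for HttpSession: one attribute map per (context, session id).
    static final class ToySession {
        private final Map<String, Object> attributes = new HashMap<>();
        Object getAttribute(String name) { return attributes.get(name); }
        void setAttribute(String name, Object value) { attributes.put(name, value); }
    }

    // Stand-in for the container's session manager.
    static final class ToyContainer {
        // Outer key: context path. Inner key: session id from the shared cookie.
        private final Map<String, Map<String, ToySession>> byContext = new HashMap<>();

        // What getSession() would resolve to for a request in the given context.
        ToySession getSession(String contextPath, String sessionId) {
            return byContext
                .computeIfAbsent(contextPath, c -> new HashMap<>())
                .computeIfAbsent(sessionId, id -> new ToySession());
        }
    }

    public static void main(String[] args) {
        ToyContainer container = new ToyContainer();
        String cookieValue = "ABC123"; // constructed sample id, shared by both contexts

        // A servlet in /shop stores data in its session.
        container.getSession("/shop", cookieValue).setAttribute("user", "alice");

        // A servlet in /admin presents the same cookie but gets a different object.
        ToySession adminSession = container.getSession("/admin", cookieValue);
        ToySession shopSession = container.getSession("/shop", cookieValue);

        System.out.println("same object across contexts: " + (adminSession == shopSession));
        System.out.println("/admin sees user: " + adminSession.getAttribute("user"));
        System.out.println("/shop sees user:  " + shopSession.getAttribute("user"));
    }
}
```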
