Sorry for duplicating this on SO.
The solution which works for me is

    /login = authc
    /logout = noSessionCreation, logout
    /** = noSessionCreation, anon

http://stackoverflow.com/questions/17673190/shiro-session-creation-flooding

Thank you so much.

On Thursday, July 18, 2013, Les Hazlewood wrote:

> <%@ page session="false" %> ?
>
> This is a JSP/Servlet container thing and not Shiro related.
>
> HTH,
>
> Les
>
> On Tue, Jul 16, 2013 at 2:45 AM, Albert Kam <[email protected]> wrote:
>
>> I notice that even as an anonymous user, a shiro session is created (and
>> inserted into my db in my case) at my first access to a web page. After a
>> successful login, the session record is simply updated with the appropriate
>> attributes.
>>
>> Now I tried 'stress-testing' the main page url with:
>>
>> curl -s "http://myapp.com?[1-1000]"
>>
>> And my fear came true as I count the created session is as much as the
>> loop.
>>
>> So the question here is, is there any way I can avoid having a session
>> creation flood by a web crawler or a spammer?
>>
>>
>> --
>> Do not pursue the past. Do not lose yourself in the future.
>> The past no longer is. The future has not yet come.
>> Looking deeply at life as it is in the very here and now,
>> the practitioner dwells in stability and freedom.
>> (Thich Nhat Hanh)
>>
>

--
Do not pursue the past. Do not lose yourself in the future.
The past no longer is. The future has not yet come.
Looking deeply at life as it is in the very here and now,
the practitioner dwells in stability and freedom.
(Thich Nhat Hanh)
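A way to confirm the `noSessionCreation` rules above took effect, as an added example that is not part of the original thread: count how many cookie-less responses hand out a new session cookie. The function names, the `JSESSIONID` cookie name and the sample headers are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example. Assumption: the session cookie is named JSESSIONID
# (the default); pass another name as the first argument if yours differs.

# Read raw HTTP response headers on stdin and print how many responses
# issued a new session cookie.
count_session_cookies() {
    awk -v name="${1:-JSESSIONID}" '
        {
            line = $0
            sub(/\r$/, "", line)                  # header lines end in CRLF
            if (tolower(substr(line, 1, 11)) != "set-cookie:") next
            cookie = substr(line, 12)
            sub(/^[ \t]+/, "", cookie)
            eq = index(cookie, "=")
            if (eq == 0 || substr(cookie, 1, eq - 1) != name) next
            value = substr(cookie, eq + 1)
            sub(/;.*/, "", value)                 # drop Path, HttpOnly, ...
            # Shiro removes a cookie by sending the value "deleteMe";
            # that is a deletion, not a new session.
            if (value != "" && value != "deleteMe") n++
        }
        END { print n + 0 }
    '
}

# Live use against your own deployment: fetch headers only, sending no
# cookie, COUNT times, e.g.  probe http://myapp.com 20 | count_session_cookies
probe() {
    i=1
    while [ "$i" -le "$2" ]; do
        curl -s -o /dev/null -D - "$1?$i"
        i=$((i + 1))
    done
}

# Constructed sample headers: three anonymous hits before the change.
sample_before() {
    printf 'HTTP/1.1 200 OK\r\nSet-Cookie: JSESSIONID=aaa111; Path=/; HttpOnly\r\n\r\n'
    printf 'HTTP/1.1 200 OK\r\nset-cookie: JSESSIONID=bbb222; Path=/; HttpOnly\r\n\r\n'
    printf 'HTTP/1.1 200 OK\r\nSet-Cookie: JSESSIONID=ccc333; Path=/; HttpOnly\r\n\r\n'
}

# Constructed sample headers: three anonymous hits after the change.
sample_after() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'
    printf 'HTTP/1.1 200 OK\r\nSet-Cookie: rememberMe=deleteMe; Path=/; Max-Age=0\r\n\r\n'
    printf 'HTTP/1.1 200 OK\r\nSet-Cookie: JSESSIONID=deleteMe; Path=/; Max-Age=0\r\n\r\n'
}
```

A count equal to the number of requests reproduces the flood described in the question; a count of 0 on the anonymous URLs means no session record is being created per hit.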
