On 10/09/17 01:53, Kwan Lim wrote:
> Hi,
> I am trying to make a servlet that doesn't extend the session when accessed
> and it looked like the system property "org.apache.catalina.core.
> StandardHostValve.ACCESS_SESSION" could do job.
> To test it out I created a simple project in Netbeans 8.1 with Tomcat
> 8.5.20 on Windows 10. In the project I have 2 servlets: servletA creates a
> session and outputs some HTML, servletB only outputs HTML and doesn't call
> request.getSession().
> When I request servletA  a session is created and each time I request it
> again, the last accessed time is updated.
> When I request servletB which doesn't call getSession(), the last accessed
> time is updated as well.
> Note: I'm using the out-of-the box server.xml and other configuration files
> and there are no filters that call getSession().
> If I'm reading the documentation correctly, when set to true is will always
> update the last accessed time even if getSession() wasn't called. By
> default ACCESS_SESSION is false because STRICT_SERVLET_COMPLIANCE is not
> set/false. My question is what is the expected behaviour when it's set to
> false? I was expecting servletB to not update the last accessed time.

I think your test case may be the cause of this. I have performed a
similar test with the Tomcat ROOT web application monitoring session
last accessed time via the Manager application and I do not see the
behaviour you see.

When I call a page that does not call getSession(), the last accessed
time remains unchanged.

When I call a page that does call getSession(), the last accessed time
is updated.

Various components can trigger a call to getSession(). I suspect that
something is doing this that you aren't aware of. Personally I'd use
remote debugging to put a break point on getSession() and find out what
is triggering that call.


To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to