Thanks Mark. You are correct that I'm using my own application, and it looks like the problem is that the NonLoginAuthenticator valve is calling getInternalSession() (via the AuthenticatorBase class's invoke() method). Is there a way to bypass this? I'm guessing the ROOT application bypasses the StandardHostValve? It looks like the code is trying to cache an authenticated Principal on the request, which is something we do not need for our app since we do our own authentication.

On Mon, Sep 11, 2017 at 8:46 AM, Mark Thomas <ma...@apache.org> wrote:

> On 10/09/17 01:53, Kwan Lim wrote:
> > Hi,
> >
> > I am trying to make a servlet that doesn't extend the session when
> > accessed and it looked like the system property
> > "org.apache.catalina.core.StandardHostValve.ACCESS_SESSION" could do
> > the job.
> >
> > To test it out I created a simple project in Netbeans 8.1 with Tomcat
> > 8.5.20 on Windows 10. In the project I have 2 servlets: servletA
> > creates a session and outputs some HTML, servletB only outputs HTML
> > and doesn't call request.getSession().
> >
> > When I request servletA a session is created and each time I request
> > it again, the last accessed time is updated.
> > When I request servletB which doesn't call getSession(), the last
> > accessed time is updated as well.
> >
> > Note: I'm using the out-of-the-box server.xml and other configuration
> > files and there are no filters that call getSession().
> >
> > If I'm reading the documentation correctly, when set to true it will
> > always update the last accessed time even if getSession() wasn't
> > called. By default ACCESS_SESSION is false because
> > STRICT_SERVLET_COMPLIANCE is not set/false. My question is what is the
> > expected behaviour when it's set to false? I was expecting servletB to
> > not update the last accessed time.
>
> I think your test case may be the cause of this. I have performed a
> similar test with the Tomcat ROOT web application monitoring session
> last accessed time via the Manager application and I do not see the
> behaviour you see.
>
> When I call a page that does not call getSession(), the last accessed
> time remains unchanged.
>
> When I call a page that does call getSession(), the last accessed time
> is updated.
>
> Various components can trigger a call to getSession(). I suspect that
> something is doing this that you aren't aware of. Personally I'd use
> remote debugging to put a break point on getSession() and find out what
> is triggering that call.
>
> Mark