Thanks for the report: https://issues.apache.org/jira/browse/TOMEE-1028
*Romain Manni-Bucau*
*Twitter: @rmannibucau <https://twitter.com/rmannibucau>*
*Blog: http://rmannibucau.wordpress.com/*
*LinkedIn: http://fr.linkedin.com/in/rmannibucau*
*Github: https://github.com/rmannibucau*

2013/9/11 Ronny Karallus <[email protected]>

> Digging for another problem in the source code I found the following piece
> of code that is called on
> org.apache.openejb.server.httpd.HttpResponseImpl.writeMessage(...) - so
> pretty much on any response for the OpenEJBHttpServer:
>
>     /** closes the message sent to the browser
>      */
>     private void closeMessage() {
>         setContentLengthHeader();
>         setCookieHeader();
>     }
>
>     private void setCookieHeader() {
>         if (request == null || request.getSession() == null) return;
>
>         HttpSession session = request.getSession(false);
>
>         if (session == null) return;
>
> <= the session will never be null here because you are calling
> request.getSession(true) implicitly in line 1 of setCookieHeader() which
> will create a session if there is none. This will in the end mean that
> every request hitting the appserver will create a session even if it doesn't
> require one ...
>
> I am wondering if this is really on purpose or if this is a bug that needs
> to be posted ... I found this in trunk and in version 1.5.2
>
> Thanks
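
The session-creation behaviour described in the report, as an added example that is not part of the original thread and not TomEE's code. `FakeRequest` is a constructed stand-in that models only the servlet rule that `getSession()` behaves like `getSession(true)`; the class, method and store names are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

public class SessionCreationDemo {
    // Stand-in for the server-side session store (assumption for this demo).
    static final Map<String, Object> SESSION_STORE = new HashMap<>();

    // Constructed model of a request: getSession() creates, getSession(false) only looks up.
    static class FakeRequest {
        private String sessionId; // null until a session exists for this request

        Object getSession() { return getSession(true); }

        Object getSession(boolean create) {
            if (sessionId == null) {
                if (!create) return null;
                sessionId = UUID.randomUUID().toString();
                SESSION_STORE.put(sessionId, new Object());
            }
            return SESSION_STORE.get(sessionId);
        }
    }

    // Same guard sequence as the quoted setCookieHeader(): the first check creates a session.
    static boolean guardAsReported(FakeRequest request) {
        if (request == null || request.getSession() == null) return false;
        Object session = request.getSession(false);
        return session != null; // a session cookie would be written when true
    }

    // Lookup-only guard: never allocates a session as a side effect.
    static boolean guardLookupOnly(FakeRequest request) {
        if (request == null) return false;
        return request.getSession(false) != null;
    }

    // Sends N session-less requests through one guard and counts stored sessions.
    static int sessionsAfter(int requests, boolean lookupOnly) {
        SESSION_STORE.clear();
        for (int i = 0; i < requests; i++) {
            FakeRequest r = new FakeRequest();
            if (lookupOnly) guardLookupOnly(r); else guardAsReported(r);
        }
        return SESSION_STORE.size();
    }

    public static void main(String[] args) {
        System.out.println("guard as reported: " + sessionsAfter(1000, false) + " sessions stored");
        System.out.println("lookup-only guard: " + sessionsAfter(1000, true) + " sessions stored");
    }
}
```

With the guard as reported, every session-less request leaves one entry in the store until it expires, so session memory grows with request volume rather than with the number of clients that actually need state.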
