When is a session created during JSF login?

In JSF, it seems that sessions are created before a successful login, i.e. just requesting the login page creates a new session.

It seems very wasteful (and vulnerable to DDoS attacks) to create a session for each request received, rather than for each successfully registered user.

The code below is fairly generic, but shows the shape of the simple scenario I'm talking about.

index.xhtml:

    <html xmlns="http://www.w3.org/1999/xhtml"
          xmlns:h="http://java.sun.com/jsf/html"
          xmlns:p="http://primefaces.org/ui">
    <body>
        <h:form id="login">
            <h:outputLabel for="username">Username</h:outputLabel>
            <p:inputText id="username" value="#{loginController.username}"/>
            <h:outputLabel for="password">Password</h:outputLabel>
            <p:password id="password" value="#{loginController.password}"/>
            <p:commandButton id="loginButton" value="login" action="#{loginController.login}"/>
        </h:form>
    </body>
    </html>

LoginController.java

    import java.io.Serializable;
    import javax.faces.application.FacesMessage;
    import javax.faces.bean.ManagedBean;
    import javax.faces.bean.ViewScoped;
    import javax.faces.context.FacesContext;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;

    @ManagedBean
    @ViewScoped
    public class LoginController implements Serializable {

        private String username;
        private String password;

        public void login() {
            HttpServletRequest request = (HttpServletRequest) FacesContext.getCurrentInstance()
                    .getExternalContext().getRequest();
            // getSession(false) only returns an already existing session and never creates one
            if (request.getSession(false) == null) {
                System.out.println("No session.");
            } else {
                System.out.println("Session already exists.");
            }
            try {
                request.login(username, password);
            } catch (ServletException e) {
                FacesContext.getCurrentInstance().addMessage(null,
                        new FacesMessage("Login failure", e.getMessage()));
            }
        }

        // username and password getters/setters
        public String getUsername() { return username; }
        public void setUsername(String username) { this.username = username; }
        public String getPassword() { return password; }
        public void setPassword(String password) { this.password = password; }
    }

Edit: fixed the shambolic example code

+6
1 answer

First of all, your testing methodology is completely incorrect.

    if (request.getSession() == null) {
        System.out.println("No session.");
    } else {
        System.out.println("Session already exists.");
    }

Please read the javadoc of the no-argument getSession() method carefully. You will realize that it never returns null.

Coming back to the concrete problem: by default, JSF will indeed auto-create a session, because the JSF view state has to be stored somewhere. If you set the JSF state saving method to client instead of server, then the view state is no longer stored in the session and, therefore, no session should be created.

    <context-param>
        <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
        <param-value>client</param-value>
    </context-param>

In the upcoming JSF 2.2, you can also put the bean in the request scope and use <f:view transient="true"> to go completely stateless. In the current JSF 2.1 version this is only available with Mojarra 2.1.19. See also, for example, this blog by one of the Mojarra developers.

+8
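The answer's claim that no session should be created any more can be measured rather than assumed. The listener below is an added example (not code from the question, the answer or Mojarra); it counts container sessions created versus sessions that end up authenticated, and assumes a Servlet 3.0 container (for @WebListener) and that the login bean calls markAuthenticated() after a successful request.login().

```java
// Added example: account for sessions created by the container and how many of
// them are ever authenticated. With server-side state saving every GET of
// index.xhtml bumps "created"; after switching javax.faces.STATE_SAVING_METHOD to
// client, "created" should only move when markAuthenticated() is called.
import java.util.concurrent.atomic.AtomicLong;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

@WebListener
public class SessionAccountingListener implements HttpSessionListener {

    // Assumed attribute name; any key the login code and the listener agree on works.
    private static final String AUTH_FLAG = "example.authenticatedAt";

    private static final AtomicLong created = new AtomicLong();
    private static final AtomicLong authenticated = new AtomicLong();
    private static final AtomicLong expiredAnonymous = new AtomicLong();

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        created.incrementAndGet();
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Sessions that expire without ever authenticating are exactly the
        // memory held on behalf of anonymous requests that the question worries about.
        if (se.getSession().getAttribute(AUTH_FLAG) == null) {
            expiredAnonymous.incrementAndGet();
        }
    }

    /** Call right after request.login() succeeds, e.g. from LoginController.login(). */
    public static void markAuthenticated(HttpSession session) {
        if (session.getAttribute(AUTH_FLAG) == null) {
            session.setAttribute(AUTH_FLAG, System.currentTimeMillis());
            authenticated.incrementAndGet();
        }
    }

    /** Snapshot suitable for a periodic log line or a health endpoint. */
    public static String report() {
        return "sessions created=" + created.get()
             + " authenticated=" + authenticated.get()
             + " expiredAnonymous=" + expiredAnonymous.get();
    }
}
```

In the login bean, call markAuthenticated(request.getSession()) only after request.login() returns normally; with client-side state saving that getSession() call is then the first point at which a session is created, which is the behaviour the question asks for.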
