A JSP File Always Creates a Session
Maybe I am just stupid, but in my latest escapades into cookies and sessions, I noticed that a session always gets created up front in JSP pages. If you have a simple index.jsp page like this one:
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head><title>index</title></head>
<body>the index</body>
</html>
The container will set a session cookie as one of the very first things, even when you do not use the session anywhere else in the page or application. At least, this is how Jasper does it when it generates servlets out of the JSP source. And Jasper is a kind of reference implementation, is it not?
In the generatePreamble() method of the Generator class in the Jasper compiler, the code below is always emitted, to set up a PageContext in the generated servlet:
out.printil("pageContext = _jspxFactory.getPageContext(this, request, response,");
out.printin("\t\t\t");
out.print(quote(pageInfo.getErrorPage()));
out.print(", " + pageInfo.isSession());
out.print(", " + pageInfo.getBuffer());
out.print(", " + pageInfo.isAutoFlush());
out.println(");");
The above compiler code will output this target servlet code:
pageContext = _jspxFactory.getPageContext(this, request, response, null, true, 8192, true);
If you look at the fifth parameter, which is “true” here, this is the “requiresSession” parameter of PageContext. This “true” value is passed all the way down and eventually ends up creating a session instance. The value that the Jasper compiler uses for that parameter is the value of the “session” attribute of the @page directive in the JSP. Hence, you can change your index.jsp to read:
<%@ page contentType="text/html;charset=UTF-8" language="java" session="false" %>
<html>
<head><title>index</title></head>
<body>the index</body>
</html>
Notice the session="false" part. However, any attempt to use the session in such a page then becomes a JSP compile error.
I took a look at the configuration options of the Jasper compiler servlet, but none of them can be used to avoid producing a session up front. I also browsed the Tomcat source code a bit, to see if it contained something undocumented.
I often hear talk about a share-nothing, stateless architecture on the server side, which makes it possible to scale a web application by putting it behind a load balancer and simply adding extra nodes when load rises. Actually, I like and advocate that approach myself. But to do this, you must have no, or very little, session data stored on the web server instances.
Another thing is Java web frameworks, which often go to great lengths to avoid session creation until the application itself specifically requests it. I know Tapestry has done something to support this.
Is it not strange, then, that a simple JSP can force session creation up front? How many web sites have an index.jsp page as the welcome page? How many login pages are simple JSP pages? How many web developers consider that this will create a session on the server? An open index.jsp, accessible by all, will be visited by crawlers. These will create sessions too.
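To see which code is actually creating sessions for anonymous visitors (the JSP preamble described above, or a filter or framework calling getSession()), a session listener can report the creating call stack. This is an added example, not code from the original post or from Tomcat; the class name SessionCreationTracer is hypothetical, and it assumes Tomcat's package names and the javax.servlet API.

```java
import java.util.logging.Logger;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Added example, not from the original post. SessionCreationTracer is a
// hypothetical name; the org.apache.* prefixes are Tomcat/Jasper packages.
// Assumes javax.servlet (Servlet 3.0+ for @WebListener, otherwise declare a
// <listener> in web.xml); recent Tomcat releases use jakarta.servlet.
@WebListener
public class SessionCreationTracer implements HttpSessionListener {
    private static final Logger LOG =
            Logger.getLogger(SessionCreationTracer.class.getName());
    private static final String[] SKIP = { "java.", "javax.", "jakarta.", "sun.",
            "jdk.", "org.apache.catalina.", "org.apache.coyote.", "org.apache.tomcat.",
            "org.apache.jasper.", SessionCreationTracer.class.getName() };

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        // Tomcat fires this on the request thread that asked for the session,
        // so the current stack names the code responsible for creating it.
        StackTraceElement[] stack = Thread.currentThread().getStackTrace();
        LOG.info("session created by " + describeCreator(stack));
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) { /* not traced */ }

    // Scans from the innermost frame outwards and reports the first frame
    // that is a generated JSP servlet or application code.
    static String describeCreator(StackTraceElement[] stack) {
        boolean viaPageContext = false;
        for (StackTraceElement frame : stack) {
            String cls = frame.getClassName();
            if (cls.startsWith("org.apache.jasper.runtime.PageContextImpl")) {
                viaPageContext = true; // getPageContext(..., true, ...) path
            } else if (cls.startsWith("org.apache.jsp.")) {
                return (viaPageContext ? "JSP preamble of " : "code in JSP ") + cls;
            } else if (!isSkipped(cls)) {
                return cls + "." + frame.getMethodName();
            }
        }
        return "unknown caller";
    }
    private static boolean isSkipped(String cls) {
        for (String prefix : SKIP) {
            if (cls.startsWith(prefix)) return true;
        }
        return false;
    }
}
```

A creator reported as a JSP preamble points at a page that still lacks session="false"; a filter or framework class points at a getSession() call made on requests that do not need a session.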


This is worth creating an issue for the Jasper team.
July 22nd, 2008 at 10:18
I wanted to disable the session for my index.jsp/login.jsp pages and got to the same conclusion so far.
Despite my adding a @page session="false" directive in the JSPs, Tomcat is still reporting it has an active session (seeing it through the Tomcat Manager).
Regarding the compile error, I found that as a workaround you could check the value of pageContext.getSession(), which will return the session if it exists, or null if it doesn’t.
July 22nd, 2008 at 20:31
Hmm, coming to think about it, I do not think so
I guess the implementation of Jasper, which simply creates a session up front when @page session=”true” (or the default) is present, looks like a (good) trade-off in the compiler implementation (to me).
Let’s think about what it would take, to create the session on demand… Given the JSP code below:
<% if (something) {
session.setAttribute(...); // use session here
} else {
// code that does NOT use session here
}
%>
To have Jasper create a servlet that only obtains a session when (if) the code, in execution, actually reaches the block of code which uses the session, Jasper would have to be a full-blown Java compiler. It would have to parse scriptlet syntax, determine the type of session variable access, and ADD EXTRA CODE THERE, which obtained the session.
Would it not?
I think, with the knowledge of how Jasper forces early session creation, I can work around it. I would simply extract the block of code that uses the session into another JSP, and then have the main JSP file have session="false". I would then dynamically include the other JSP, which uses a session.
July 23rd, 2008 at 08:38
I found why I was getting a session created despite the @page directive. I had a filter running that was doing this:
HttpSession session = ((HttpServletRequest) request).getSession();
The getSession() method will create a session if there’s not one already there.
July 23rd, 2008 at 22:25
I am a newbie to web development, so what are the reasons you wouldn’t want to use a session to store info, besides not having any info to store?
July 28th, 2008 at 18:12
Not having anything to store would be the main point here. As in, when the JSPs are simple, open pages, accessible by all, we should make sure that no session is automatically created if not needed.
Now, there are perfectly good reasons to keep session on the server. There are also reasons not to. But this would be another post. When I mention a “..share-nothing stateless architecture on the server-side..”, it is a solution to scaling bigtime, for large, heavy load sites. You could keep session state at the client then, or keep it in the database.
July 28th, 2008 at 19:22
for creating session,
String uname = "admin";
session.setAttribute("username",uname);
for retrieving the value from session.
String uname = (String)session.getAttribute("username");
August 4th, 2008 at 11:44