3 Replies Latest reply on Apr 14, 2009 8:51 PM by Waacow S

    Really stateless pages - No HTTP Session creation

    Muris Ahmovic Newbie

      Hello Seam Community!


      I'm experimanting with Seam and I'm wondering if it is possible to create a page which don't creates a HTTP Session at all.


      Imagine a Page where you have a form, including an inputText and a actionButton.
      After pressing the actionButton a stateless action is performed (for example via a JavaBean/EJB).


      I don't need a session.


      Now, if I perform an initial request to the page, it is displayed without executing any logic.
      My issue is that an http session is created and when pressing the actionButton a session-timout can occure and the View can't be restored.
      As well there is the resource waste with creating the session at all.


      As a real world example you can imagine a login page which is reachable from outside (public).


      You don't want a http session to be created... only after the login button has been pressed and the auth/authz has been successfull, otherwise you are letting a stranger creating a server side state object (session), which can lead to abuses.


      Still I'm not sure if this belongs directly to Seam, because afaik the servlet container just notifies Seam when a session is opened / closed.


      Regards!

        • 1. Re: Really stateless pages - No HTTP Session creation
          Ben Catherall Newbie

          Still I'm not sure if this belongs directly to Seam, because afaik the servlet container just notifies Seam when a session is opened / closed.


          You are quite right.  And first place the session is accessed is Seam's IdentityRequestWrapper.


             public IdentityRequestWrapper(HttpServletRequest request) {
                super(request);
                identity = (Identity) request.getSession().
                   getAttribute(Seam.getComponentName(Identity.class));
             }



          This can either be disabled in components.xml


          <web:identity-filter disabled="true" />



          Or you could patch it so it does request.getSession(false)


          I've not really used this to solve the ViewExpiredException issues, more to create stateless resources.  You may find with no session (no session = expired session?) you still get a ViewExpiredException.



          • 2. Re: Really stateless pages - No HTTP Session creation
            Muris Ahmovic Newbie

            Hi Ben,


            Thank you for the response!


            I need to check the correspondig class.
            Patching it won't solve all the issues I guess, because when I would change getSession not to create a session if it don't exists I can't realize having an entry or home page (no session) together with other pages where I need the session.


            Still, thank you for the hint and I will have a look at it.



            I've not really used this to solve the ViewExpiredException issues, more to create stateless resources.  You may find with no session (no session = expired session?) you still get a ViewExpiredException.


            The ViewExpiredException was the effect, but I thought that the creation of the session is the cause.
            no session = expired session would mean that it is NOT possible to achieve what I'm trying to do.


            Regards!

            • 3. Re: Really stateless pages - No HTTP Session creation
              Waacow S Newbie

              We are having this exact same issue - still haven't found a seam solution.
              We are planning to use a workaround by using a JSP page for the page doesn't require a http session. Hopefully JSP and Seam play nice together.