What actually triggers the creation of a HttpSession on WildFly 8?
htmfilho Dec 7, 2014 5:33 AM

I have noticed that WildFly 8.1 is creating multiple sessions for a single user of my app. I have created a HttpSessionListener to show those sessions in the console. In a very short period of time, while the user is interacting with the application, sessions are created one after another:
User accesses the app at http://localhost:8080/app
10:51:33,352 INFO [UserSessionListener] (default task-1) Session id created:DiI-KlnWMBwO-LPPJAyz11CI
User is authenticated when trying to access the protected page "home.xhtml" (a security constraint in web.xml)
No new session
User tries to access another protected page "/profile/profile.xhtml"
10:51:53,664 INFO [UserSessionListener] (default task-2) Session id created:UOFklU_2dENgSZ728FOVjyn2
At this point, the login page appears once again.
The user is authenticated once more.
No new session
The user tries to access a non-protected page (/profile/public_profile.xhtml)
10:51:56,978 INFO [UserSessionListener] (default task-3) Session id created:WOItRb0a-7SOVEqIEFqAoJLp
...and so on.
The security constraints are:
<security-constraint>
    <display-name>Admin Constraints</display-name>
    <web-resource-collection>
        <web-resource-name>administrators</web-resource-name>
        <description/>
        <url-pattern>/admin/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <display-name>Users Constraints</display-name>
    <web-resource-collection>
        <web-resource-name>users</web-resource-name>
        <description/>
        <url-pattern>/home.xhtml</url-pattern>
        <url-pattern>/profile/change_email.xhtml</url-pattern>
        <url-pattern>/profile/change_password.xhtml</url-pattern>
        <url-pattern>/profile/profile.xhtml</url-pattern>
        <url-pattern>/profile/profile_form.xhtml</url-pattern>
        <url-pattern>/profile/user_deactivation.xhtml</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>
I would like to know what exactly triggers the creation of new http sessions.
I'm using Java 8 + WildFly 8.1 + Mac. I'm also using the Java EE 7 spec, with all XML descriptors updated.
Thanks in advance!
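
A listener of the kind described in the post, extended to log the call stack at the moment each session is created so the code path that requested it is visible. This is an added example, not the poster's code: the class name SessionCreationTracer and the helper abbreviate are hypothetical, and it assumes the container invokes the listener on the thread that created the session.

```java
import java.util.logging.Logger;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical diagnostic listener (Servlet 3.1 / Java EE 7 API).
@WebListener
public class SessionCreationTracer implements HttpSessionListener {

    private static final Logger LOG =
            Logger.getLogger(SessionCreationTracer.class.getName());

    // Limit the number of frames printed per session to keep the log readable.
    private static final int MAX_FRAMES = 25;

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        StringBuilder sb = new StringBuilder()
                .append("Session created, id=")
                .append(abbreviate(event.getSession().getId()))
                .append(" thread=")
                .append(Thread.currentThread().getName())
                .append('\n');

        // Assumption: this callback runs on the thread that created the
        // session, so the frames below lead back to the caller that asked
        // for a new session. Frame 0 is this method itself, so skip it.
        StackTraceElement[] frames = new Throwable().getStackTrace();
        for (int i = 1; i < frames.length && i <= MAX_FRAMES; i++) {
            sb.append("    at ").append(frames[i]).append('\n');
        }
        LOG.info(sb.toString());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        LOG.info("Session destroyed, id="
                + abbreviate(event.getSession().getId()));
    }

    // A full session id in a log file is a usable credential; keep only a
    // short prefix, which is still enough to correlate log entries.
    static String abbreviate(String id) {
        if (id == null) {
            return "<none>";
        }
        return id.length() <= 6 ? id : id.substring(0, 6) + "...";
    }
}
```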