This week's book giveaways are in the Refactoring and Agile forums.
We're giving away four copies each of Re-engineering Legacy Software and Docker in Action and have the authors on-line!
See this thread and this one for details.
Win a copy of Re-engineering Legacy Software this week in the Refactoring forum
or Docker in Action in the Cloud/Virtualization forum!
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

JSTL creates unwanted sessions

 
John O'Hanley
Greenhorn
Posts: 24
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
JSTL uses session scope. For example, the fmt tags use session scope to store a variable named "javax.servlet.jsp.jstl.fmt.request.charset".
This bothers me - a lot. Sessions should be under the full control of the application programmer. They should not be created by low-level items such as JSTL tags.
Arguments in favor of this position :
- sessions put an extra load on the server
- when cookies are not available, URLs are rewritten, and become much longer. It is often desirable to keep URLs simple and short if at
all possible, since it makes them easier for people to copy/paste out of emails (for exmaple).
I am going to pains in the current app I am building to create sessions
only when necessary. However, it seems that JSTL is creating them "without
my consent" in the background (this is unconfirmed, however).
Has anyone a comment on this issue?
 
Bear Bibeault
Author and ninkuma
Marshal
Pie
Posts: 64632
86
IntelliJ IDE Java jQuery Mac Mac OS X
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
If you are using JSP and Servlets you are going to have a session. The fact that JSTL tacks an attribute onto this session does not create any new sessions. It merely adds an entry in the map that the already existing session is maintaining to keep track of its attributes.
This is a cheap and simple operation.
And yes, it behooves one when writing a web app to be sure that session data does not get out of control, but that is clearly not the case here.
hth,
bear
 
Sue Spielman
Author
Ranch Hand
Posts: 56
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
John, most of the default scoping used by the JSTL is page, not session. Are you explictly setting the scope attribute to session? If not, which actions are you talking about?
Sue
 
John O'Hanley
Greenhorn
Posts: 24
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I have seen the issue with the fmt tag. Here is an example.
<%--
Unwanted: Places bean named javax.servlet.jsp.jstl.fmt.request.charset in session scope
--%>
<%--
Copyright © <fmt:formatDate value="${now}" pattern="yyyy" /> - Hirondelle Systems
--%>
<%--
If this hard-coded style is used, the javax.servlet.jsp.jstl.fmt.request.charset
bean will not be placed in session scope
--%>
Copyright © 2004 - Hirondelle Systems
Log extracts:
WITH fmt tag, I get both session creation, and a bean placed in session scope:
Sep 30, 2003 5:00:49 PM hirondelle.webappskeleton.ui.AbstractRequestParser checkParamNamesAndValues
FINE: SESSION CreationDate: Tue Sep 30 17:00:25 EDT 2003
SESSION Object Name: javax.servlet.jsp.jstl.fmt.request.charset Value: "ISO-8859-1"
WITHOUT fmt tag, there is no bean in session scope, but session creation
is still taking place:
Sep 30, 2003 5:02:26 PM hirondelle.webappskeleton.ui.AbstractRequestParser checkParamNamesAndValues
FINE: SESSION CreationDate: Tue Sep 30 17:02:25 EDT 2003

Such sessions are not part of my program logic. I cannot see any other possible source for them except JSTL. If such is the case, I would submit that JSTL should *NOT* be behaving like this. No way Jos�.
 
John O'Hanley
Greenhorn
Posts: 24
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
FYI:
From the JSTL spec, section 8.4:
"After an action has called ServletResponse.setLocale(), and sessions are
enabled, it must determine the character encoding associated with the response locale (by calling ServletResponse.getCharacterEncoding()) and store it in the scoped variable javax.servlet.jsp.jstl.fmt.request.charset in session scope."
 
Ko Ko Naing
Ranch Hand
Posts: 3178
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Surelly I can say that JSTL is in page scope by default too... Unless the developers intentionally set the attributes to be session scope
 
John O'Hanley
Greenhorn
Posts: 24
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Well, according to my last quote of the JSTL spec, your comment is glaringly and incontrovertibly false.
 
Pradeep bhatt
Ranch Hand
Posts: 8927
Firefox Browser Java Spring
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Originally posted by John O'Hanley:
Well, according to my last quote of the JSTL spec, your comment is glaringly and incontrovertibly false.

John,
Are you able to retrieve javax.servlet.jsp.jstl.fmt.request.charset attribute value from session?
 
John O'Hanley
Greenhorn
Posts: 24
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Yes.
As shown in this log extract, the value is "ISO-8859-1", which is the default character encoding.
SESSION Object Name: javax.servlet.jsp.jstl.fmt.request.charset Value: "ISO-8859-1"
As well, I am using the Jakarta Taglibs implementation.
 
Pradeep bhatt
Ranch Hand
Posts: 8927
Firefox Browser Java Spring
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
This means that session is created even if do not want to. :roll:
 
Pradeep bhatt
Ranch Hand
Posts: 8927
Firefox Browser Java Spring
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
This attribute may be used by the <fmt:requestEncoding> action (see
Section 8.10) in a page invoked by a form included in the response to set the request
charset to the same as the response charset. This makes it possible for the container
to decode the form parameter values properly, since browsers typically encode form
field values using the response�s charset.
 
Ko Ko Naing
Ranch Hand
Posts: 3178
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Originally posted by Pradeep Bhat:
This means that session is created even if do not want to. :roll:

I guess so.... :roll:
 
Pradeep bhatt
Ranch Hand
Posts: 8927
Firefox Browser Java Spring
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Originally posted by Ko Naing:

I guess so.... :roll:


Thatss bad.. any work arounds?
:roll:
 
Jeroen Wenting
Ranch Hand
Posts: 5093
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Originally posted by Pradeep Bhat:


Thatss bad.. any work arounds?
:roll:


Switch to ASP .NET
 
Ko Ko Naing
Ranch Hand
Posts: 3178
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Originally posted by Pradeep Bhat:


Thatss bad.. any work arounds?
:roll:

Switch to C# .Net, since syntax of C# is similar to that of Java...
 
John O'Hanley
Greenhorn
Posts: 24
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
The answer:
JSPs always create a session, if one does not exist.
This default behavior is turned off using the page directive, as in
<%@ page session="false" %>
See:
http://www.javapractices.com/Topic191.cjp
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic