
Paul, et al,
I know the session container is convenient. But frankly, it has problems that IMO do not make it worthwhile:
1. It’s too easy for newbies to cause memory leaks by referencing the app-level container in their objects. We don’t want to help people hang themselves.
2. Forced session creation makes it very easy to “DOS” a public webserver by simply having a bot check for requests and discard the session cookie. New session created each time until the server runs out of memory. (And yes, I forgot to set session=”false” on a jsp home page for a client, and that’s exactly what happened… a bot from the Ukraine repeatedly hit the same page, and down the server went)
Now if I’m misunderstanding the mechanics on point 2, I’m cool with repentance for posting this :-) Otherwise, I’d REALLY like to see this feature removed.
Thanks for listening :)
-Mike
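The mechanics behind point 2 above, as an added simulation that is not part of the thread and is not any framework's or container's code. The session store, the request handler, the bot and the request rate are all constructed stand-ins: `create_session=True` plays the role of a JSP with the default `session="true"` (the container calls `request.getSession()` on every hit whether or not anything is stored), and `create_session=False` plays the role of `session="false"` / `request.getSession(false)`. A browser keeps the cookie it is given; the bot discards it on every request, so each hit costs the server a fresh session that lives until the idle timeout.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    sid: str
    last_access: float
    data: dict = field(default_factory=dict)


class SessionStore:
    """Toy stand-in for a servlet container's session manager (constructed for
    this example). Each session costs memory until it has been idle for
    max_inactive_s, 30 minutes by default like most containers."""

    def __init__(self, max_inactive_s=30 * 60):
        self.sessions = {}
        self.max_inactive_s = max_inactive_s

    def lookup(self, sid, now):
        s = self.sessions.get(sid)
        if s is not None:
            s.last_access = now  # touching the session resets its idle clock
        return s

    def create(self, now):
        s = Session(secrets.token_hex(16), now)
        self.sessions[s.sid] = s
        return s

    def expire_idle(self, now):
        """Evict sessions idle longer than the timeout; returns how many went."""
        dead = [sid for sid, s in self.sessions.items()
                if now - s.last_access > self.max_inactive_s]
        for sid in dead:
            del self.sessions[sid]
        return len(dead)


def handle_request(store, cookie_sid, now, create_session):
    """One hit on a page. With create_session=True the page forces a session
    (JSP default session="true"); with False it only uses an existing one
    (session="false" / getSession(false)). Returns the Set-Cookie value the
    client would receive when a session was created, else None."""
    session = store.lookup(cookie_sid, now) if cookie_sid else None
    if session is None and create_session:
        session = store.create(now)
        return session.sid  # Set-Cookie: JSESSIONID=<sid>
    return None


def run_client(store, requests, keeps_cookies, create_session,
               rate_per_s=100.0, start=0.0):
    """Replay `requests` hits at rate_per_s (assumed rate). A browser keeps
    the cookie it is handed; the bot from the post discards it every time.
    Returns the number of sessions held by the store afterwards."""
    cookie = None
    for i in range(requests):
        now = start + i / rate_per_s
        set_cookie = handle_request(store, cookie, now, create_session)
        if keeps_cookies and set_cookie:
            cookie = set_cookie
    return len(store.sessions)


def live_sessions_after(store, seconds, rate_per_s=100.0, create_session=True):
    """Run the cookie-discarding bot for `seconds`, then evict idle sessions:
    the idle timeout only bounds the backlog at rate * timeout, it does not
    stop the growth while the bot keeps hitting the page."""
    n = int(seconds * rate_per_s)
    run_client(store, n, keeps_cookies=False,
               create_session=create_session, rate_per_s=rate_per_s)
    store.expire_idle(now=seconds)
    return len(store.sessions)


if __name__ == "__main__":
    print("browser, forced session :", run_client(SessionStore(), 1000, True, True))
    print("bot, forced session     :", run_client(SessionStore(), 1000, False, True))
    print("bot, session=\"false\"    :", run_client(SessionStore(), 1000, False, False))
    print("bot for 1h at 10 req/s, 30 min timeout, still alive:",
          live_sessions_after(SessionStore(), 3600, rate_per_s=10.0))
```

The last call shows why the idle timeout is not a defence by itself: at a steady 10 requests per second and a 30-minute timeout the store settles at about 18,000 live sessions, and the number scales linearly with the bot's request rate. Turning off forced creation on public pages (`session="false"`), or only creating a session once something actually needs to be stored, keeps the count at zero for a client that never sends a cookie.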