Some parts of this message have been removed.
Learn more about Nabble's security policy.
Paul, et al,
I know the session container is convenient. But frankly, it has problems that IMO do not make it worthwhile:
1.It’s too easy for newbies to cause memory leaks by referencing the app-level container in their objects. We don’t want to help people hang themselves.
2.Forced session creation makes it very easy to “DOS” a public webserver by simply having a bot check for requests and discard the session cookie. New session created each time until the server runs out of memory. (And yes, I forgot to set session=”false” on a jsp home page for a client, and that’s exactly what happened… a bot from the Ukraine repeatedly hit the same page, and down the server went)
Now if I’m misunderstanding the mechanics on point 2, I’m cool with repentance for posting this :-) Otherwise, I’d REALLY like to see this feature removed.