A plea for removal of session container for Pico-Web 3

by Michael Rimov


Paul, et al,

I know the session container is convenient.  But frankly, it has problems that IMO do not make it worthwhile:

1. It’s too easy for newbies to cause memory leaks by referencing the app-level container in their objects.  We don’t want to help people hang themselves.

2. Forced session creation makes it very easy to “DOS” a public webserver by simply having a bot check for requests and discard the session cookie.  New session created each time until the server runs out of memory.  (And yes, I forgot to set session="false" on a jsp home page for a client, and that’s exactly what happened… a bot from the Ukraine repeatedly hit the same page, and down the server went)

Now if I’m misunderstanding the mechanics on point 2, I’m cool with repentance for posting this :-)  Otherwise, I’d REALLY like to see this feature removed.

Thanks for listening :)

-Mike
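As an added example (not part of Mike's post or of the Pico-Web project), a small log check for the symptom point 2 describes: a client that keeps being handed fresh session cookies while never sending one back, which is what a cookie-discarding bot looks like from the server side. The log format, the field names and the sample lines are constructed for this example, not taken from any real server.

```python
import re
from collections import defaultdict

# Constructed log format (not a real server's): client_ip method path "cookie_header" "set_cookie_header"
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) "(?P<cookie>[^"]*)" "(?P<set_cookie>[^"]*)"$')

# Constructed sample lines: 10.0.0.5 never presents a cookie and receives a new JSESSIONID on every hit;
# 10.0.0.9 behaves like a browser and reuses the session it was given.
SAMPLE_LOG = """\
10.0.0.5 GET /index.jsp "" "JSESSIONID=a1; Path=/"
10.0.0.5 GET /index.jsp "" "JSESSIONID=a2; Path=/"
10.0.0.5 GET /index.jsp "" "JSESSIONID=a3; Path=/"
10.0.0.5 GET /index.jsp "" "JSESSIONID=a4; Path=/"
10.0.0.9 GET /index.jsp "" "JSESSIONID=b1; Path=/"
10.0.0.9 GET /cart.jsp "JSESSIONID=b1" ""
10.0.0.9 GET /cart.jsp "JSESSIONID=b1" ""
"""

def session_churn(log_text):
    """Per client IP: how many sessions were issued, and how many of those went to a request carrying no session cookie."""
    stats = defaultdict(lambda: {"issued": 0, "issued_without_cookie": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        if "JSESSIONID=" in m["set_cookie"]:
            stats[m["ip"]]["issued"] += 1
            if "JSESSIONID=" not in m["cookie"]:
                stats[m["ip"]]["issued_without_cookie"] += 1
    return dict(stats)

def flag_cookie_discarders(log_text, threshold=3):
    """Clients handed at least `threshold` new sessions that never presented one back: candidates for the session-exhaustion pattern."""
    return sorted(ip for ip, s in session_churn(log_text).items()
                  if s["issued"] >= threshold and s["issued"] == s["issued_without_cookie"])

if __name__ == "__main__":
    print(flag_cookie_discarders(SAMPLE_LOG))  # ['10.0.0.5']
```

The threshold is a tuning knob: every first-time visitor is issued one session without presenting a cookie, so a threshold of 1 flags ordinary browsers too.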