2012/11/19 Baron Von Awsm <baronvona...@gmail.com>: > My web app consists of a single servlet, no JSPs and no static content. The > servlet retrieves XML from POST submissions and hands the XML and IP > address of the client to an API/engine. This engine can work outside of a > web container and has no knowledge of a web container. It has its own > mechanism for managing sessions. > > For this reason, for this web application, I require no session management > overhead by Tomcat. I would like to disable all aspects (that I can) of > Tomcat session management, including session cookies and/or url rewriting. > > Searches on the topic yielded the following suggestions, > > 1. Never call getSession(). > That makes sense - if its never called then > things are never stored in the session and, perhaps, Tomcat doesn't create > some things that it might have.
+1. Unless you call getSession() or getSession(true) no new session is created. (There is a small number of components, such as FormAuthenticator, that will create a session, but all them are off by default). Note that you can implement a javax.servlet.http.HttpSessionListener (like the one in the examples webapp). Its "sessionCreated()" method will be called whenever a session is created in your webapp. If there is no session, no urlrewriting happens. The set-cookie response header is sent only when a new session is created. Regarding some processing of incoming cookie header, I think it will be parsed, but I am sure that its value is not used unless getSession(false) is called (which causes a lookup of an existing session using that ID). You should be able to ignore that overhead. Best regards, Konstantin Kolinko --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
