
Wednesday, November 18, 2009

Conserving Sessions

Sessions are somewhat precious. And it is a good idea to conserve them. If you agree with that premise -- and your site requires logging in just to enter it at all -- read on.

Are you aware of this JSP directive?

<%@ page session="false"%>

This instructs the JSP not to automatically create a session when this JSP is invoked. In the absence of this directive, a session will be created.

So, as you can imagine, if you have a page such as a Log In page that is a JSP, this directive needs to be included in that JSP.

Otherwise, someone simply getting to this page is going to create a session on your server. And, if they choose not to log in, this session is going to live on your server until it reaches the session timeout value.

Corollaries:

1) The page they land on after you call 'session.invalidate()' needs to have this directive.

2) If the log in fails, make sure you have not created a session while processing the log in request, or if you have, invalidate it.

3) The 'Session Expired' page would need this too.

4) Make sure that you do not create a session while processing a 'Log Out' request from an expired session.
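
Corollaries 2 and 4 come down to calling `getSession(false)` everywhere except the one place where a log in has actually succeeded. The servlet below is an added example, not code from the original post; the `/auth/*` mapping, the parameter names, the JSP names and the `checkCredentials()` method are all assumptions made for illustration.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet, assumed to be mapped to /auth/* (so /auth/login and /auth/logout).
public abstract class AuthServlet extends HttpServlet {

    // Assumption: the application subclasses this and supplies its own credential check.
    protected abstract boolean checkCredentials(String user, String password);

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        if ("/logout".equals(req.getPathInfo())) {
            logout(req, resp);
        } else {
            login(req, resp);
        }
    }

    private void login(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = req.getParameter("user");
        String password = req.getParameter("password");
        if (!checkCredentials(user, password)) {
            // Corollary 2: getSession(false) returns null instead of creating a session.
            // If an earlier page did create one, drop it rather than wait for the timeout.
            HttpSession stray = req.getSession(false);
            if (stray != null) {
                stray.invalidate();
            }
            resp.sendRedirect(req.getContextPath() + "/login.jsp?error=1");
            return;
        }
        // The only place a session is created: after the log in has succeeded.
        HttpSession session = req.getSession(true);
        session.setAttribute("user", user);
        resp.sendRedirect(req.getContextPath() + "/home.jsp");
    }

    private void logout(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Corollary 4: an expired session yields null here; plain getSession() would
        // create a brand new session just so it could be invalidated.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        // Corollary 1: loggedout.jsp must itself carry <%@ page session="false"%>.
        resp.sendRedirect(req.getContextPath() + "/loggedout.jsp");
    }
}
```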
