[ https://issues.apache.org/jira/browse/MYFACES-4297?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16886983#comment-16886983 ]

Thomas Andraschko commented on MYFACES-4297:
--------------------------------------------

[~ncister] do you need it for 2.2? Not sure if we will do a release for 2.2.x
soon.

> Client Side state / stateless views should not force session creation
> ---------------------------------------------------------------------
>
>                 Key: MYFACES-4297
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4297
>             Project: MyFaces Core
>          Issue Type: Bug
>          Components: General
>    Affects Versions: 2.2.12, 2.3.4
>         Environment: Debian 8.4, Debian 9.9
> Tomcat 7.0.42 + JDK 1.7.0_71 (myfaces 2.2.12)
> TomEE  7.1.1 + JDK 1.8.0_212 (myfaces 2.3.4)
>            Reporter: NCister
>            Priority: Major
>             Fix For: 2.2.13, 3.0.0-SNAPSHOT, 2.3.5
>
>
> Hi.
> There seems to be +no way+ to have stateless behavior in myfaces.
> I'm using javax.faces.STATE_SAVING_METHOD = *client* in web.xml (... as also
> described in this post:
> [https://stackoverflow.com/questions/36650846/when-does-jsf-creates-a-session-what-does-it-puts-in-a-session-map])
> but myfaces always creates a session to transfer the FacesContext encoding
> (why?)
> I've noticed that it happens in *FaceletViewDeclarationLanguage*
> getResponseEncoding method.
> I've already tested my code in mojarra (2.2 and 2.3) and it works fine (it
> doesn't create any session if not +explicitly+ requested through a
> SessionScope or ViewScope Bean)
> This is a big problem because any simple JSF (myfaces) page is virtually
> exposed to DoS or flooding attacks generating zombie sessions.
> Does a way exist in myfaces (that I don't know) to manage stateless pages?
> Thanks.
> NC



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
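
A way to confirm which code path forces session creation on a page meant to be stateless, added here as an example and not taken from the issue, MyFaces or Mojarra. The class name `SessionCreationTracer` is hypothetical; it assumes a Servlet 3.0+ container with annotation scanning (the `javax.servlet` API used by the Tomcat 7 and TomEE 7 setups in the report) and that the container invokes session listeners on the thread that called `getSession()`, as Tomcat does.

```java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical diagnostic class (added example, not MyFaces code).
// The container creates one instance as a filter and one as a listener,
// so shared state is kept in static fields.
@WebFilter("/*")
@WebListener
public class SessionCreationTracer implements Filter, HttpSessionListener {
    private static final Logger LOG =
            Logger.getLogger(SessionCreationTracer.class.getName());
    // URI of the request currently handled on this thread, set by the filter.
    private static final ThreadLocal<String> CURRENT_URI = new ThreadLocal<String>();

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            CURRENT_URI.set(((HttpServletRequest) req).getRequestURI());
        }
        try {
            chain.doFilter(req, res);
        } finally {
            CURRENT_URI.remove(); // avoid leaking the value into pooled threads
        }
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // Assumption: called on the requesting thread, so the attached stack
        // trace shows the frame that forced the session. The session id is
        // deliberately not logged.
        LOG.log(Level.WARNING, "Session created while serving " + CURRENT_URI.get(),
                new Throwable("session creation call site"));
    }

    @Override public void sessionDestroyed(HttpSessionEvent se) { }
    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

With `javax.faces.STATE_SAVING_METHOD` set to `client`, a warning logged for a plain page request shows the frames that requested the session; a page that stays stateless logs nothing.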
