[ https://issues.apache.org/jira/browse/MYFACES-4297?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Thomas Andraschko reopened MYFACES-4297:
----------------------------------------

> Client Side state / stateless views should not force session creation
> ---------------------------------------------------------------------
>
>                 Key: MYFACES-4297
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4297
>             Project: MyFaces Core
>          Issue Type: Bug
>          Components: General
>    Affects Versions: 2.2.12, 2.3.4
>         Environment: Debian 8.4, Debian 9.9
> Tomcat 7.0.42 + JDK 1.7.0_71 (myfaces 2.2.12)
> TomEE 7.1.1 + JDK 1.8.0_212 (myfaces 2.3.4)
>            Reporter: NCister
>            Assignee: Thomas Andraschko
>            Priority: Major
>             Fix For: 2.2.13, 3.0.0-SNAPSHOT, 2.3.5
>
>
> Hi.
> There seems to be +no way+ to have stateless behavior in myfaces.
> I'm using javax.faces.STATE_SAVING_METHOD = *client* in web.xml (as also
> described in this post:
> https://stackoverflow.com/questions/36650846/when-does-jsf-creates-a-session-what-does-it-puts-in-a-session-map)
> but myfaces always creates a session to transfer the FacesContext encoding
> (why?)
> I've noticed that it happens in the *FaceletViewDeclarationLanguage*
> getResponseEncoding method.
> I've already tested my code in mojarra (2.2 and 2.3) and it works fine (it
> doesn't create any session if not +explicitly+ requested through a
> SessionScope or ViewScope Bean).
> This is a big problem because any simple JSF (myfaces) page is virtually
> exposed to DOS or flooding attacks generating zombie sessions.
> Does a way exist in myfaces (that I don't know of) to manage stateless pages?
> Thanks.
> NC

--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
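
A diagnostic for the behaviour reported above, as an added example that is not part of the original message or of MyFaces: a servlet filter that logs the call stack whenever a request allocates a new HTTP session, so the component forcing session creation on a supposedly stateless view can be identified. The class name, the logger and the `/*` mapping are assumptions; it targets the `javax.servlet` API used by the affected versions.

```java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Hypothetical diagnostic filter (assumed name and mapping; not MyFaces code).
@WebFilter("/*")
public class SessionCreationAuditFilter implements Filter {
    private static final Logger LOG =
            Logger.getLogger(SessionCreationAuditFilter.class.getName());

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest)) {
            chain.doFilter(req, res);
            return;
        }
        final HttpServletRequest http = (HttpServletRequest) req;
        // Hand the rest of the chain (including FacesServlet) a wrapper that
        // observes every session lookup made through the request object.
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override
            public HttpSession getSession() {
                return getSession(true);
            }

            @Override
            public HttpSession getSession(boolean create) {
                // Only create=true with no existing session allocates a new one.
                boolean willCreate = create && super.getSession(false) == null;
                HttpSession session = super.getSession(create);
                if (willCreate && session != null) {
                    // The Throwable records the stack of the code that asked for it.
                    LOG.log(Level.WARNING, "Session created for " + http.getRequestURI(),
                            new Throwable("getSession(true) caller"));
                }
                return session;
            }
        }, res);
    }
}
```

With client-side state saving and no session-scoped or view-scoped beans, a request that arrives without a session cookie should produce no warning; any logged stack trace points at the code that forced the session.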