Here is what I need to do to avoid creating session before the user has been authentificated :
. add <%@ page session="false" %> to the JSP used by my login tile definition (layout & tiles) => requesting login.jsp doesn't create a session . set <controller locale="false"> in struts-config.xml . set validate="false" for the login action (. set scope="requet" for the login action) => requesting login.do doesn't create a session until I create it myself when authentification has succeded (or some action-mapping has scope="session"). Thank you all for help. Nico. > Quoting Nicolas De Loof <[EMAIL PROTECTED]>: > > > I've made a grep on Struts 1.1 sources. I noticed some case where a session > > is created that seems to me 'uncontroled' : > > > > > > RequestProcessor uses request.getSession() : > > - in processLocale if controller is configured to use Locale (default = > > true) > > > > HTMLTag uses request.getSession() : > > - in currentLocale() : if any JSP uses <html:html> a session is created ! > > > > o.a.s.validator.Ressouces uses request.getSession() : > > - in getLocale(request) : If validator is used (for example to validate login > > page) a session will allways be created > > > > > > Isn't they're any way NOT to create a session for a user that hasn't been > > authentified ? > > > > Nico. > > > > Besides the places where Struts itself creates a session, if you're using JSP > you should be aware that every JSP page will create a session unless you tell > it not to: > > <%@ page session="false" %> > > Craig > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]