> > In the last of these 4 cases, do you mean that the implicit > > JSP session > > object returns null, or that request.getSession(false) > > returns null? I > > could understand the first behaviour but would be surprised > > by the second.
actually forget I said that, I made a mistake, getSession(false) of course can return null. sorry for the confusion. PS I've done some testing of my own, I think one thing I might have misunderstood is that if there is no session associated with a request, a new one is only created by a call to getSession(true) or getSession() - if you don't do this, then TC will not create a session. In other words, TC only creates sessions when you ask for them, rather than doing this as some sort of automatic background task. Is that right? If so then this might be the source of my confusion with your earlier comments. > Add this and TC won't create session by default: <%@ page > session="false" %> OK, but that does only work in JSPs. I was talking about servlets too (my apps contain both). Given that JSPs are in fact servlets, my guess (although I don't know for a fact) is that the JSP's underlying servlet class makes a call to request.getSession() each time the JSP is accessed, and the underlying servlet stores the result in the JSP's implicit session object. I would also guess that it calls getSession(false) rather than getSession(true) if you make your page declaration above. So if I am right, this would mean that TC shouldn't create sessions when there is none already, and I think that is what you are saying too(?) But this is not the same as saying that TC will not create sessions until you authenticate, unless *all* your JSPs use the page directive above and you have no servlets which could be calling request.getSession(true). --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]