Re: [servlet-dev] WebSocket and HttpSession

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [servlet-dev] WebSocket and HttpSession

From: Mark Thomas <markt@xxxxxxxxxx>
Date: Thu, 8 Jun 2023 18:44:21 +0100
Delivered-to: servlet-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/servlet-dev/>
List-help: <mailto:servlet-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/servlet-dev>, <mailto:servlet-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/servlet-dev>, <mailto:servlet-dev-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.11.0

On 08/06/2023 17:10, Manfred Riem wrote:

Hi Mark,

Once you do a protocol upgrade one should not try to use anything that had to do with the original Servlet request.

If someone wants 'session' management then they should implement that as part of their WebSocket application.

Ideally, yes. Unfortunately that breaks down if access to the WebSocketendpoint is authenticated as the original HTTP request is thenauthenticated and that authentication process is linked to the HTTP session.

There are lots of different strategies for handling this. I'm notadvocating for any one strategy. I am aiming for the minimal change tothe Servlet and/or WebSocket specs that would allow developers toimplement their strategy of choice.


Mark


Anyway my 2 dollars (inflation and all)

Thanks!

Kind regards,
Manfred Riem

-----Original Message-----
From: servlet-dev <servlet-dev-bounces@xxxxxxxxxxx> On Behalf Of Mark Thomas
Sent: Thursday, June 8, 2023 10:58 AM
To: servlet developer discussions <servlet-dev@xxxxxxxxxxx>
Subject: [servlet-dev] WebSocket and HttpSession

Hi all,

I'd like to see if we can find a way to resolve a long standing WebSocket issue. The full detail can be found in this issue:
https://github.com/jakartaee/websocket/issues/175

The short version is that a WebSocket session that retains a reference to the Servlet HttpSession in place when the WebSocket handshake took place needs a way to indicate that it is using the session and that the session should not be invalidated for inactivity.

My proposal is to add the following method to HttpSession:

public void access()


Calling this method would update the last accessed time to the current time.

The circumstances in which a WebSocket application may call this method would be left as an application concern as different applications are likely to want to adopt different strategies.

Thoughts?

Mark
_______________________________________________
servlet-dev mailing list
servlet-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/servlet-dev
_______________________________________________
servlet-dev mailing list
servlet-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/servlet-dev

Follow-Ups:
- Re: [servlet-dev] WebSocket and HttpSession
  - From: Manfred Riem

References:
- [servlet-dev] WebSocket and HttpSession
  - From: Mark Thomas
- Re: [servlet-dev] WebSocket and HttpSession
  - From: Manfred Riem

Prev by Date: Re: [servlet-dev] WebSocket and HttpSession
Next by Date: Re: [servlet-dev] WebSocket and HttpSession
Previous by thread: Re: [servlet-dev] WebSocket and HttpSession
Next by thread: Re: [servlet-dev] WebSocket and HttpSession
Index(es):
- Date
- Thread

Breadcrumbs