Details
Bug
Status: Closed
Major
Resolution: Fixed
2.2.12, 2.3.4
None
Debian 8.4, Debian 9.9
Tomcat 7.0.42 + JDK 1.7.0_71 (myfaces 2.2.12)
TomEE 7.1.1 + JDK 1.8.0_212 (myfaces 2.3.4)
Description
Hi.
There seems to be no way to have stateless behavior in MyFaces.
I'm using javax.faces.STATE_SAVING_METHOD = client in web.xml (as also described in this post: https://stackoverflow.com/questions/36650846/when-does-jsf-creates-a-session-what-does-it-puts-in-a-session-map), but MyFaces always creates a session to transfer the FacesContext encoding (why?).
I've noticed that it happens in the FaceletViewDeclarationLanguage getResponseEncoding method.
I've already tested my code in Mojarra (2.2 and 2.3) and it works fine (it doesn't create any session if not explicitly requested through a SessionScope or ViewScope bean).
This is a big problem because any simple JSF (MyFaces) page is virtually exposed to DoS or flooding attacks generating zombie sessions.
Does a way exist in MyFaces (that I don't know of) to manage stateless pages?
Thanks.
NC
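
A diagnostic for the behaviour reported above, as an added example that is not part of the original report or of MyFaces: a servlet listener that counts live sessions and logs which JSF frames were on the stack when each session was created. The package and class names are hypothetical, and it assumes the container calls `sessionCreated` on the thread that invoked `getSession()`, as Tomcat does.

```java
package example.diag; // hypothetical package name

import java.util.concurrent.atomic.AtomicInteger;
import java.util.logging.Logger;

import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Logs the JSF code path behind every new HttpSession (diagnostic use). */
@WebListener
public class SessionCreationTracer implements HttpSessionListener {

    private static final Logger LOG =
            Logger.getLogger(SessionCreationTracer.class.getName());
    private static final AtomicInteger LIVE = new AtomicInteger();
    private static final int MAX_FRAMES = 8;

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        // Assumption: the listener runs on the thread that called getSession(),
        // so this stack still contains the code that asked for the session.
        StackTraceElement[] stack = new Throwable().getStackTrace();
        LOG.warning("HttpSession created, live sessions=" + LIVE.incrementAndGet()
                + describeCaller(stack));
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        LIVE.decrementAndGet();
    }

    /** Keeps only MyFaces / JSF API frames, innermost first. */
    static String describeCaller(StackTraceElement[] stack) {
        StringBuilder sb = new StringBuilder();
        int printed = 0;
        for (StackTraceElement frame : stack) {
            String cls = frame.getClassName();
            if (cls.startsWith("org.apache.myfaces.") || cls.startsWith("javax.faces.")) {
                sb.append("\n    at ").append(frame);
                if (++printed == MAX_FRAMES) {
                    break;
                }
            }
        }
        return printed == 0 ? " (no JSF frame on the stack)" : sb.toString();
    }
}
```

Requesting a page that uses no session-scoped or view-scoped bean and seeing a log entry with a `getResponseEncoding` frame confirms the code path named in the report; a live-session count that grows with anonymous requests is the signal to watch in monitoring.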