I am learning about the Java EE HttpSession (in Tomcat). It says that when we close the browser, the cookie JSessionID=12345 will be destroyed (but on the server side, a session object is still retained until its lifespan ends).
Let’s say we set the session lifespan to be one hour. There is a kind of scenario that a user repeats the following action:
- access servlet (and this servlet calls getSession())
- close browser (or clear cookie).
So this repetition will cause a lot of useless session objects to be created, and they will only be destroyed after their lifespan ends.
In this case, some ‘hacker’ will be able to write a program to exploit our server (keep on creating session objects until we run out of RAM). Will this scenario be possible in a real environment? Does Java EE do anything to prevent this?
Yes, that is definitely a real-life scenario. I know cases where search engines killed web sites by crawling the site, because they created a new huge session on each request.
I guess there are only two ways to handle this:
I generally prefer the latter one. IMHO there are very few cases where you REALLY need to store huge objects in the session.
This is also what you will learn in books like Release It! by Michael T. Nygard (very good book by the way).
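As an added illustration of the defensive side of this (example code, not from the question or the answer above; Servlet 3.x on Tomcat is assumed, and the /profile path, the "user" attribute name and the demo credential are made up): only the login path creates a session, read paths use getSession(false) so that the "request, drop cookie, request again" loop from the question allocates nothing, and the container is told to cap the session count and shorten the timeout.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
// Container-side limits that go with this servlet (Tomcat):
//   web.xml:     <session-config><session-timeout>15</session-timeout></session-config>
//   context.xml: <Manager className="org.apache.catalina.session.StandardManager"
//                         maxActiveSessions="10000"/>
// With maxActiveSessions set, Tomcat refuses new sessions at the cap instead of exhausting the heap.
@WebServlet("/profile")   // hypothetical path
public class ProfileServlet extends HttpServlet {
    // Constructed demo credential; a real app checks a password hash in its user store.
    private static final byte[] DEMO_USER = "alice".getBytes(StandardCharsets.UTF_8);
    private static final byte[] DEMO_PASS = "correct horse".getBytes(StandardCharsets.UTF_8);
    // Read path: never allocate a session here. getSession(false) returns null for a
    // request without a valid JSESSIONID (plain getSession() would create one), so a
    // crawler or a client that keeps dropping its cookie creates nothing on the server.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        if (session == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "log in first");
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("hello " + session.getAttribute("user"));
    }
    // Login path: the only place a session is created, and only after the credential
    // check passes, so unauthenticated traffic cannot fill the session table.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        byte[] user = String.valueOf(req.getParameter("user")).getBytes(StandardCharsets.UTF_8);
        byte[] pass = String.valueOf(req.getParameter("pass")).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(DEMO_USER, user) || !MessageDigest.isEqual(DEMO_PASS, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "bad credentials");
            return;
        }
        HttpSession session = req.getSession(true);
        session.setAttribute("user", "alice");    // small identifier, not a large object
        session.setMaxInactiveInterval(15 * 60); // seconds; shorter than the hour in the question
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

Counting live sessions with an HttpSessionListener and alerting when the number climbs far above the logged-in user count is the cheapest way to notice a flood before the heap does.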