Session always being created on login

Question

Usually I use Java EE authentication with a custom login form and beans in my project. So I configure Glassfish to get user/password from a database (JDBC), create a jsf form that calls a login() method on a RequestScoped bean (named "LoginBean"), that calls HttpServletRequest's login() method.

When the login attempt succeeds, I set the user information in a SessionScoped bean that was injected in LoginBean, which I named "LoginService". And then, in lots of other website pages and beans I use this data by always injecting LoginService and acessing it's data.

All is fine, but I noticed that a Session is being created if a user goes to the login page, even if it hasn't attempted a login yet. My guess is that it happens because LoginService is injected in LoginBean always, on the object creation.

And because of that I have 2 questions:

1. Should I care about this session? Can this cause any problems?
2. What is the best way to do this custom login without creating a session every time a user access the login page? I mean, I could pass user info on a querystring after succeding, but that would be horrible. :)

Thx.

Answer 1

Should I care about this session? Can this cause any problems?

Depends. If your server is on relatively "cheapass" hardware, then the chance on a successful DDOS attack is bigger because more sessions could be created than the server can destroy before the hardware limits are reached.

---

What is the best way to do this custom login without creating a session every time a user access the login page?

Don't inject a session scoped bean. Put the User in session map yourself. See also "Update" part of Performing user authentication in Java EE / JSF using j_security_check for a concrete example:

public void login() throws IOException {
    FacesContext context = FacesContext.getCurrentInstance();
    ExternalContext externalContext = context.getExternalContext();
    HttpServletRequest request = (HttpServletRequest) externalContext.getRequest();

    try {
        request.login(username, password);
        User user = userService.find(username, password);
        externalContext.getSessionMap().put("user", user);
        externalContext.redirect(originalURL);
    } catch (ServletException e) {
        // Handle unknown username/password in request.login().
        context.addMessage(null, new FacesMessage("Unknown login"));
    }
}

Answer 2

Since you tagged this with CDI I am a little doubtful about doing this with:

externalContext.getSessionMap().put("user", user);

I am not familiar with glassfish nor sure what "Java EE authentication" is about. So this is just my two cents being a CDI+tomcat user.

I would say that if you want to do this with CDI you should not have the bean be @SessionScoped seing how you need to control it more fine.

The userBean: I would go for @WindowScoped from myfaces CODI (will be included in deltaspike 0.4). I would have the loginBean be @RequestScoped. I would have a second loginBean @ViewScoped (myfaces codi required).

@PreDestroy could then be used on a method on our main loginBean. If authenticated == false we should destroy the @windowScoped bean.

The @ViewScoped bean is responsible for remembering number of failed login attempts and the username. Then again this is only if I would actually mind just creating the @WindowScoped bean (I don't for my projects)