When is session created during JSF login?

Question

In JSF, it seems that sessions are created before a successful login. i.e. simply requesting the login page causes a new session to be created.

It seems very wasteful (and vulnerable to DDoS attacks) to create a session for each request received, rather than each successfully logged in user.

The code below is pretty generic, but shows the kind of simple scenario I'm referring to.

index.xhtml:

<html>
    <body>
        <h:form id="login">
            <h:outputLabel for="username">Username</h:outputLabel>
            <p:inputText id="username" name="username" value="#{userController.username}"/>
            <h:outputLabel for="password">Password</h:outputLabel>
            <p:password id="password" name="password" value="#{userController.password}"/>

            <p:commandButton id="loginButton" value="login" action="#{loginController.login}"/>
        </h:form>
    </body>
</html>

LoginController.java

@ViewScoped
public class LoginController implements Serializable {

    String username;
    String password;

    public void login(){
        HttpServletRequest request = (HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest();
        if (request.getSession(false) == null){
            System.out.println("No session.");
        } else {
            System.out.println("Session already exists.");
        }

        try {
            request.login(username, password);
        } catch (ServletException e) {
            FacesContext.getCurrentInstance.addMessage(null, new FacesMessage("Login failure", e.getMessage()));
        }
    }

    // username and password getters/setters

}

Edit: shambolic code example fixed

Answer 1

First of all, your testing methodology is completely wrong.

if (request.getSession() == null){
    System.out.println("No session.");
} else {
    System.out.println("Session already exists.");
}

Please carefully read the javadoc of the argumentless getSession() method. You'll realize that it never returns null.

Coming back to the concrete problem, by default JSF will indeed autocreate the session because the JSF view state has to be stored over there. If you set the JSF state saving method to client instead of server, then it won't be stored in session and hence no session needs to be created.

<context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
</context-param>

In the upcoming JSF 2.2 you could alternatively also put the bean in the request scope and use <f:view transient="true"> to go completely stateless. This is for the current JSF 2.1 version only available since Mojarra 2.1.19. See also e.g. this blog from one of Mojarra developers.