Tags: session, tomcat, vaadin, tomcat9, vaadin14

Prevent automatic Session creation


We are using Vaadin 14 on Tomcat 9. A session is created in Tomcat immediately, as soon as the login page of our app is called up. If a lot of sessions have been created (e.g. during a penetration test), Tomcat takes a very long time to delete them, and the CPU load also rises to 100%. Is it possible to prevent the automatic creation of a session and only create one after login?

We have reduced the session timeout in Tomcat so that there are not so many open sessions.


Solution

  • You cannot use Vaadin (for your login) and have no sessions. Vaadin stores the state of the UI in the session and there is no way around it:

    A user session begins when a user first makes a request to a Vaadin servlet by opening the URL of a particular UI. All server requests belonging to a particular UI class are processed by the VaadinServlet class. When a new client connects, it creates a new user session, represented by an instance of VaadinSession. Sessions are tracked using cookies stored in the browser.


    https://vaadin.com/docs/latest/advanced/application-lifecycle/#application.lifecycle.session

    So you have to prevent this by not sending your users directly into the Vaadin application (first). In your case you could provide a login form or some SSO gatekeeper to "protect" your resources.
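One way to put such a gatekeeper in front of the Vaadin servlet, as an added example that is not part of the original answer: a plain servlet filter mapped to `/*` that serves a static login form to unauthenticated requests without ever touching `HttpSession`, and only calls `request.getSession(true)` after a successful POST to `/login`. Because unauthenticated requests never reach `VaadinServlet`, no `VaadinSession` (and no `JSESSIONID` cookie) is created for them. The class name, the `/login` path, the `authenticatedUser` attribute name and the hard-coded credential check are assumptions for illustration; the credential check in particular is a placeholder to be replaced by your real user store. The code targets the Servlet 4.0 API (`javax.servlet`) that Tomcat 9 and Vaadin 14 use.

```java
package example.auth;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example, not from the original answer or from Vaadin itself.
 * Sits in front of VaadinServlet: unauthenticated requests get a static
 * login page and never reach Vaadin, so no HttpSession/VaadinSession is
 * created for them. A session is created only after a successful login.
 */
@WebFilter(urlPatterns = "/*", asyncSupported = true)
public class LoginGateFilter implements Filter {

    private static final String LOGIN_PATH = "/login";          // assumed path
    private static final String AUTH_ATTR = "authenticatedUser"; // assumed attribute name

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) only looks up an existing session; it never creates one.
        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute(AUTH_ATTR) != null) {
            chain.doFilter(req, res); // authenticated: hand over to VaadinServlet
            return;
        }

        // Path relative to the context root, independent of the servlet mapping.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (LOGIN_PATH.equals(path) && "POST".equals(request.getMethod())) {
            handleLogin(request, response);
            return;
        }

        // Anything else from an unauthenticated client: serve the form, create nothing.
        writeLoginForm(response, request.getContextPath(), false);
    }

    private void handleLogin(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String user = request.getParameter("username");
        String pass = request.getParameter("password");
        if (user != null && pass != null && credentialsValid(user, pass)) {
            // Drop any session the client may already carry (session fixation),
            // then create the one and only session, now that the user is known.
            HttpSession old = request.getSession(false);
            if (old != null) {
                old.invalidate();
            }
            HttpSession session = request.getSession(true);
            session.setAttribute(AUTH_ATTR, user);
            response.sendRedirect(request.getContextPath() + "/");
        } else {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            writeLoginForm(response, request.getContextPath(), true);
        }
    }

    /** Placeholder credential check (assumed); replace with your user store. */
    private boolean credentialsValid(String user, String pass) {
        byte[] expectedUser = "demo".getBytes(StandardCharsets.UTF_8);
        byte[] expectedPass = "demo".getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison so response timing does not leak partial matches.
        return MessageDigest.isEqual(user.getBytes(StandardCharsets.UTF_8), expectedUser)
            && MessageDigest.isEqual(pass.getBytes(StandardCharsets.UTF_8), expectedPass);
    }

    private void writeLoginForm(HttpServletResponse response, String contextPath, boolean failed)
            throws IOException {
        response.setContentType("text/html;charset=UTF-8");
        response.setHeader("Cache-Control", "no-store");
        String html = "<!doctype html><html><body>"
            + (failed ? "<p>Login failed.</p>" : "")
            + "<form method=\"post\" action=\"" + contextPath + LOGIN_PATH + "\">"
            + "<input name=\"username\" autocomplete=\"username\"> "
            + "<input type=\"password\" name=\"password\" autocomplete=\"current-password\"> "
            + "<button type=\"submit\">Log in</button></form></body></html>";
        response.getWriter().write(html);
    }
}
```

Two caveats for production use: the form above carries no login-CSRF token (a session-bound token is not available before login, so a double-submit cookie or a signed token is the usual choice), and failed logins should be rate-limited, since an attacker who cannot exhaust sessions any more will fall back to hammering the login endpoint instead.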