<snipping earlier conversation in the interests of bevity>
" type="cite">OK so I think having the developer make that association is reasonable. (see below)There are multiple factors here: - is an HttpSession present (Yes/No) - is the WebSocket endpoint protected by a security constraint (Yes/No) - what authentication mechanism is in use (BASIC/DIGEST/FORM/ CLIENT-CERT/CONTAINER-SPECIFIC) - logout / session expiration That gives us at least 32 (actually a few won't work but ignoring that for now) combinations plus an additional 8 for each container specific authentication mechanism. We either need to be clear about what happens in each of the above cases or provide the hooks to enable the developer to make the choice (with some sensible defaults). I prefer the latter option.
I am still concerned about containers that use the HttpSession for authenticated state running web sockets after the authenticated state has been reset. As you say, this may only be in the FORM login case, but I'm not sure that there aren't other containers and other schemes where the HttpSession is used for more than that one case.
It feels like we need to require containers to close web sockets opened on the understanding of a particular authenticated state in those cases where the authenticated state has changed for whatever reason.
If this makes sense, can you think of a requirement we can put in the spec to capture this succinctly ?
In terms of supporting developers making their own association between httpsessions and web sockets, currently we have
and we can recommend developers use an HttpSessionListener to track the session to establish whatever relationship they want with it over its lifetime.
We didn't want an explicit dependency on the Servlet API which explains (perhaps not excuses) the typeless API. This seems a step better that asking developers to pull the SessionID out of the Cookie or JSession ID parameter on the request URI, but perhaps a step worse than allowing the HttpSession to be injected explicitly ?
What do others think ?
[jsr356-experts] Re: [jsr356-users] Re: WebSocket Session/HttpSession