As an example, JSPs will often create a session if one doesn't already exist.
This allows JSPs to use the implicit
As a second example, the request.getSession() method will also automatically create a session if one doesn't already exist.
However, sessions should be managed with some care, for two main reasons:
So, the creation and destruction of sessions should likely be tightly controlled by the application.
Here's an example of a reasonable set of policies regarding sessions:
Use the <%@ page session="false" %> directive at the top of every JSP that doesn't use a session.
In web.xml, ensure the session timeout is set to a value which isn't unnecessarily long.
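The policies above in code, as an added example that is not from the original page: two hypothetical servlets, one that reads session state with getSession(false) so that looking up a session never creates one as a side effect, and one that destroys the session explicitly on logout rather than leaving it to the timeout. The attribute name "user" and the /login path are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet that needs an existing session but must not create one.
public class AccountServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getSession(false) returns null when no session exists, unlike
        // getSession(), which would silently create a new one here.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            // Not authenticated: redirect rather than creating a session
            // for an anonymous visitor (assumed login path).
            resp.sendRedirect(req.getContextPath() + "/login");
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Hello, " + session.getAttribute("user"));
    }
}

// Hypothetical logout servlet: destruction is explicit and under the
// application's control instead of waiting for the session to expire.
class LogoutServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate(); // server-side state is dropped immediately
        }
        resp.sendRedirect(req.getContextPath() + "/login");
    }
}
```

The timeout policy is configured separately in web.xml with a session-config/session-timeout element (value in minutes), which these servlets rely on only as a backstop for sessions that are never logged out.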