Sessions is created for every request even when getSession(false) is called

[mesutcelik]

Following issue has been created by @nkrijnen
Original Link : hazelcast/hazelcast#8549

The getSession method in WebFilter.RequestWrapper does not respect the boolean create parameter. As you can see, the parameter is not used anywhere in the method:

        @Override
        public HazelcastHttpSession getSession(final boolean create) {
            hazelcastSession = readSessionFromLocal();
            if (hazelcastSession == null) {
                hazelcastSession = getOrCreateHazelcastSession();
            }
            return hazelcastSession;
        }

https://github.com/hazelcast/hazelcast/blob/v3.6.3/hazelcast-wm/src/main/java/com/hazelcast/web/WebFilter.java#L460

We are currently using Hazelcast version 3.6.3.
This piece of code is identical in the latest master:

https://github.com/hazelcast/hazelcast-wm/blob/master/src/main/java/com/hazelcast/web/WebFilter.java#L473

Expected behavior

The javadoc for javax.servlet.http.HttpServletRequest#getSession(boolean) describes the expected behavior:

create - true to create a new session for this request if necessary; false to return null if there's no current session

Why is this a problem?

For most request, our software does not require a session, so we make sure to only call getSession(true) when the authentication requires a session. In all other cases we require correct Servlet-spec behavior for getSession(false). Hazelcast is now forcing a new session to be created with every request, which causes massive amounts of sessions that are not needed. All these sessions drain resources and cause server to slow down, even break.