Accessing the portlet session on the anonymous page

Administrators may place your portlet on a page that is presented to anonymous users (similar to the Welcome page provided by WebSphere Portal). By default, when a portlet is placed on a page that does not require authentication, the portal server does not create a PortletSession until the subsequent request to the server. The administrator can change this setting with the public.session parameter in If your portlet is using the PortletSession in view mode to perform duties like maintaining state, you must write your code to check for a valid PortletSession. For example:

    PortletSession session = request.getPortletSession(false);
if (session != null) {

// do something with the session
else {
// do something else

All calls to request.getPortletSession() should pass in the boolean create parameter set to false. This ensures that if the user is not logged in, then an invalid PortletSession is not created and the variable session will be null. The rest of the code can then perform checks to make sure that session is not null before trying to use the PortletSession object.

The portlet may need to present the user with an appropriate message if it requires a valid PortletSession to operate correctly. For example:

   This content cannot be displayed until you log in.
Please report this problem to the site administrator.

In addition, the administrator will need more helpful information that the portlet can provide in the portlet log:

   Unable to locate the portlet session.  This portlet requires a session to function.
Move the portlet to an authenticated page or turn on session tracking for anonymous users.

If the portlet does not require a session for critical operation, then perhaps any subfunctions within the portlet require the session can be suppressed to anonymous users. This should be evaluated for each individual portlet.

If request.getPortletSession() or request.getPortletSession(true) are called when the user is not logged in and WebSphere Portal is not configured to use a session for anonymous users, each request from each client creates an extraneous PortletSession object that is lost and consumes JVM memory. This causes more frequent JVM garbage collection and hurts overall WebSphere Portal performance.

In order for a portlet to function without a portlet session, you must add this line to the top of all portlet JSPs.

    <%@ page session="false" %>

Without this directive, the JSP page compiler generates code that accesses the session even if you don't use it in your JSP. You also cannot access any beans with scope set to session in any of your JSP pages as shown.

<jsp:useBean ... scope="session" />

This will create sessions when you do not want them. Instead, determine whether the session exists, for example:

<% theBeanId = null;
PortletSession session = request.getPortletSession(false);
if (session != null) {
theBeanId = ("theBeanId");

// later in your code always check to see if the bean exists before using it
if (theBeanId != null) {
// use the bean