Regarding session in JSPs, a question from Enthuware Mock Exam

The following is a question from Enthuware Mock Exam:
Consider the following JSP code: <html><body> <% Integer count = (Integer) request.getSession(false).getAttribute("count"); if(count != null ) { out.println(count); } else request.getSession(false).setAttribute("count", new Integer(1)); %> Hello! </body></html> What will it print for the very first request to this page as well as the web application that contains this page?
The correct answer is "It will print Hello and will set the count attribute in the session."
I answered: "It will throw a NullPointerException at request time."

The explanation the tool gives for the correct answer is:
Explanation:
---------------------------
Had this code been in a regular servlet like this:
public void doGet(...) { Integer count = (Integer) request.getSession(false).getAttribute("count"); if(count != null ) { out.println(count); } else request.getSession(false).setAttribute("count", new Integer(1)); }
It would have thrown an NullPointerException as request.getSession(false) would have returned null (since this is a first ever request to the servlet container.)

However, in case of JSP pages, the session is automatically created by default. I.e. <%@ page session="true" %>
---------------------------

I wasn't convinced with the explanation and hence I tried creating a JSP and it worked as per the given comments. I also observed the servlet code resulting from translating the JSP (which said HttpSession session = pageCotext.getSession()). For the session attribute of page directive, the spec says:

If true then the implicit script language variable named session of type javax.servlet.http.HttpSession references the current/new session for the page.

But I fail to understand why a JSP is given a session object when it has not been explicitly "requested" by a developer; and what does it mean to have a new session just for the page? And given that, does a request to any JSP automatically associate a session with the client, even when there is no need to have a notion of "state"?

Regards,
Prashant

This is given in the spec itself, I think you missed it

JSP Spec wrote:page directive session attribute
If true then the implicit script language variable named session of type javax.servlet.http.HttpSession references the current/new session for the page.
If false then the page does not participate in a session; the session implicit variable is unavailable, and any reference to it within the body of the JSP page is illegal and shall result in a fatal translation error.
Default is true.

So if you don't specify the session attribute in a JSP page, it will automatically create a session object. To stop the JSP from doing so, you'll have to explicitly set the session attribute of the page directive to false...

I did go through the spec, and I am convinced why that answer is what it is, but I don't see, from a design viewpoint, why a "new" session object is automatically available to all JSP pages with no existing session AND default value of "true" for the session attribute in the page directive.

Does it mean the JSP page which encounters this kind of code for the first time from a new user is the initiator of a new session for the user? or rather put another way - Is this session available to other resources for further requests from the same user?

If not, what use is a new session meant just for a JSP page, if its really not involved in any state maintenance and which ultimately is going to get destroyed at the end of _jspService method?

Is this session available to other resources for further requests from the same user?

Yes, this is a normal session so once a session is created for a user, further requests from the same user will use the same session...

Hi Prashant,

but I don't see, from a design viewpoint, why a "new" session object is automatically available to all JSP pages with no existing session AND default value of "true" for the session attribute in the page directive.

You should look at it as a convenience to the developer. The JSP (view) is normally where you show the results of the request being made. Often you want to show values of attributes which are stored in the Session object so you would have repeating code in the JSPs to get hold of the Session object.

Regards,
Frits