hilla
VaadinSession should only be created if needed
Right now, VaadinService forces a VaadinSession to always exist: https://github.com/vaadin/flow/blob/master/flow-server/src/main/java/com/vaadin/flow/server/VaadinService.java#L695
When you are only creating TS views, you do not need a VaadinSession. In some cases you do not even need an HttpSession. While the memory overhead is probably small, and the time spent locking an unnecessary session is probably minimal, it is not really needed for anything, so the time spent is just waste.
Creating the VaadinSession eagerly is not only a bit confusing: "Do I need this for a stateless app?" but also raises questions if the app is broken as you constantly see rows like this in the log:
com.vaadin.flow.server.VaadinSession : A VaadinSession instance not associated to any service is getting unbound. Session destroy events will not be fired and UIs in the session will not get detached. This might happen if a session is deserialized but never used before it expires.
Documentation should make it clear that VaadinSession is only needed for stateful UIs and you should store other information such as login tokens outside the VaadinSession (inside the HttpSession if you so choose). The code should then follow the documentation.
Flow CSRF might be one of the reasons that VaadinSession was not removed before. Let's investigate if this is achievable (easily); if not, we should also append the conclusion here in this ticket.
Hi! Any updates on this? We noticed this as well when implementing authentication via JWT. As said, in general the memory footprint is small, but it is strange to have a forced session creation when Spring Security is configured for stateless.