Wicket / WICKET-4444

Add a callback to the Session which is called when the HttpSession is invalidated

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.0.0-beta1
    • Fix Version/s: 6.6.0, 1.5.10
    • Component/s: wicket
    • Labels:
      None

      Description

      Currently the only notification that a user session has gone is org.apache.wicket.Application#sessionUnbound(String) which gives only the http session id as context.
      With the proposed change it will be possible to have an explicit callback method in o.a.w.Session itself. It will be called after explicit usage of Session#invalidate(Now)() or http session expiration due to inactivity.
      See the proposed patch.

      One "problem" is that now the http session attribute that holds the instance of SessionBindingListener will keep a reference to the Wicket session, but I think this should not cause a bigger memory footprint because the same Session instance is already kept in another attribute in the http session, so the serialization process will just link the second to the first.

      1. WICKET-4444.patch
        3 kB
        Martin Grigorov
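
An added example (not the attached patch and not Wicket's own code) of how an application could use the callback described above, which the comments below call onInvalidate, to revoke server-side state whether the session ends by explicit invalidation or by inactivity timeout. AuditedSession, ACTIVE_TOKENS and signIn(String, String) are hypothetical names; it assumes Wicket 6.6.0 or 1.5.10 and SLF4J on the classpath.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.wicket.protocol.http.WebSession;
import org.apache.wicket.request.Request;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Hypothetical application session; class, field and signIn names are assumptions.
public class AuditedSession extends WebSession {
    private static final long serialVersionUID = 1L;
    private static final Logger LOG = LoggerFactory.getLogger(AuditedSession.class);

    // Hypothetical server-side registry: API token -> user name.
    static final Map<String, String> ACTIVE_TOKENS = new ConcurrentHashMap<String, String>();

    // Serializable state only: this object is stored in the HttpSession.
    private String username;
    private String apiToken;

    public AuditedSession(Request request) {
        super(request);
    }

    public void signIn(String username, String apiToken) {
        this.username = username;
        this.apiToken = apiToken;
        ACTIVE_TOKENS.put(apiToken, username);
        bind(); // create the HttpSession so the session outlives this request
    }

    // Runs after Session#invalidate()/invalidateNow() and after container-driven
    // expiry. On expiry there is no active request, so rely only on fields
    // stored in this object, not on the current request cycle.
    @Override
    public void onInvalidate() {
        super.onInvalidate();
        if (apiToken != null) {
            ACTIVE_TOKENS.remove(apiToken);
            LOG.info("Session ended for user {}; API token revoked", username);
            apiToken = null;
        }
    }
}
```

To use it, return an instance from the application's WebApplication#newSession(Request, Response) override.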

        Activity

        Martin Grigorov added a comment -

        It seems there is not much interest in this feature: http://markmail.org/thread/jtfrzkrw2g5khru7

        Let's postpone it for later if needed.

        Don Ngo added a comment -

        Martin,

        I, for one, am very interested in a fix for this issue. I've been struggling for months trying to find a workaround. In fact, this issue is holding me back on rolling out my first Wicket application. Please consider putting this fix in ASAP. I believe others are interested in having this fix as well.

        Regards,

        Don Ngo

        Martin Grigorov added a comment -

        Hi Don,

        As you can see from my earlier comment I did a poll about this feature and there were not many interested people.

        Why do you call it a "fix"? It is actually a new feature.
        What kind of problems do you experience at the moment?
        Please describe your use case in the users@ mailing list.

        Don Ngo added a comment -

        Martin,

        Looking at this issue again, I think it may not be exactly what I'm looking for, and that is for the user login session to expire automatically after no user activity within the timeframe as specified in the session-timeout setting in web.xml. What I've noticed in my application is that the user session never expired, and so even after walking away from the computer for days, the user can still access the application without being asked to sign in again. This poses a serious security issue for me.

        Granted that in my application, the users can always sign out by clicking on the signout link (which basically calls Session#invalidate() to invalidate the session), that is available on top of every page, after signing in, but that is something that the users should have to do in my opinion.

        For some time, I thought I must have done something wrong in my code, that may have caused the user session to be invalidated automatically. But after many days of searching on the internet and looking through all the examples and books that I have, I couldn't find a clue as to what I may have done wrong.

        I hope you can prove me wrong.

        Regards,

        Don Ngo

        Krys Malak added a comment -

        Hi Martin,

        we would really need this feature and your patch allows easy access to the session through the onInvalidate callback.

        But we are still on Wicket 1.5, so we would need it there.

        Cheers,
        Krys

        Martin Grigorov added a comment -

        The new callback method will be available in Wicket 6.6.0 and 1.5.10


          People

          • Assignee:
            Martin Grigorov
            Reporter:
            Martin Grigorov
          • Votes:
            0
            Watchers:
            5
