Wicket
  1. Wicket
  2. WICKET-5164

PageStoreManager.SessionEntry keeps outdated sessionId when container changes sessionId

    Details

    • Type: Bug Bug
    • Status: Resolved
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 6.7.0, 7.0.0-M1
    • Fix Version/s: 6.10.0, 7.0.0-M1
    • Component/s: wicket
    • Labels:
      None

      Description

      PageStoreManager keeps the initial sessionId for each SessionEntry.
      If the container changes the sessionId later (e.g. Tomcat's "Session Fixation Protection"), all pages continue to be stored under the the initial sessionId. This is necessary to be able to access old pages even after a change to the sessionId.

      However PageStoreManager#sessionExpired(String) passes the current sessionId to the PageStore. If it is not longer equal the original sessionId, the PageStore will fail to remove the stored pages for the session.

        Issue Links

          Activity

          Martin Grigorov made changes -
          Link This issue breaks WICKET-5688 [ WICKET-5688 ]
          Sven Meier made changes -
          Status Reopened [ 4 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          Martin Grigorov made changes -
          Resolution Fixed [ 1 ]
          Status Resolved [ 5 ] Reopened [ 4 ]
          Sven Meier made changes -
          Status Open [ 1 ] Resolved [ 5 ]
          Fix Version/s 7.0.0 [ 12322958 ]
          Fix Version/s 6.10.0 [ 12324643 ]
          Resolution Fixed [ 1 ]
          Sven Meier made changes -
          Affects Version/s 7.0.0 [ 12322958 ]
          Description See summary. PageStoreManager keeps the initial sessionId for each SessionEntry.
          If the container changes the sessionId later (e.g. Tomcat's "Session Fixation Protection"), all pages continue to be stored under the the initial sessionId. This is necessary to be able to access old pages even after a change to the sessionId.

          However PageStoreManager#sessionExpired(String) passes the *current* sessionId to the PageStore. If it is not longer equal the original sessionId, the PageStore will fail to remove the stored pages for the session.
          Sven Meier made changes -
          Field Original Value New Value
          Link This issue relates to WICKET-5103 [ WICKET-5103 ]
          Sven Meier created issue -

            People

            • Assignee:
              Sven Meier
              Reporter:
              Sven Meier
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development