Wicket
  1. Wicket
  2. WICKET-5164

PageStoreManager.SessionEntry keeps outdated sessionId when container changes sessionId

    Details

    • Type: Bug Bug
    • Status: Resolved
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 6.7.0, 7.0.0-M1
    • Fix Version/s: 6.10.0, 7.0.0-M1
    • Component/s: wicket
    • Labels:
      None

      Description

      PageStoreManager keeps the initial sessionId for each SessionEntry.
      If the container changes the sessionId later (e.g. Tomcat's "Session Fixation Protection"), all pages continue to be stored under the the initial sessionId. This is necessary to be able to access old pages even after a change to the sessionId.

      However PageStoreManager#sessionExpired(String) passes the current sessionId to the PageStore. If it is not longer equal the original sessionId, the PageStore will fail to remove the stored pages for the session.

        Issue Links

          Activity

            People

            • Assignee:
              Sven Meier
              Reporter:
              Sven Meier
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development