  1. Wicket
  2. WICKET-5164

PageStoreManager.SessionEntry keeps outdated sessionId when container changes sessionId

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.7.0, 7.0.0-M1
    • Fix Version/s: 6.10.0, 7.0.0-M1
    • Component/s: wicket
    • Labels:
      None

      Description

      PageStoreManager keeps the initial sessionId for each SessionEntry.
      If the container changes the sessionId later (e.g. Tomcat's "Session Fixation Protection"), all pages continue to be stored under the initial sessionId. This is necessary to be able to access old pages even after a change to the sessionId.

      However, PageStoreManager#sessionExpired(String) passes the current sessionId to the PageStore. If it is no longer equal to the original sessionId, the PageStore will fail to remove the stored pages for the session.

          Activity

          svenmeier Sven Meier added a comment -

          PageStoreManager.SessionEntry now implements HttpSessionBindingListener to pass the correct identifier to the PageStore.

          This breaks somewhat the abstraction of IPageManagerContext. But I didn't find another solution to access the initial sessionId which is used for all access to PageStore.

          mgrigorov Martin Grigorov added a comment - - edited

          I just got:

          2013-07-11 14:48:54.278:WARN:oejuc.AbstractLifeCycle:Thread-2: FAILED org.eclipse.jetty.maven.plugin.JettyServer@16bd02f6: java.lang.NullPointerException
          java.lang.NullPointerException
          at org.apache.wicket.page.PageStoreManager$SessionEntry.valueUnbound(PageStoreManager.java:303)
          at org.eclipse.jetty.server.session.AbstractSession.unbindValue(AbstractSession.java:581)
          at org.eclipse.jetty.server.session.AbstractSession.clearAttributes(AbstractSession.java:413)
          at org.eclipse.jetty.server.session.AbstractSession.doInvalidate(AbstractSession.java:380)
          at org.eclipse.jetty.server.session.HashedSession.doInvalidate(HashedSession.java:90)
          at org.eclipse.jetty.server.session.AbstractSession.invalidate(AbstractSession.java:370)
          at org.eclipse.jetty.server.session.HashSessionManager.invalidateSessions(HashSessionManager.java:411)
          at org.eclipse.jetty.server.session.AbstractSessionManager.doStop(AbstractSessionManager.java:274)
          at org.eclipse.jetty.server.session.HashSessionManager.doStop(HashSessionManager.java:139)

          while stopping Jetty9.

          org.apache.wicket.page.PageStoreManager.SessionEntry#getPageStore() returns null.

          svenmeier Sven Meier added a comment -

          It seems Jetty9 destroys the filter/application before unbinding the session values, strange.

          svenmeier Sven Meier added a comment -

          now checks whether pageStore is destroyed already
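
The failure mode and the fix discussed in this issue, as an added example that is not part of the thread and is not Wicket's code: `PageStore`, `SessionEntry`, `pagesLeft` and the session ids "A1"/"B2"/"C3" are constructed stand-ins. It shows cleanup keyed by the rotated id leaving pages behind, cleanup keyed by the initial id removing them, and the null check for an already destroyed store.

```java
import java.util.*;

// Added illustration: simplified stand-ins, not Wicket's classes.
public class SessionIdChangeDemo {
    // Page store keyed by session id (stand-in for Wicket's page store).
    static class PageStore {
        final Map<String, List<String>> pages = new HashMap<>();
        void storePage(String sessionId, String page) {
            pages.computeIfAbsent(sessionId, k -> new ArrayList<>()).add(page);
        }
        void unbind(String sessionId) { pages.remove(sessionId); }
    }

    // Session attribute that remembers the id it was created with.
    static class SessionEntry {
        final String initialSessionId;
        final PageStore store; // null models an already destroyed application
        SessionEntry(String id, PageStore store) { initialSessionId = id; this.store = store; }
        void touch(String page) { store.storePage(initialSessionId, page); }
        // Plays the role of HttpSessionBindingListener#valueUnbound in the fix.
        void valueUnbound() {
            if (store != null) store.unbind(initialSessionId);
        }
    }

    // Returns how many pages stay in the store after the session ends.
    static int pagesLeft(boolean cleanupByCurrentId) {
        PageStore store = new PageStore();
        SessionEntry entry = new SessionEntry("A1", store); // constructed ids
        entry.touch("LoginPage");
        String currentId = "B2";    // container rotated the id after login
        entry.touch("AccountPage"); // still stored under the initial id "A1"
        if (cleanupByCurrentId) store.unbind(currentId); // reported behaviour
        else entry.valueUnbound();                       // fixed behaviour
        return store.pages.getOrDefault("A1", List.of()).size();
    }

    public static void main(String[] args) {
        System.out.println("left after expiry by current id: " + pagesLeft(true));
        System.out.println("left after valueUnbound:         " + pagesLeft(false));
        new SessionEntry("C3", null).valueUnbound(); // destroyed store: no NPE
        System.out.println("valueUnbound with destroyed store completed");
    }
}
```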


            People

            • Assignee:
              svenmeier Sven Meier
              Reporter:
              svenmeier Sven Meier