Uploaded image for project: 'Struts 2'
  1. Struts 2
  2. WW-3895

Synchronization on HttpSession object

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 2.3.4.1
    • 2.3.20
    • None
    • None

    Description

      I noticed that in the fix for WW-3865 (and in current 2.3.4.1 code), synchronization is made based on the HttpSession object.

      According to http://yet-another-dev.blogspot.com/2009/08/synchronizing-httpsession.html and http://stackoverflow.com/a/616723/631628 , HttpSession isn't guaranteed by the specification to be the same object each time getSession() is called and so the synchronization might not work correctly. That post suggests synchronizing on the interned session ID instead. There are might be other places in the codebase this would have to be changed too, and not just in the TokenSessionInterceptor discussed in WW-3865.

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. WW-3865 TokenSesion double submit sends a blank page to ie and stacktrace on server

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          Activity

            People

              lukaszlenart Lukasz Lenart
              pcavanaugh Patrick Cavanaugh
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: