Posted to dev@wicket.apache.org by Andrea Del Bene <an...@gmail.com> on 2018/11/01 16:30:16 UTC
WICKET-6602
Hi,
about WICKET-6602*, can we keep session metadata on Session#destroy()?
Do you see any problem with it?
Andrea.
* https://issues.apache.org/jira/projects/WICKET/issues/WICKET-6602
Re: WICKET-6602
Posted by Sven Meier <sv...@meiers.net>.
Sounds good.
Sven
On 02.11.18 at 15:46, Andrea Del Bene wrote:
> +1 I also agree with Sven. I also think that we can improve the
> current code by simply using Servlet 3.1, which is the version Wicket
> 8 is based on. According to JavaDoc and commit logs
> Session#replaceSession was introduced to provide protection against
> Session Fixation. However, Servlet 3.1 introduced a more efficient way
> to protect against this attack with
> HttpServletRequest#changeSessionId, so we might introduce a
> corresponding method in the Session class and suggest using it against
> session fixation. In more detail, it would be an abstract method
> implemented in the WebSession class.
>
> WDYT?
>
> more details about servlet 3.1 here:
> https://blogs.oracle.com/arungupta/whats-new-in-servlet-31-java-ee-7-moving-forward
>
> On 02/11/18 08:04, Maxim Solodovnik wrote:
>> +1
>> destroy should destroy everything
>>
>> On Fri, 2 Nov 2018 at 00:37, Sven Meier <sv...@meiers.net> wrote:
>>
>>> Hi Andrea,
>>>
>>> IMHO destroy() should stay as it is, i.e. "destroy everything".
>>>
>>> But replaceSession() shouldn't call it, following its JavaDoc "Replaces
>>> the underlying (Web)Session" it should only invalidate the
>>> sessionStore.
>>>
>>> WDYT?
>>> Sven
>>>
>>> On 01.11.18 at 17:30, Andrea Del Bene wrote:
>>>> Hi,
>>>>
>>>> about WICKET-6602*, can we keep session metadata on Session#destroy()?
>>>> Do you see any problem with it?
>>>>
>>>> Andrea.
>>>>
>>>>
>>>> * https://issues.apache.org/jira/projects/WICKET/issues/WICKET-6602
>>>>
>>
Re: WICKET-6602
Posted by Andrea Del Bene <an...@gmail.com>.
+1 I also agree with Sven. I also think that we can improve the current
code by simply using Servlet 3.1, which is the version Wicket 8 is based
on. According to JavaDoc and commit logs Session#replaceSession was
introduced to provide protection against Session Fixation. However,
Servlet 3.1 introduced a more efficient way to protect against this
attack with HttpServletRequest#changeSessionId, so we might introduce a
corresponding method in the Session class and suggest using it against
session fixation. In more detail, it would be an abstract method
implemented in the WebSession class.
WDYT?
more details about servlet 3.1 here:
https://blogs.oracle.com/arungupta/whats-new-in-servlet-31-java-ee-7-moving-forward
On 02/11/18 08:04, Maxim Solodovnik wrote:
> +1
> destroy should destroy everything
>
> On Fri, 2 Nov 2018 at 00:37, Sven Meier <sv...@meiers.net> wrote:
>
>> Hi Andrea,
>>
>> IMHO destroy() should stay as it is, i.e. "destroy everything".
>>
>> But replaceSession() shouldn't call it, following its JavaDoc "Replaces
>> the underlying (Web)Session" it should only invalidate the sessionStore.
>>
>> WDYT?
>> Sven
>>
>> On 01.11.18 at 17:30, Andrea Del Bene wrote:
>>> Hi,
>>>
>>> about WICKET-6602*, can we keep session metadata on Session#destroy()?
>>> Do you see any problem with it?
>>>
>>> Andrea.
>>>
>>>
>>> * https://issues.apache.org/jira/projects/WICKET/issues/WICKET-6602
>>>
>
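As an added illustration of the point made in this message (not code from the thread, from Wicket, or from Servlet itself): the pre-3.1 way to defeat session fixation is to invalidate the session and build a new one, which throws away everything the container and any session-keyed store associated with the old id, i.e. the "destroy everything" behaviour discussed above. HttpServletRequest#changeSessionId (Servlet 3.1) keeps the HttpSession object and its attributes and only swaps the identifier. The class and method names below are hypothetical; only the javax.servlet calls are real API.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical helper contrasting two ways of rotating the session id after
 * a successful login. Not part of Wicket; names are illustrative.
 */
public final class SessionIdRotation {

    private SessionIdRotation() {}

    /**
     * Pre-Servlet-3.1 approach: invalidate and recreate.
     * Attributes must be copied by hand, and any container-side state bound
     * to the old session (listeners, stores keyed by the session id) is lost.
     */
    public static HttpSession rotateByInvalidate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> copy = new HashMap<>();
        if (old != null) {
            for (String name : Collections.list(old.getAttributeNames())) {
                copy.put(name, old.getAttribute(name));
            }
            old.invalidate(); // everything tied to the old id is gone
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : copy.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    /**
     * Servlet 3.1 approach: let the container assign a new id.
     * The HttpSession instance, its attributes and its metadata survive;
     * only the identifier (and the cookie sent to the client) changes, so an
     * id fixed before authentication no longer resolves to this session.
     */
    public static String rotateByChangeSessionId(HttpServletRequest request) {
        // changeSessionId() throws IllegalStateException without a session,
        // so make sure one exists first
        request.getSession(true);
        return request.changeSessionId();
    }

    /**
     * Typical call site: immediately after credentials have been verified and
     * before any user-specific data is placed in the session.
     */
    public static String onAuthenticated(HttpServletRequest request, String userId) {
        String newId = rotateByChangeSessionId(request);
        request.getSession(false).setAttribute("userId", userId);
        return newId;
    }
}
```

In a Wicket application the same call can be made from the container request, e.g. `((HttpServletRequest) RequestCycle.get().getRequest().getContainerRequest()).changeSessionId()` (an assumption about how the abstract method proposed above would be implemented in WebSession, not a statement about the project's actual code).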
Re: WICKET-6602
Posted by Maxim Solodovnik <so...@gmail.com>.
+1
destroy should destroy everything
On Fri, 2 Nov 2018 at 00:37, Sven Meier <sv...@meiers.net> wrote:
> Hi Andrea,
>
> IMHO destroy() should stay as it is, i.e. "destroy everything".
>
> But replaceSession() shouldn't call it, following its JavaDoc "Replaces
> the underlying (Web)Session" it should only invalidate the sessionStore.
>
> WDYT?
> Sven
>
> On 01.11.18 at 17:30, Andrea Del Bene wrote:
> > Hi,
> >
> > about WICKET-6602*, can we keep session metadata on Session#destroy()?
> > Do you see any problem with it?
> >
> > Andrea.
> >
> >
> > * https://issues.apache.org/jira/projects/WICKET/issues/WICKET-6602
> >
>
--
WBR
Maxim aka solomax
Re: WICKET-6602
Posted by Sven Meier <sv...@meiers.net>.
Hi Andrea,
IMHO destroy() should stay as it is, i.e. "destroy everything".
But replaceSession() shouldn't call it, following its JavaDoc "Replaces
the underlying (Web)Session" it should only invalidate the sessionStore.
WDYT?
Sven
On 01.11.18 at 17:30, Andrea Del Bene wrote:
> Hi,
>
> about WICKET-6602*, can we keep session metadata on Session#destroy()?
> Do you see any problem with it?
>
> Andrea.
>
>
> * https://issues.apache.org/jira/projects/WICKET/issues/WICKET-6602
>