You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@wicket.apache.org by "Martin Grigorov (Created) (JIRA)" <ji...@apache.org> on 2012/03/08 11:30:57 UTC
[jira] [Created] (WICKET-4444) Add a callback to the Session which
is called when the HttpSession is invalidated
Add a callback to the Session which is called when the HttpSession is invalidated
---------------------------------------------------------------------------------
Key: WICKET-4444
URL: https://issues.apache.org/jira/browse/WICKET-4444
Project: Wicket
Issue Type: Improvement
Components: wicket
Affects Versions: 6.0.0
Reporter: Martin Grigorov
Assignee: Martin Grigorov
Fix For: 6.0.0
Currently the only notification that a user session has gone is org.apache.wicket.Application#sessionUnbound(String) which gives only the http session id as context.
With the proposed change it will be possible to have an explicit callback method in o.a.w.Session itself. It will be called after explicit usage of Session#invalidate(Now)() or http session expiration due to inactivity.
See the proposed patch.
One "problem" is that now the http session attribute that holds the instance of SessionBindingListener will keep a reference to the Wicket session, but I think this should not cause bigger memory footprint because the same Session instance is already kept in another attribute in the http session, so the serialization process will just link the second to the first.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (WICKET-4444) Add a callback to the Session
which is called when the HttpSession is invalidated
Posted by "Don Ngo (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-4444?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13259675#comment-13259675 ]
Don Ngo commented on WICKET-4444:
---------------------------------
Martin,
I, for one, am very interested in a fix for this issue. I've been struggling for months trying to find a work around. In fact, this issue is holding me back on rolling out my first wicket application. Please consider putting this fix in ASAP. I believe others are interested in having this fix as well.
Regards,
Don Ngo
> Add a callback to the Session which is called when the HttpSession is invalidated
> ---------------------------------------------------------------------------------
>
> Key: WICKET-4444
> URL: https://issues.apache.org/jira/browse/WICKET-4444
> Project: Wicket
> Issue Type: Improvement
> Components: wicket
> Affects Versions: 6.0.0-beta1
> Reporter: Martin Grigorov
> Assignee: Martin Grigorov
> Attachments: WICKET-4444.patch
>
>
> Currently the only notification that a user session has gone is org.apache.wicket.Application#sessionUnbound(String) which gives only the http session id as context.
> With the proposed change it will be possible to have an explicit callback method in o.a.w.Session itself. It will be called after explicit usage of Session#invalidate(Now)() or http session expiration due to inactivity.
> See the proposed patch.
> One "problem" is that now the http session attribute that holds the instance of SessionBindingListener will keep a reference to the Wicket session, but I think this should not cause bigger memory footprint because the same Session instance is already kept in another attribute in the http session, so the serialization process will just link the second to the first.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (WICKET-4444) Add a callback to the Session
which is called when the HttpSession is invalidated
Posted by "Don Ngo (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-4444?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13260893#comment-13260893 ]
Don Ngo commented on WICKET-4444:
---------------------------------
Martin,
Looking at this issue again, I think it may not be exactly what I'm looking for, and that is a for the user login session to expired automatically after no user activity within the timeframe as specified in the session-timeout setting in web.xml. What I've noticed in my application is that user session never expired, and so even after walking away from the computer for days, the user can still access the application without being asked to signin again. This pose a serious security issue for me.
Granted that in my application, the users can always signout by clicking on the signout link (which basically calls Session#invalidate() to invalidate the session), that is available on top of every page, after sigining, but that is something that the users should have to do in my opinion.
For sometime, I thought I must have done something wrong in my code, that may have caused the user session to be invalidated automatically. But many days of searching on the internet and looking through all the examples and books that I have, I couldn't find clue as to what I may have done wrong.
I hope you can prove me wrong.
Regards,
Don Ngo
> Add a callback to the Session which is called when the HttpSession is invalidated
> ---------------------------------------------------------------------------------
>
> Key: WICKET-4444
> URL: https://issues.apache.org/jira/browse/WICKET-4444
> Project: Wicket
> Issue Type: Improvement
> Components: wicket
> Affects Versions: 6.0.0-beta1
> Reporter: Martin Grigorov
> Assignee: Martin Grigorov
> Attachments: WICKET-4444.patch
>
>
> Currently the only notification that a user session has gone is org.apache.wicket.Application#sessionUnbound(String) which gives only the http session id as context.
> With the proposed change it will be possible to have an explicit callback method in o.a.w.Session itself. It will be called after explicit usage of Session#invalidate(Now)() or http session expiration due to inactivity.
> See the proposed patch.
> One "problem" is that now the http session attribute that holds the instance of SessionBindingListener will keep a reference to the Wicket session, but I think this should not cause bigger memory footprint because the same Session instance is already kept in another attribute in the http session, so the serialization process will just link the second to the first.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (WICKET-4444) Add a callback to the Session
which is called when the HttpSession is invalidated
Posted by "Martin Grigorov (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-4444?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13260340#comment-13260340 ]
Martin Grigorov commented on WICKET-4444:
-----------------------------------------
Hi Don,
As you can see from my earlier comment I did a poll about this feature and there were no many interested people.
Why do you call it a "fix" ? It is actually a new feature.
What kind of problems do you experience at the moment ?
Please describe your use case in the users@ mailing list.
> Add a callback to the Session which is called when the HttpSession is invalidated
> ---------------------------------------------------------------------------------
>
> Key: WICKET-4444
> URL: https://issues.apache.org/jira/browse/WICKET-4444
> Project: Wicket
> Issue Type: Improvement
> Components: wicket
> Affects Versions: 6.0.0-beta1
> Reporter: Martin Grigorov
> Assignee: Martin Grigorov
> Attachments: WICKET-4444.patch
>
>
> Currently the only notification that a user session has gone is org.apache.wicket.Application#sessionUnbound(String) which gives only the http session id as context.
> With the proposed change it will be possible to have an explicit callback method in o.a.w.Session itself. It will be called after explicit usage of Session#invalidate(Now)() or http session expiration due to inactivity.
> See the proposed patch.
> One "problem" is that now the http session attribute that holds the instance of SessionBindingListener will keep a reference to the Wicket session, but I think this should not cause bigger memory footprint because the same Session instance is already kept in another attribute in the http session, so the serialization process will just link the second to the first.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Resolved] (WICKET-4444) Add a callback to the Session which
is called when the HttpSession is invalidated
Posted by "Martin Grigorov (Resolved) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-4444?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Martin Grigorov resolved WICKET-4444.
-------------------------------------
Resolution: Later
Fix Version/s: (was: 6.0.0)
It seems there is no much interest in this feature: http://markmail.org/thread/jtfrzkrw2g5khru7
Let's postpone it for later if needed.
> Add a callback to the Session which is called when the HttpSession is invalidated
> ---------------------------------------------------------------------------------
>
> Key: WICKET-4444
> URL: https://issues.apache.org/jira/browse/WICKET-4444
> Project: Wicket
> Issue Type: Improvement
> Components: wicket
> Affects Versions: 6.0.0
> Reporter: Martin Grigorov
> Assignee: Martin Grigorov
> Attachments: WICKET-4444.patch
>
>
> Currently the only notification that a user session has gone is org.apache.wicket.Application#sessionUnbound(String) which gives only the http session id as context.
> With the proposed change it will be possible to have an explicit callback method in o.a.w.Session itself. It will be called after explicit usage of Session#invalidate(Now)() or http session expiration due to inactivity.
> See the proposed patch.
> One "problem" is that now the http session attribute that holds the instance of SessionBindingListener will keep a reference to the Wicket session, but I think this should not cause bigger memory footprint because the same Session instance is already kept in another attribute in the http session, so the serialization process will just link the second to the first.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (WICKET-4444) Add a callback to the Session which
is called when the HttpSession is invalidated
Posted by "Martin Grigorov (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-4444?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Martin Grigorov updated WICKET-4444:
------------------------------------
Attachment: WICKET-4444.patch
> Add a callback to the Session which is called when the HttpSession is invalidated
> ---------------------------------------------------------------------------------
>
> Key: WICKET-4444
> URL: https://issues.apache.org/jira/browse/WICKET-4444
> Project: Wicket
> Issue Type: Improvement
> Components: wicket
> Affects Versions: 6.0.0
> Reporter: Martin Grigorov
> Assignee: Martin Grigorov
> Fix For: 6.0.0
>
> Attachments: WICKET-4444.patch
>
>
> Currently the only notification that a user session has gone is org.apache.wicket.Application#sessionUnbound(String) which gives only the http session id as context.
> With the proposed change it will be possible to have an explicit callback method in o.a.w.Session itself. It will be called after explicit usage of Session#invalidate(Now)() or http session expiration due to inactivity.
> See the proposed patch.
> One "problem" is that now the http session attribute that holds the instance of SessionBindingListener will keep a reference to the Wicket session, but I think this should not cause bigger memory footprint because the same Session instance is already kept in another attribute in the http session, so the serialization process will just link the second to the first.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira