You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@struts.apache.org by "Lukasz Lenart (JIRA)" <ji...@apache.org> on 2014/08/13 20:54:14 UTC
[jira] [Comment Edited] (WW-3895) Synchronization on HttpSession
object
[ https://issues.apache.org/jira/browse/WW-3895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14095926#comment-14095926 ]
Lukasz Lenart edited comment on WW-3895 at 8/13/14 6:52 PM:
------------------------------------------------------------
Looks like {{final Object lock = request.getSession().getId().intern();}} is safe
http://www.codeinstructions.com/2009/01/busting-javalangstringintern-myths.html
was (Author: lukaszlenart):
Looks like {{final Object lock = request.getSession().getId().intern(); }} is safe
http://www.codeinstructions.com/2009/01/busting-javalangstringintern-myths.html
> Synchronization on HttpSession object
> -------------------------------------
>
> Key: WW-3895
> URL: https://issues.apache.org/jira/browse/WW-3895
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 2.3.4.1
> Reporter: Patrick Cavanaugh
> Fix For: 2.3.18
>
>
> I noticed that in the fix for WW-3865 (and in current 2.3.4.1 code), synchronization is made based on the HttpSession object.
> According to http://yet-another-dev.blogspot.com/2009/08/synchronizing-httpsession.html and http://stackoverflow.com/a/616723/631628 , HttpSession isn't guaranteed by the specification to be the same object each time getSession() is called and so the synchronization might not work correctly. That post suggests synchronizing on the interned session ID instead. There are might be other places in the codebase this would have to be changed too, and not just in the TokenSessionInterceptor discussed in WW-3865.
--
This message was sent by Atlassian JIRA
(v6.2#6252)