Posted to users@wicket.apache.org by rima77 <ri...@hotmail.com> on 2009/02/10 22:52:00 UTC
Re: Invoulentary session sharing/leakage in Wicket 1.3.x
Was this problem solved in Wicket 1.3.4?
Is there a JIRA issue associated with this problem?
Martin Makundi wrote:
>
> Ok. I meant the WicketServlet fix. Haven't seen the wicketFilter fix.
>
> Martin
>
> 2008/5/17 Johan Compagner <jc...@gmail.com>:
>> It is not a workaround!
>> The wicketfilter fix is a real fix for that situation. There is no
>> root cause or real cause that I need to fix, at least not that I know
>> of
>>
>> On 5/17/08, Martin Makundi <ma...@koodaripalvelut.com> wrote:
>>> The workaround definitely catches some erroneous situations.
>>> Nevertheless, it is a workaround (does not solve the root problem).
>>>
>>> 2008/5/17 Martijn Dashorst <ma...@gmail.com>:
>>>> I see a lot of folks recommending this, but nobody confirming this
>>>> actually helps.
>>>>
>>>> Martijn
>>>>
>>>> On 5/17/08, Iman Rahmatizadeh <im...@gmail.com> wrote:
>>>>> Or just copy WicketFilter into your source, and fix it there, it'll
>>>>> override the default. It's a quick fix until the release comes out.
>>>>>
>>>>> Iman
>>>>>
>>>>> On Fri, May 16, 2008 at 10:25 AM, Johan Compagner <jc...@gmail.com> wrote:
>>>>>
>>>>> > Or get the snapshot build from or wicketstuff maven repo
>>>>> >
>>>>> > On 5/16/08, Erik van Oosten <e....@grons.nl> wrote:
>>>>> > > Chris,
>>>>> > >
>>>>> > > If you read the thread carefully you can extract a quick fix. You'll need
>>>>> > > it as the core developers argued against a quick bugfix release.
>>>>> > > Just check out Wicket from SVN and apply the patch (2 lines in the Wicket
>>>>> > > filter). It's a pain, but if you cannot wait...
>>>>> > >
>>>>> > > Regards,
>>>>> > > Erik.
>>>>> > >
>>>>> > >
>>>>> > > Chris Lintz wrote:
>>>>> > >> Guys, has this been resolved? We have been having some customers complain
>>>>> > >> as well (some sending screen shots of other people's data as proof).
>>>>> > >> Because our users' click streams are available publicly at their control, we had
>>>>> > >> thought jsessionids occurring in the click stream were being maliciously
>>>>> > >> hijacked. We plugged that hole by disallowing any jsessionid to be part of the
>>>>> > >> URL (via Servlet filter) - yes, this of course means JavaScript must be
>>>>> > >> enabled.
>>>>> > >> This involuntary session sharing is still occurring. We are running
>>>>> > >> release 1.3.2.
>>>>> > >>
>>>>> > >>
>>>>> > >>
>>>>> > > --
>>>>> > > Erik van Oosten
>>>>> > > http://day-to-day-stuff.blogspot.com/
>>>>> > >
>>>>> > >
>>>>> > >
>>>>> > >
>>>>> ---------------------------------------------------------------------
>>>>> > > To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
>>>>> > > For additional commands, e-mail: users-help@wicket.apache.org
>>>>> > >
>>>>> > >
>>>>> >
>>>>>
>>>>
>>>>
>>>> --
>>>> Buy Wicket in Action: http://manning.com/dashorst
>>>> Apache Wicket 1.3.3 is released
>>>> Get it now: http://www.apache.org/dyn/closer.cgi/wicket/1.3.3
>>>
>>
>
--
View this message in context: http://www.nabble.com/Invoulentary-session-sharing-leakage-in-Wicket-1.3.x-tp16550360p21943432.html
Sent from the Wicket - User mailing list archive at Nabble.com.