Posted to users@wicket.apache.org by Tom Götz <to...@decoded.de> on 2018/04/23 19:53:39 UTC

Replace session after user login

Hi there,

one question concerning user login: what is the correct way of replacing the session after a successful user login? Calling org.apache.wicket.Session#replaceSession replaces the underlying web session. But what about the Wicket session itself? Will it also be replaced with a new instance?

I observed the following:
* user is already logged in with an active session
* user navigates to login page
* user logs in as a different user
* underlying http session is replaced (by calling replaceSession after login)
* but: Wicket session stays the same instance, i.e. new user uses existing Wicket session including its state (properties stored in custom Wicket session)

Am I missing something or doing something wrong?

Cheers,
   Tom



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org


Re: Replace session after user login

Posted by Tom Götz <to...@decoded.de>.
Thank you Sven for that clarification!

Cheers,
   Tom


> On 24.04.2018, at 09:06, Sven Meier <sv...@meiers.net> wrote:
> 
> Hi,
> 
> replaceSession's javadoc says "replaces the underlying session". That matches your observation.
> 
> You have to call invalidateNow(). Note that this doesn't prevent the session object from surviving, since it is still bound to the current thread. For that you have to call ThreadContext#setSession(null).
> 
> Have fun
> Sven
> 
> On 23 April 2018 at 21:53:39 CEST, "Tom Götz" <to...@decoded.de> wrote:
>> Hi there,
>> 
>> one question concerning user login: what is the correct way of
>> replacing the session after a successful user login? Calling
>> org.apache.wicket.Session#replaceSession replaces the underlying web
>> session. But what about the Wicket session itself? Will it also be
>> replaced with a new instance?
>> 
>> I observed the following:
>> * user is already logged in with an active session
>> * user navigates to login page
>> * user logs in as a different user
>> * underlying http session is replaced (by calling replaceSession after
>> login)
>> * but: Wicket session stays the same instance, i.e. new user uses
>> existing Wicket session including its state (properties stored in
>> custom Wicket session)
>> 
>> Am I missing something or doing something wrong?
>> 
>> Cheers,
>>  Tom



Re: Replace session after user login

Posted by Sven Meier <sv...@meiers.net>.
Hi,

replaceSession's javadoc says "replaces the underlying session". That matches your observation.

You have to call invalidateNow(). Note that this doesn't prevent the session object from surviving, since it is still bound to the current thread. For that you have to call ThreadContext#setSession(null).

Have fun
Sven

On 23 April 2018 at 21:53:39 CEST, "Tom Götz" <to...@decoded.de> wrote:
>Hi there,
>
>one question concerning user login: what is the correct way of
>replacing the session after a successful user login? Calling
>org.apache.wicket.Session#replaceSession replaces the underlying web
>session. But what about the Wicket session itself? Will it also be
>replaced with a new instance?
>
>I observed the following:
>* user is already logged in with an active session
>* user navigates to login page
>* user logs in as a different user
>* underlying http session is replaced (by calling replaceSession after
>login)
>* but: Wicket session stays the same instance, i.e. new user uses
>existing Wicket session including its state (properties stored in
>custom Wicket session)
>
>Am I missing something or doing something wrong?
>
>Cheers,
>   Tom
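
The sequence described in Sven's reply, written out as a login helper. This is an added example, not code from the thread or from Wicket itself: the class and method names are hypothetical, and it assumes the application's session class extends AuthenticatedWebSession from wicket-auth-roles and that the method runs on a request thread.

```java
import org.apache.wicket.Session;
import org.apache.wicket.ThreadContext;
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;

/** Hypothetical helper (not part of Wicket): log in on a brand-new session. */
public final class FreshSessionLogin
{
    private FreshSessionLogin()
    {
    }

    /**
     * Discards the current Wicket session, including any state a previous
     * user left in it, and signs the new user in on a fresh instance.
     * Intended to be called from the login form's onSubmit().
     */
    public static boolean signInOnFreshSession(String username, String password)
    {
        Session old = Session.get();

        // Invalidate the underlying HTTP session immediately rather than
        // at the end of the request.
        old.invalidateNow();

        // The old Session object is still bound to this thread. Unbind it
        // so the next Session.get() cannot hand it back.
        ThreadContext.setSession(null);

        // With no session on the thread and no valid HTTP session left,
        // Session.get() makes the application create a new Wicket session.
        Session fresh = Session.get();
        if (fresh == old)
        {
            throw new IllegalStateException("old Wicket session was reused after login");
        }

        // Assumption: the application's session extends AuthenticatedWebSession.
        boolean signedIn = ((AuthenticatedWebSession)fresh).signIn(username, password);
        if (signedIn)
        {
            // Persist the new session in a new HTTP session; harmless if
            // it is already bound.
            fresh.bind();
        }
        return signedIn;
    }
}
```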