Posted to users@wicket.apache.org by Dan Retzlaff <dr...@gmail.com> on 2013/06/12 06:10:01 UTC

Re: wicket-atmosphere issues

On Tue, Mar 26, 2013 at 4:31 AM, Emond Papegaaij <emond.papegaaij@topicus.nl> wrote:

> On Monday 25 March 2013 00:59:30 Leonid Bogdanov wrote:
> > 3) In my app Apache Shiro framework is integrated via a plugin adapted
> > from "fiftyfive-wicket-shiro" project. User credentials are checked in an
> > AJAX login form. In order to prevent a session fixation attack there is a
> > call to invalidate old and create new session right before credentials
> > check:
> >     getSession().replaceSession(); // inside AjaxFallbackButton.onSubmit()
> > After integration with Atmosphere this code no longer works, an exception
> > is thrown on login attempt:
> >
> <cut IllegalStateException in Session>
> I'm not sure what happens here. It seems Wicket tries to read an attribute
> from the invalidated session. Does this happen even without a suspended
> connection?
>

I encountered this same issue, and traced it back to the AtmosphereRequest
caching and returning the original session, even after it had been
invalidated and replaced. I reported it upstream.
https://github.com/Atmosphere/atmosphere/pull/1139

Dan
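
The failure mode discussed in this thread, as an added example that is not part of the original messages and is not the code from Atmosphere, Wicket or the linked pull request: a request wrapper that caches the session keeps handing out the pre-login session after it has been invalidated and replaced. All class names are hypothetical and the session model is a simplified stand-in for the servlet API.

```java
import java.util.UUID;
// Simplified model; every class name here is hypothetical, not Atmosphere or Wicket API.
public class StaleSessionDemo {
    static class Session {
        final String id = UUID.randomUUID().toString();
        private boolean valid = true;
        void invalidate() { valid = false; }
        Object getAttribute(String name) {
            if (!valid) throw new IllegalStateException("session already invalidated: " + id);
            return null;
        }
    }

    // Stands in for the container's request, which always knows the current session.
    static class ContainerRequest {
        private Session current = new Session();
        Session getSession() { return current; }
        // Session-fixation defence: invalidate the old session, issue a fresh id.
        void replaceSession() { current.invalidate(); current = new Session(); }
    }

    // Pattern described in the post: the wrapper keeps the first session it saw.
    static class CachingWrapper {
        private final ContainerRequest delegate;
        private Session cached;
        CachingWrapper(ContainerRequest delegate) { this.delegate = delegate; }
        Session getSession() {
            if (cached == null) cached = delegate.getSession();
            return cached;
        }
    }

    // One way to avoid the stale reference (assumption): ask the underlying request on every call.
    static class DelegatingWrapper {
        private final ContainerRequest delegate;
        DelegatingWrapper(ContainerRequest delegate) { this.delegate = delegate; }
        Session getSession() { return delegate.getSession(); }
    }
    public static void main(String[] args) {
        ContainerRequest request = new ContainerRequest();
        CachingWrapper caching = new CachingWrapper(request);
        DelegatingWrapper delegating = new DelegatingWrapper(request);
        String preLoginId = caching.getSession().id; // primes the cache before login
        request.replaceSession();                    // what the login handler does
        System.out.println("id rotated: " + !preLoginId.equals(delegating.getSession().id));
        delegating.getSession().getAttribute("user"); // fine: reads the new session
        try { caching.getSession().getAttribute("user"); }
        catch (IllegalStateException e) { System.out.println("caching wrapper: " + e.getMessage()); }
    }
}
```

A regression test for a session-rotating login can apply the same check: after the rotation, every wrapper in the request chain should return a session whose id differs from the pre-login id.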