You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@wicket.apache.org by "Andrea Del Bene (JIRA)" <ji...@apache.org> on 2019/07/18 14:02:00 UTC

[jira] [Closed] (WICKET-6685) Session#destroy (used in replaceSession) deletes metadata

     [ https://issues.apache.org/jira/browse/WICKET-6685?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrea Del Bene closed WICKET-6685.
-----------------------------------
    Resolution: Not A Bug

> Session#destroy (used in replaceSession) deletes metadata
> ---------------------------------------------------------
>
>                 Key: WICKET-6685
>                 URL: https://issues.apache.org/jira/browse/WICKET-6685
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 8.0.0
>         Environment: Windows 8 / JDK 8
>            Reporter: David Rain
>            Assignee: Andrea Del Bene
>            Priority: Major
>
> Tested on 8.5.0.
> The destroy method of Session has added some clean-up calls, e.q. metaData = null.
> The destroy method is also called by replaceSession method. That means, that replaceSession deletes metadata. But metadata are used in KeyInSessionSunJceCryptFactory to store the crypt key. So now in Wicket 8 calling replaceSession (quite common security practise) means that all links generated before get broken.
> I don't think this was the intention...



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)