You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@wicket.apache.org by "Andrea Del Bene (JIRA)" <ji...@apache.org> on 2019/07/18 14:02:00 UTC
[jira] [Closed] (WICKET-6685) Session#destroy (used in
replaceSession) deletes metadata
[ https://issues.apache.org/jira/browse/WICKET-6685?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andrea Del Bene closed WICKET-6685.
-----------------------------------
Resolution: Not A Bug
> Session#destroy (used in replaceSession) deletes metadata
> ---------------------------------------------------------
>
> Key: WICKET-6685
> URL: https://issues.apache.org/jira/browse/WICKET-6685
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 8.0.0
> Environment: Windows 8 / JDK 8
> Reporter: David Rain
> Assignee: Andrea Del Bene
> Priority: Major
>
> Tested on 8.5.0.
> The destroy method of Session has added some clean-up calls, e.q. metaData = null.
> The destroy method is also called by replaceSession method. That means, that replaceSession deletes metadata. But metadata are used in KeyInSessionSunJceCryptFactory to store the crypt key. So now in Wicket 8 calling replaceSession (quite common security practise) means that all links generated before get broken.
> I don't think this was the intention...
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)