Posted to commits@tapestry.apache.org by "Christophe Cordenier (JIRA)" <ji...@apache.org> on 2010/07/19 13:58:49 UTC

[jira] Commented: (TAP5-1176) async form submission creates a new session every time when cookies are disabled

    [ https://issues.apache.org/jira/browse/TAP5-1176?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12889832#action_12889832 ] 

Christophe Cordenier commented on TAP5-1176:
--------------------------------------------

Hi

Actually, all the URLs created by Tapestry are passed into the 'encodeURL' method of HttpResponse before being rendered, so disabling cookies should not affect the execution of pages.

Have you a small project that demonstrates this?

Anyway, for security concerns, using secured cookies is still the best way to preserve the user session id.

> async form submission creates a new session every time when cookies are disabled
> --------------------------------------------------------------------------------
>
>                 Key: TAP5-1176
>                 URL: https://issues.apache.org/jira/browse/TAP5-1176
>             Project: Tapestry 5
>          Issue Type: Bug
>    Affects Versions: 5.1
>         Environment: windows, tomcat 6
>            Reporter: Paul Stanton
>
> If cookies are disabled on a server, Tapestry fails to continue an existing session when a form is submitted via ajax. A new session is created every time the form is submitted.
> The following example works fine (session id does not change) when cookies are enabled for the webapp container, but does not work (new session id every submit) when cookies are disabled.
> public class Start
> {
>    private final static Logger LOG = Logger.getLogger(Start.class);
>    @Inject
>    private ComponentResources resources;
>    @Inject
>    @Property
>    private HttpServletRequest httpRequest;
>    Object onSuccessFromMyForm()
>    {
>        LOG.debug(httpRequest.getSession().getId());
>        return new MultiZoneUpdate("myZone", resources.getEmbeddedComponent("myZone"));
>    }
> }
>
> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
> <html xmlns:t="http://tapestry.apache.org/schema/tapestry_5_1_0.xsd" xmlns:p="tapestry:parameter">
>    <head>
>    </head>
>    <body>
>    <t:form t:id="myForm" t:zone="myZone">
>        <input type="submit" />
>    </t:form>
>    <t:zone t:id="myZone">
>        ${httpRequest.session.id}
>    </t:zone>
>    </body>
> </html> 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
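
One way to check the comment's claim on a rendered page, as an added example that is not part of the original message or of Tapestry: with cookies disabled, every same-application URL should carry the `;jsessionid=` path parameter that Tomcat's `encodeURL` appends, so this script lists the URLs that do not. The host name `app.example`, the function names and the sample markup are assumptions constructed for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = {"href", "action", "src"}  # attributes a browser requests or submits to

# Constructed sample markup (not Tapestry output): one encoded link, one form
# action without the session id, and one link to another host.
SAMPLE = """<html><body>
<a href="/app/start;jsessionid=CONSTRUCTED123">home</a>
<form action="/app/start.myform" method="post"><input type="submit"/></form>
<a href="http://example.org/">elsewhere</a>
</body></html>"""

class UrlCollector(HTMLParser):
    """Collect (tag, attribute, url) for every URL-bearing attribute."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.urls.append((tag, name, value))

def session_id_in(url):
    """Return the ;jsessionid= path parameter of url, or None if absent."""
    for param in urlsplit(url).path.split(";")[1:]:
        key, _, value = param.partition("=")
        if key.lower() == "jsessionid" and value:
            return value.split("/")[0]
    return None

def unencoded_urls(html, host):
    """List same-application URLs that lack the session path parameter."""
    collector = UrlCollector()
    collector.feed(html)
    missing = []
    for tag, attr, url in collector.urls:
        parts = urlsplit(url)
        if parts.scheme in ("mailto", "javascript", "data"):
            continue  # not an HTTP request to the application
        if parts.netloc and parts.netloc != host:
            continue  # another host: assumed not to need the session id
        if not parts.netloc and not parts.path:
            continue  # pure fragment or empty reference
        if session_id_in(url) is None:
            missing.append((tag, attr, url))
    return missing

if __name__ == "__main__":
    for tag, attr, url in unencoded_urls(SAMPLE, "app.example"):
        print(f"<{tag} {attr}> has no session id: {url}")
```

Any URL it reports would start a new session on each request when the browser sends no cookie, which is the symptom described in the issue.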