You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@wicket.apache.org by "David Rain (JIRA)" <ji...@apache.org> on 2019/07/09 05:45:00 UTC

[jira] [Created] (WICKET-6685) Session#destroy (used in replaceSession) deletes metadata

David Rain created WICKET-6685:
----------------------------------

             Summary: Session#destroy (used in replaceSession) deletes metadata
                 Key: WICKET-6685
                 URL: https://issues.apache.org/jira/browse/WICKET-6685
             Project: Wicket
          Issue Type: Bug
          Components: wicket
    Affects Versions: 8.0.0
         Environment: Windows 8 / JDK 8
            Reporter: David Rain


Testerd on 8.0.5.

The destroy method od Session has added some clean-up calls, e.q. metaData = null.

The destroy method is also called by replaceSession method. That means, that replaceSession deletes metadata. But metadata are used in KeyInSessionSunJceCryptFactory to store the crypt key. So now in Wicket 8 calling replaceSession (quite common security practise) means that all links generated before get broken.

I don't think this was the intention...



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)