Posted to dev@wicket.apache.org by Maxim Solodovnik <so...@gmail.com> on 2017/12/24 08:59:51 UTC

Session.replaceSession() drops pageId

Hello All,

I'm currently investigating weird behavior in our application:
WebSocket.onClose message is not being received.

What I found is: 2 pages are being created with same pageId

I'm using the replaceSession() method to prevent session fixation.
During session replacement process, pageId is being set to 0 ....

Would it be OK if I create a PR to preserve pageId inside the replaceSession
method?
Or maybe there is a better option?

-- 
WBR
Maxim aka solomax

Re: Session.replaceSession() drops pageId

Posted by Maxim Solodovnik <so...@gmail.com>.
https://github.com/apache/wicket/pull/252

On Sun, Dec 24, 2017 at 8:35 PM, Maxim Solodovnik <so...@gmail.com>
wrote:

> Thanks for the reply Martin :)
>
> I guess these 2 lines should be enough:
> id = null;
> sessionInvalidated = false;
> dirty = false;
> Since this method is being used to renew session id only ....
> Or should some other fields be cleaned up?
>
> On Sun, Dec 24, 2017 at 8:00 PM, Martin Grigorov <mg...@apache.org>
> wrote:
>
>> Hi Maxim,
>>
>> What about Session#sequence ? And even Session#style and
>> #feedbackMessages.
>> I do not see a problem to keep those too.
>>
>> Maybe instead of calling #destroy() replaceSession() should reset the
>> security related ones only ?
>>
>> Martin Grigorov
>> Wicket Training and Consulting
>> https://twitter.com/mtgrigorov
>>
>> On Sun, Dec 24, 2017 at 10:59 AM, Maxim Solodovnik <so...@gmail.com>
>> wrote:
>>
>> > Hello All,
>> >
>> > I'm currently investigating weird behavior in our application:
>> > WebSocket.onClose message is not being received.
>> >
>> > What I found is: 2 pages are being created with same pageId
>> >
>> > I'm using the replaceSession() method to prevent session fixation.
>> > During session replacement process, pageId is being set to 0 ....
>> >
>> > Would it be OK if I create a PR to preserve pageId inside the
>> > replaceSession method?
>> > Or maybe there is a better option?
>> >
>> > --
>> > WBR
>> > Maxim aka solomax
>> >
>>
>
>
>
> --
> WBR
> Maxim aka solomax
>



-- 
WBR
Maxim aka solomax

Re: Session.replaceSession() drops pageId

Posted by Maxim Solodovnik <so...@gmail.com>.
Thanks for the reply Martin :)

I guess these 2 lines should be enough:
id = null;
sessionInvalidated = false;
dirty = false;
Since this method is being used to renew session id only ....
Or should some other fields be cleaned up?

On Sun, Dec 24, 2017 at 8:00 PM, Martin Grigorov <mg...@apache.org>
wrote:

> Hi Maxim,
>
> What about Session#sequence ? And even Session#style and #feedbackMessages.
> I do not see a problem to keep those too.
>
> Maybe instead of calling #destroy() replaceSession() should reset the
> security related ones only ?
>
> Martin Grigorov
> Wicket Training and Consulting
> https://twitter.com/mtgrigorov
>
> On Sun, Dec 24, 2017 at 10:59 AM, Maxim Solodovnik <so...@gmail.com>
> wrote:
>
> > Hello All,
> >
> > I'm currently investigating weird behavior in our application:
> > WebSocket.onClose message is not being received.
> >
> > What I found is: 2 pages are being created with same pageId
> >
> > I'm using the replaceSession() method to prevent session fixation.
> > During session replacement process, pageId is being set to 0 ....
> >
> > Would it be OK if I create a PR to preserve pageId inside the replaceSession
> > method?
> > Or maybe there is a better option?
> >
> > --
> > WBR
> > Maxim aka solomax
> >
>



-- 
WBR
Maxim aka solomax

Re: Session.replaceSession() drops pageId

Posted by Martin Grigorov <mg...@apache.org>.
Hi Maxim,

What about Session#sequence ? And even Session#style and #feedbackMessages.
I do not see a problem to keep those too.

Maybe instead of calling #destroy() replaceSession() should reset the
security related ones only ?

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Sun, Dec 24, 2017 at 10:59 AM, Maxim Solodovnik <so...@gmail.com>
wrote:

> Hello All,
>
> I'm currently investigating weird behavior in our application:
> WebSocket.onClose message is not being received.
>
> What I found is: 2 pages are being created with same pageId
>
> I'm using the replaceSession() method to prevent session fixation.
> During session replacement process, pageId is being set to 0 ....
>
> Would it be OK if I create a PR to preserve pageId inside the replaceSession
> method?
> Or maybe there is a better option?
>
> --
> WBR
> Maxim aka solomax
>
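
A minimal model of the behaviour discussed in this thread, added here as an illustration and not taken from Wicket or from the pull request. ModelSession and its methods are hypothetical; only the field names id, sessionInvalidated, dirty, pageId and sequence come from the messages above.

```java
import java.util.UUID;

// Simplified model, NOT Wicket's Session class. Field names follow the thread;
// ModelSession, bind, nextPageId and both replace methods are hypothetical.
public class ReplaceSessionDemo {
    static class ModelSession {
        String id;                   // session identifier, the value a fixation attack pins
        boolean sessionInvalidated;
        boolean dirty;
        int pageId;                  // counter used to number newly created pages
        int sequence;

        void bind() { id = UUID.randomUUID().toString(); }
        int nextPageId() { dirty = true; return pageId++; }

        // Behaviour reported in the thread: a full teardown restarts the counters at 0.
        void replaceByDestroy() {
            id = null; sessionInvalidated = false; dirty = false;
            pageId = 0; sequence = 0;
            bind();
        }

        // Direction suggested in the thread: reset only the id-related state.
        void replaceKeepingCounters() {
            id = null; sessionInvalidated = false; dirty = false;
            bind();
        }
    }

    // Creates a page, rotates the session id, creates another page, reports the outcome.
    static String run(String label, boolean keepCounters) {
        ModelSession s = new ModelSession();
        s.bind();
        String oldId = s.id;
        int before = s.nextPageId();             // page created before login
        if (keepCounters) s.replaceKeepingCounters(); else s.replaceByDestroy();
        int after = s.nextPageId();              // page created after login
        return label + ": id rotated=" + !oldId.equals(s.id)
                + ", duplicate pageId=" + (before == after);
    }

    public static void main(String[] args) {
        System.out.println(run("destroy-based replace", false));
        System.out.println(run("selective reset", true));
    }
}
```

Both variants rotate the session identifier, which is what the fixation defence needs; only the destroy-based one hands out the same pageId twice.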