You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@struts.apache.org by "Patrick Cavanaugh (JIRA)" <ji...@apache.org> on 2012/10/11 23:01:03 UTC

[jira] [Created] (WW-3895) Synchronization on HttpSession object

Patrick Cavanaugh created WW-3895:
-------------------------------------

             Summary: Synchronization on HttpSession object
                 Key: WW-3895
                 URL: https://issues.apache.org/jira/browse/WW-3895
             Project: Struts 2
          Issue Type: Bug
    Affects Versions: 2.3.4.1
            Reporter: Patrick Cavanaugh


I noticed that in the fix for WW-3865 (and in current 2.3.4.1 code), synchronization is made based on the HttpSession object.

According to http://yet-another-dev.blogspot.com/2009/08/synchronizing-httpsession.html and http://stackoverflow.com/a/616723/631628 , HttpSession isn't guaranteed by the specification to be the same object each time getSession() is called and so the synchronization might not work correctly. That post suggests synchronizing on the interned session ID instead. There are might be other places in the codebase this would have to be changed too, and not just in the TokenSessionInterceptor discussed in WW-3865.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Updated] (WW-3895) Synchronization on HttpSession object

Posted by "Lukasz Lenart (JIRA)" <ji...@apache.org>.

     [ https://issues.apache.org/jira/browse/WW-3895?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lukasz Lenart updated WW-3895:
------------------------------

    Fix Version/s: 2.3.6
    
> Synchronization on HttpSession object
> -------------------------------------
>
>                 Key: WW-3895
>                 URL: https://issues.apache.org/jira/browse/WW-3895
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.3.4.1
>            Reporter: Patrick Cavanaugh
>             Fix For: 2.3.6
>
>
> I noticed that in the fix for WW-3865 (and in current 2.3.4.1 code), synchronization is made based on the HttpSession object.
> According to http://yet-another-dev.blogspot.com/2009/08/synchronizing-httpsession.html and http://stackoverflow.com/a/616723/631628 , HttpSession isn't guaranteed by the specification to be the same object each time getSession() is called and so the synchronization might not work correctly. That post suggests synchronizing on the interned session ID instead. There are might be other places in the codebase this would have to be changed too, and not just in the TokenSessionInterceptor discussed in WW-3865.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira