Posted to users@wicket.apache.org by Erki <er...@gmail.com> on 2014/08/28 08:27:42 UTC

Clearing pagestore

Hello!

I have functionality that allows users to change their own role in the
system. After changing their role I want to clear the pagestore, so users
cannot access unauthorized pages with their back button. How should I do
that?

Re: Clearing pagestore

Posted by Martin Grigorov <mg...@apache.org>.
BTW Session#clear() seems to be no-op (broken) too in 6.x

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov


On Thu, Aug 28, 2014 at 2:20 PM, Martin Grigorov <mg...@apache.org>
wrote:

> https://git-wip-us.apache.org/repos/asf?p=wicket.git;a=commit;h=b8382271
>
> @Sven: does it look OK ?
>
> Martin Grigorov
>  Wicket Training and Consulting
> https://twitter.com/mtgrigorov
>
>
> On Thu, Aug 28, 2014 at 12:15 PM, Jack Berg <er...@gmail.com> wrote:
>
>> I actually did try replaceSession before but now I see that the reason it
>> did
>> not work was that I used it inside an ajax request. After doing a redirect
>> with pageparameters instead, it worked.
>>
>> --
>> View this message in context:
>> http://apache-wicket.1842946.n4.nabble.com/Clearing-pagestore-tp4667193p4667204.html
>> Sent from the Users forum mailing list archive at Nabble.com.
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
>> For additional commands, e-mail: users-help@wicket.apache.org
>>
>>
>

Re: Clearing pagestore

Posted by Martin Grigorov <mg...@apache.org>.
https://git-wip-us.apache.org/repos/asf?p=wicket.git;a=commit;h=b8382271

@Sven: does it look OK ?

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov


On Thu, Aug 28, 2014 at 12:15 PM, Jack Berg <er...@gmail.com> wrote:

> I actually did try replaceSession before but now I see that the reason it
> did
> not work was that I used it inside an ajax request. After doing a redirect
> with pageparameters instead, it worked.

Re: Clearing pagestore

Posted by Jack Berg <er...@gmail.com>.
I actually did try replaceSession before but now I see that the reason it did
not work was that I used it inside an ajax request. After doing a redirect
with pageparameters instead, it worked.



Re: Clearing pagestore

Posted by Martin Grigorov <mg...@apache.org>.
Sounds good! (Wicket 7 only)

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov


On Thu, Aug 28, 2014 at 12:06 PM, Sven Meier <sv...@meiers.net> wrote:

> Hi,
>
>
> > org.apache.wicket.Application#sessionUnbound() should not call
> > IPageManager#sessionExpired(String).
>
> agreed.
>
>
> > But if the application needs to clear the data manually for any reason
> > then it is OK, i.e. PageStoreManager#sessionExpired(String) will call
> > pageStore.unbind(sessionId).
>
> 1) The name #sessionExpired is misleading, in the case "clear the data
> manually for any reason" the session does not expire actually
> 2) There's no way for the application to get the correct sessionId *if*
> the session id was changed due to session fixation prevention.
>
> I'd prefer a new method IPageStoreManager#clear() which pulls the correct
> SessionEntry from the session context and then unbinds the correct
> sessionId in the pageStore.
>
> Regards
> Sven
>
>
>
> On 08/28/2014 10:35 AM, Martin Grigorov wrote:
>
>> But in this case it will try to delete the data in the page store for
>> non-existing session id, right ?
>> So it is just a no-op.
>>
>> getSession().getPageManager().sessionExpired(sessionId)  is useful for
>> the
>> use case described by Erki.
>>
>> If PageStoreManager#sessionExpired(String) should be no-op then I don't
>> see
>> a reason why IPageManager#sessionExpired(String) should even exist.
>>
>> Here is my preferred solution:
>> org.apache.wicket.Application#sessionUnbound() should not call
>> IPageManager#sessionExpired(String).
>> SessionEntry as a HttpSessionBindingListener will care to clean on session
>> expiration. But if the application needs to clear the data manually for
>> any
>> reason then it is OK, i.e. PageStoreManager#sessionExpired(String) will
>> call pageStore.unbind(sessionId).
>>
>> WDYT ?
>>
>> Martin Grigorov
>> Wicket Training and Consulting
>> https://twitter.com/mtgrigorov
>>
>>
>> On Thu, Aug 28, 2014 at 11:11 AM, Sven Meier <sv...@meiers.net> wrote:
>>
>>> Hi,
>>>
>>>> is it OK to revert the change in
>>>> org.apache.wicket.page.PageStoreManager#sessionExpired(String) ?
>>>> This way Wicket will attempt to clear the pages twice for the same
>>>> sessionId but in case of Session
>>>> Fixation Protection it may actually clear both the pages of the old and
>>>> new sessions.
>>>
>>> it's not OK to revert it:
>>> The sessionId passed to this method may not be the original one when the
>>> session was created. The pageStoreManager uses the original sessionId
>>> only,
>>> so I don't think any other id should be passed to the pageStore.
>>>
>>> Regards
>>> Sven
>>>
>>>
>>>
>>> On 08/28/2014 08:47 AM, Martin Grigorov wrote:
>>>
>>>  Hi,
>>>>
>>>> Using org.apache.wicket.Session#replaceSession() will do it. But it
>>>> will
>>>> replace the whole http session so this could be too much.
>>>>
>>>> To clear just the page store you need to do some more work:
>>>> extend org.apache.wicket.DefaultPageManagerProvider and
>>>> override org.apache.wicket.DefaultPageManagerProvider#
>>>> newPageStore(IDataStore)
>>>> just to keep a reference to the created IPageStore and later to use its
>>>> org.apache.wicket.pageStore.IPageStore#unbind(String sessionId)
>>>>
>>>> Before https://issues.apache.org/jira/browse/WICKET-5164 it was much
>>>> easier: getSession().getPageManager().sessionExpired(sessionId)
>>>> But unfortunately this method is no-op at the moment.
>>>>
>>>> @Sven: is it OK to revert the change
>>>> in org.apache.wicket.page.PageStoreManager#sessionExpired(String) ?
>>>> This way Wicket will attempt to clear the pages twice for the same
>>>> sessionId but in case of Session Fixation Protection it may actually
>>>> clear
>>>> both the pages of the old and new sessions.
>>>>
>>>> Martin Grigorov
>>>> Wicket Training and Consulting
>>>> https://twitter.com/mtgrigorov
>>>>
>>>>
>>>> On Thu, Aug 28, 2014 at 9:27 AM, Erki <er...@gmail.com> wrote:
>>>>
>>>>> Hello!
>>>>>
>>>>> I have functionality that allows users to change their own role in the
>>>>> system. After changing their role I want to clear the pagestore, so
>>>>> users
>>>>> cannot access unauthorized pages with their back button. How should I
>>>>> do
>>>>> that?
>>>>>
>>>>>

Re: Clearing pagestore

Posted by Sven Meier <sv...@meiers.net>.
Hi,

> org.apache.wicket.Application#sessionUnbound() should not call
> IPageManager#sessionExpired(String).

agreed.

> But if the application needs to clear the data manually for any reason
> then it is OK, i.e. PageStoreManager#sessionExpired(String) will call
> pageStore.unbind(sessionId).

1) The name #sessionExpired is misleading, in the case "clear the data 
manually for any reason" the session does not expire actually
2) There's no way for the application to get the correct sessionId *if* 
the session id was changed due to session fixation prevention.

I'd prefer a new method IPageStoreManager#clear() which pulls the 
correct SessionEntry from the session context and then unbinds the 
correct sessionId in the pageStore.

Regards
Sven


On 08/28/2014 10:35 AM, Martin Grigorov wrote:
> But in this case it will try to delete the data in the page store for
> non-existing session id, right ?
> So it is just a no-op.
>
> getSession().getPageManager().sessionExpired(sessionId)  is useful for the
> use case described by Erki.
>
> If PageStoreManager#sessionExpired(String) should be no-op then I don't see
> a reason why IPageManager#sessionExpired(String) should even exist.
>
> Here is my preferred solution:
> org.apache.wicket.Application#sessionUnbound() should not call
> IPageManager#sessionExpired(String).
> SessionEntry as a HttpSessionBindingListener will care to clean on session
> expiration. But if the application needs to clear the data manually for any
> reason then it is OK, i.e. PageStoreManager#sessionExpired(String) will
> call pageStore.unbind(sessionId).
>
> WDYT ?
>
> Martin Grigorov
> Wicket Training and Consulting
> https://twitter.com/mtgrigorov
>
>
> On Thu, Aug 28, 2014 at 11:11 AM, Sven Meier <sv...@meiers.net> wrote:
>
>> Hi,
>>
>>> is it OK to revert the change in org.apache.wicket.page.PageStoreManager#sessionExpired(String) ?
>>> This way Wicket will attempt to clear the pages twice for the same
>>> sessionId but in case of Session
>>> Fixation Protection it may actually clear both the pages of the old and
>>> new sessions.
>>
>> it's not OK to revert it:
>> The sessionId passed to this method may not be the original one when the
>> session was created. The pageStoreManager uses the original sessionId only,
>> so I don't think any other id should be passed to the pageStore.
>>
>> Regards
>> Sven
>>
>>
>>
>> On 08/28/2014 08:47 AM, Martin Grigorov wrote:
>>
>>> Hi,
>>>
>>> Using org.apache.wicket.Session#replaceSession() will do it. But it will
>>> replace the whole http session so this could be too much.
>>>
>>> To clear just the page store you need to do some more work:
>>> extend org.apache.wicket.DefaultPageManagerProvider and
>>> override org.apache.wicket.DefaultPageManagerProvider#
>>> newPageStore(IDataStore)
>>> just to keep a reference to the created IPageStore and later to use its
>>> org.apache.wicket.pageStore.IPageStore#unbind(String sessionId)
>>>
>>> Before https://issues.apache.org/jira/browse/WICKET-5164 it was much
>>> easier: getSession().getPageManager().sessionExpired(sessionId)
>>> But unfortunately this method is no-op at the moment.
>>>
>>> @Sven: is it OK to revert the change
>>> in org.apache.wicket.page.PageStoreManager#sessionExpired(String) ?
>>> This way Wicket will attempt to clear the pages twice for the same
>>> sessionId but in case of Session Fixation Protection it may actually clear
>>> both the pages of the old and new sessions.
>>>
>>> Martin Grigorov
>>> Wicket Training and Consulting
>>> https://twitter.com/mtgrigorov
>>>
>>>
>>> On Thu, Aug 28, 2014 at 9:27 AM, Erki <er...@gmail.com> wrote:
>>>
>>>> Hello!
>>>> I have functionality that allows users to change their own role in the
>>>> system. After changing their role I want to clear the pagestore, so users
>>>> cannot access unauthorized pages with their back button. How should I do
>>>> that?
>>>>
>>>>


Re: Clearing pagestore

Posted by Martin Grigorov <mg...@apache.org>.
But in this case it will try to delete the data in the page store for
non-existing session id, right ?
So it is just a no-op.

getSession().getPageManager().sessionExpired(sessionId)  is useful for the
use case described by Erki.

If PageStoreManager#sessionExpired(String) should be no-op then I don't see
a reason why IPageManager#sessionExpired(String) should even exist.

Here is my preferred solution:
org.apache.wicket.Application#sessionUnbound() should not call
IPageManager#sessionExpired(String).
SessionEntry as a HttpSessionBindingListener will care to clean on session
expiration. But if the application needs to clear the data manually for any
reason then it is OK, i.e. PageStoreManager#sessionExpired(String) will
call pageStore.unbind(sessionId).

WDYT ?

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov


On Thu, Aug 28, 2014 at 11:11 AM, Sven Meier <sv...@meiers.net> wrote:

> Hi,
>
>> is it OK to revert the change in org.apache.wicket.page.PageStoreManager#sessionExpired(String) ?
>> This way Wicket will attempt to clear the pages twice for the same
>> sessionId but in case of Session
>> Fixation Protection it may actually clear both the pages of the old and
>> new sessions.
>
> it's not OK to revert it:
> The sessionId passed to this method may not be the original one when the
> session was created. The pageStoreManager uses the original sessionId only,
> so I don't think any other id should be passed to the pageStore.
>
> Regards
> Sven
>
>
>
> On 08/28/2014 08:47 AM, Martin Grigorov wrote:
>
>> Hi,
>>
>> Using org.apache.wicket.Session#replaceSession() will do it. But it will
>> replace the whole http session so this could be too much.
>>
>> To clear just the page store you need to do some more work:
>> extend org.apache.wicket.DefaultPageManagerProvider and
>> override org.apache.wicket.DefaultPageManagerProvider#
>> newPageStore(IDataStore)
>> just to keep a reference to the created IPageStore and later to use its
>> org.apache.wicket.pageStore.IPageStore#unbind(String sessionId)
>>
>> Before https://issues.apache.org/jira/browse/WICKET-5164 it was much
>> easier: getSession().getPageManager().sessionExpired(sessionId)
>> But unfortunately this method is no-op at the moment.
>>
>> @Sven: is it OK to revert the change
>> in org.apache.wicket.page.PageStoreManager#sessionExpired(String) ?
>> This way Wicket will attempt to clear the pages twice for the same
>> sessionId but in case of Session Fixation Protection it may actually clear
>> both the pages of the old and new sessions.
>>
>> Martin Grigorov
>> Wicket Training and Consulting
>> https://twitter.com/mtgrigorov
>>
>>
>> On Thu, Aug 28, 2014 at 9:27 AM, Erki <er...@gmail.com> wrote:
>>
>>> Hello!
>>>
>>> I have functionality that allows users to change their own role in the
>>> system. After changing their role I want to clear the pagestore, so users
>>> cannot access unauthorized pages with their back button. How should I do
>>> that?
>>>
>>>
>

Re: Clearing pagestore

Posted by Sven Meier <sv...@meiers.net>.
Hi,

>is it OK to revert the change in org.apache.wicket.page.PageStoreManager#sessionExpired(String) ?
>This way Wicket will attempt to clear the pages twice for the same sessionId but in case of Session
>Fixation Protection it may actually clear both the pages of the old and new sessions.

it's not OK to revert it:
The sessionId passed to this method may not be the original one when the session was created. The pageStoreManager uses the original sessionId only, so I don't think any other id should be passed to the pageStore.

Regards
Sven


On 08/28/2014 08:47 AM, Martin Grigorov wrote:
> Hi,
>
> Using org.apache.wicket.Session#replaceSession() will do it. But it will
> replace the whole http session so this could be too much.
>
> To clear just the page store you need to do some more work:
> extend org.apache.wicket.DefaultPageManagerProvider and
> override org.apache.wicket.DefaultPageManagerProvider#newPageStore(IDataStore)
> just to keep a reference to the created IPageStore and later to use its
> org.apache.wicket.pageStore.IPageStore#unbind(String sessionId)
>
> Before https://issues.apache.org/jira/browse/WICKET-5164 it was much
> easier: getSession().getPageManager().sessionExpired(sessionId)
> But unfortunately this method is no-op at the moment.
>
> @Sven: is it OK to revert the change
> in org.apache.wicket.page.PageStoreManager#sessionExpired(String) ?
> This way Wicket will attempt to clear the pages twice for the same
> sessionId but in case of Session Fixation Protection it may actually clear
> both the pages of the old and new sessions.
>
> Martin Grigorov
> Wicket Training and Consulting
> https://twitter.com/mtgrigorov
>
>
> On Thu, Aug 28, 2014 at 9:27 AM, Erki <er...@gmail.com> wrote:
>
>> Hello!
>>
>> I have functionality that allows users to change their own role in the
>> system. After changing their role I want to clear the pagestore, so users
>> cannot access unauthorized pages with their back button. How should I do
>> that?
>>




Re: Clearing pagestore

Posted by Martin Grigorov <mg...@apache.org>.
Hi,

Using org.apache.wicket.Session#replaceSession() will do it. But it will
replace the whole http session so this could be too much.

To clear just the page store you need to do some more work:
extend org.apache.wicket.DefaultPageManagerProvider and
override org.apache.wicket.DefaultPageManagerProvider#newPageStore(IDataStore)
just to keep a reference to the created IPageStore and later to use its
org.apache.wicket.pageStore.IPageStore#unbind(String sessionId)

Before https://issues.apache.org/jira/browse/WICKET-5164 it was much
easier: getSession().getPageManager().sessionExpired(sessionId)
But unfortunately this method is no-op at the moment.

@Sven: is it OK to revert the change
in org.apache.wicket.page.PageStoreManager#sessionExpired(String) ?
This way Wicket will attempt to clear the pages twice for the same
sessionId but in case of Session Fixation Protection it may actually clear
both the pages of the old and new sessions.

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov


On Thu, Aug 28, 2014 at 9:27 AM, Erki <er...@gmail.com> wrote:

> Hello!
>
> I have functionality that allows users to change their own role in the
> system. After changing their role I want to clear the pagestore, so users
> cannot access unauthorized pages with their back button. How should I do
> that?
>
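
The page-store-only approach described in the message above (subclass DefaultPageManagerProvider, keep the created IPageStore, call unbind), sketched as an added example that is not code from the thread or from the Wicket project, written against the Wicket 6.x classes the messages name. The class name ClearablePageManagerProvider and the method clearPagesOf are hypothetical, and the call unbinds only what the IPageStore holds under the id it is given.

```java
import org.apache.wicket.Application;
import org.apache.wicket.DefaultPageManagerProvider;
import org.apache.wicket.Session;
import org.apache.wicket.pageStore.IDataStore;
import org.apache.wicket.pageStore.IPageStore;

/**
 * Hypothetical provider (the name is an assumption) that remembers the
 * IPageStore it creates so the application can drop one session's pages.
 */
public class ClearablePageManagerProvider extends DefaultPageManagerProvider {

    // Set when Wicket builds the page manager; read from request threads.
    private volatile IPageStore pageStore;

    public ClearablePageManagerProvider(Application application) {
        super(application);
    }

    @Override
    protected IPageStore newPageStore(IDataStore dataStore) {
        pageStore = super.newPageStore(dataStore);
        return pageStore;
    }

    /**
     * Unbinds the pages stored under the session's current id.
     * Returns false when there was nothing to unbind against.
     */
    public boolean clearPagesOf(Session session) {
        // Session#getId() is null while the session is still temporary.
        String sessionId = session.getId();
        if (pageStore == null || sessionId == null) {
            return false;
        }
        // Caveat raised in the thread: if the id was changed for session
        // fixation protection, the pages may be stored under the original
        // id and this call will not find them.
        pageStore.unbind(sessionId);
        return true;
    }
}

// Registration, in your WebApplication subclass:
//
//   private ClearablePageManagerProvider pageManagerProvider;
//
//   @Override
//   protected void init() {
//       super.init();
//       pageManagerProvider = new ClearablePageManagerProvider(this);
//       setPageManagerProvider(pageManagerProvider);
//   }
//
// After the role change, then redirect to a freshly created page:
//
//   pageManagerProvider.clearPagesOf(Session.get());
//   setResponsePage(getApplication().getHomePage());
```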