[ https://issues.apache.org/jira/browse/WICKET-4512?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Martin Grigorov reassigned WICKET-4512:
---------------------------------------

    Assignee: Carl-Eric Menzel

> Wicket session id not up to date due to Tomcat session fixation protection
> --------------------------------------------------------------------------
>
>                 Key: WICKET-4512
>                 URL: https://issues.apache.org/jira/browse/WICKET-4512
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.4.20
>         Environment: Tomcat 7.0.23
>            Reporter: Thomas Rohde
>            Assignee: Carl-Eric Menzel
>         Attachments: 0001-WICKET-4512-don-t-store-session-id-longer-than-neede.patch, sessionIdProblem.zip
>
>
> While using a form based login with a security constraint in web.xml and killing the session on page start, the value of 'WebSession.get().getId()' is not equal to '((ServletWebRequest) RequestCycle.get().getRequest()).getHttpServletRequest().getSession(false).getId()'.
> This is due to Tomcat's session fixation protection in Tomcat 7.0.
> We implemented the following workaround:
>
> import java.lang.reflect.Field;
>
> import org.apache.wicket.Request;
> import org.apache.wicket.Session;
> import org.apache.wicket.protocol.http.HttpSessionStore;
> import org.apache.wicket.protocol.http.WebRequest;
> import org.slf4j.Logger;
> import org.slf4j.LoggerFactory;
>
> // LOG is the application's slf4j logger; the store is returned from
> // WebApplication#newSessionStore() so it replaces the default one.
> private static final Logger LOG = LoggerFactory.getLogger("SessionIdWorkaround");
>
> new HttpSessionStore() {
>     @Override
>     public Session lookup(Request request) {
>         // The id the container currently uses for this request (no session is created here).
>         String sessionId = getSessionId(request, false);
>         LOG.debug("AbstractHttpSessionStore#lookup() [sessionId={}]", sessionId);
>         if (sessionId != null) {
>             WebRequest webRequest = toWebRequest(request);
>             // The Wicket Session object survives Tomcat's id change because it is
>             // stored as an attribute of the HttpSession, but it still caches the old id.
>             Session session = (Session) getAttribute(webRequest, Session.SESSION_ATTRIBUTE_NAME);
>
>             // it cannot be okay if the session ids are not equal!!!
>             if (null != session && !sessionId.equals(session.getId())) {
>                 try {
>                     // Session has no setter for its id, so clear the cached value by reflection.
>                     Field f = Session.class.getDeclaredField("id");
>                     f.setAccessible(true);
>                     f.set(session, null); // it will be resolved later from the httpSession
>                 } catch (Exception e) {
>                     throw new IllegalStateException(e);
>                 }
>             }
>             return session;
>         }
>         return null;
>     }
> }

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
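As an added example, not part of the WICKET-4512 report or the attached patch: a Wicket 1.4 request cycle that detects the mismatch described in the report at the start of every request and logs it, so a stale cached id becomes visible before it causes a failed session lookup. Assumed: the Wicket 1.4 APIs named in the report (WebRequestCycle, Session.exists(), WebRequest.getHttpServletRequest()), slf4j logging, and an application class named MyApplication.

```java
// Added example (not from the WICKET-4512 report): detect a Wicket session id
// that no longer matches the container's id after Tomcat rotated it on login.
import javax.servlet.http.HttpSession;

import org.apache.wicket.Request;
import org.apache.wicket.RequestCycle;
import org.apache.wicket.Response;
import org.apache.wicket.Session;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.protocol.http.WebRequest;
import org.apache.wicket.protocol.http.WebRequestCycle;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class SessionIdCheckingRequestCycle extends WebRequestCycle {
    private static final Logger LOG = LoggerFactory.getLogger(SessionIdCheckingRequestCycle.class);

    public SessionIdCheckingRequestCycle(WebApplication app, WebRequest request, Response response) {
        super(app, request, response);
    }

    @Override
    protected void onBeginRequest() {
        super.onBeginRequest();
        // Only inspect an existing container session; never create one from a check.
        HttpSession http = getWebRequest().getHttpServletRequest().getSession(false);
        if (http == null || !Session.exists()) {
            return;
        }
        String containerId = http.getId();
        String wicketId = Session.get().getId();
        if (!containerId.equals(wicketId)) {
            // Tomcat's session fixation protection changed the id after Wicket cached it.
            LOG.warn("Stale Wicket session id: wicket={} container={}", wicketId, containerId);
        }
    }
}

// Hook it in from the application class (assumed name MyApplication):
//
//     @Override
//     public RequestCycle newRequestCycle(Request request, Response response) {
//         return new SessionIdCheckingRequestCycle(this, (WebRequest) request, response);
//     }
```

The warning fires on the first request after the container rotated the id, which is exactly the state in which the reporter's workaround resets the cached field.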