git commit: [WICKET-4512] refresh session ID instead of just forgetting it

Mon, 07 May 2012 06:44:35 -0700 

Updated Branches:
  refs/heads/wicket-1.4.x 62c234ec4 -> ed102d329


[WICKET-4512] refresh session ID instead of just forgetting it


Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/ed102d32
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/ed102d32
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/ed102d32

Branch: refs/heads/wicket-1.4.x
Commit: ed102d329a1920392a5c3f627c539b9330e6e5e7
Parents: 62c234e
Author: Carl-Eric Menzel <cmen...@wicketbuch.de>
Authored: Mon May 7 14:11:53 2012 +0200
Committer: Carl-Eric Menzel <cmen...@wicketbuch.de>
Committed: Mon May 7 14:11:53 2012 +0200

----------------------------------------------------------------------
 .../src/main/java/org/apache/wicket/Session.java   |   15 +++++++++++----
 1 files changed, 11 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/wicket/blob/ed102d32/wicket/src/main/java/org/apache/wicket/Session.java
----------------------------------------------------------------------
diff --git a/wicket/src/main/java/org/apache/wicket/Session.java 
b/wicket/src/main/java/org/apache/wicket/Session.java
index fd8ef96..1dae600 100644
--- a/wicket/src/main/java/org/apache/wicket/Session.java
+++ b/wicket/src/main/java/org/apache/wicket/Session.java
@@ -1204,16 +1204,23 @@ public abstract class Session implements IClusterable
         */
        protected void detach()
        {
-               // remove the session id in case a container like tomcat tries 
to be smart by doing
-               // session fixation protection by changing the session id. this 
will simply be re-read
-               // from the underlying httpsession when needed.
-               id = null;
+               refreshId();
                if (sessionInvalidated)
                {
                        invalidateNow();
                }
        }
 
+       private void refreshId()
+       {
+               // refresh the session id in case a container like tomcat tries 
to be smart by doing
+               // session fixation protection by changing the session id.
+               // first, clear the id:
+               id = null;
+               // then re-read the id from the underlying http session:
+               getId();
+       }
+
        /**
         * Marks session state as dirty so that it will be flushed at the end 
of the request.
         */

Reply via email to