Patrick Cavanaugh created WW-3895:
-------------------------------------
Summary: Synchronization on HttpSession object
Key: WW-3895
URL: https://issues.apache.org/jira/browse/WW-3895
Project: Struts 2
Issue Type: Bug
Affects Versions: 2.3.4.1
Reporter: Patrick Cavanaugh
I noticed that in the fix for WW-3865 (and in current 2.3.4.1 code),
synchronization is made based on the HttpSession object.
According to
http://yet-another-dev.blogspot.com/2009/08/synchronizing-httpsession.html and
http://stackoverflow.com/a/616723/631628 , HttpSession isn't guaranteed by the
specification to be the same object each time getSession() is called and so the
synchronization might not work correctly. That post suggests synchronizing on
the interned session ID instead. There might be other places in the
codebase this would have to be changed too, and not just in the
TokenSessionInterceptor discussed in WW-3865.
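Added example, not part of the original report and not Struts code: a self-contained Java simulation of the problem described above. The hypothetical `SessionFacade` stands in for a container that returns a different wrapper object on each `getSession()` call, and the same check-then-remove token step is run once locking on the session object and once on the interned session ID; all names and values are constructed.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Function;
public class SessionLockDemo {
    // Hypothetical facade: a new wrapper object per getSession() call, same underlying session.
    static final class SessionFacade {
        private final String id;
        SessionFacade(String id) { this.id = new String(id); } // fresh String instance each time
        String getId() { return id; }
    }

    // Shared state of the one underlying session (constructed sample data).
    static final Map<String, String> attributes = new ConcurrentHashMap<>();
    static SessionFacade getSession() { return new SessionFacade("CONSTRUCTED-SESSION-ID"); }
    // One-time token check: test, then remove. Must be atomic per session.
    static boolean consumeToken(Object lock) throws InterruptedException {
        synchronized (lock) {
            if (!attributes.containsKey("token")) return false;
            Thread.sleep(20);              // widen the race window for the demo
            attributes.remove("token");
            return true;
        }
    }

    // Fires 8 concurrent "requests" carrying the same token; returns how many were accepted.
    static int run(Function<SessionFacade, Object> lockOf) throws InterruptedException {
        attributes.put("token", "constructed-token");
        AtomicInteger accepted = new AtomicInteger();
        CountDownLatch start = new CountDownLatch(1);
        Thread[] requests = new Thread[8];
        for (int i = 0; i < requests.length; i++) {
            requests[i] = new Thread(() -> {
                try {
                    start.await();
                    if (consumeToken(lockOf.apply(getSession()))) accepted.incrementAndGet();
                } catch (InterruptedException e) { Thread.currentThread().interrupt(); }
            });
            requests[i].start();
        }
        start.countDown();
        for (Thread t : requests) t.join();
        return accepted.get();
    }
    public static void main(String[] args) throws InterruptedException {
        System.out.println("lock on session object: " + run(s -> s) + " accepted");
        System.out.println("lock on interned id:    " + run(s -> s.getId().intern()) + " accepted");
    }
}
```

With the per-call facade as the lock, the token is typically accepted by more than one thread, while the interned-ID lock admits exactly one. Interned strings are JVM-wide, so any other code that synchronizes on the same string shares that monitor.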