[WICKET-4512] Wicket session id not up to date due to Tomcat session fixation protection - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.4.20
Fix Version/s: 1.4.21
Component/s: wicket
Labels:
None
Environment:
Tomcat 7.0.23

Description

While using a form based login with a security constraint in web.xml and killing the session on page start the value of 'WebSession.get().getId()' is not equal to '((ServletWebRequest) RequestCycle.get().getRequest()).getHttpServletRequest().getSession(false).getId()'.

This is due to Tomcat's session fixation protection in Tomat 7.0.

We implemented the following workaround:

new HttpSessionStore() {
public Session lookup(Request request) {
String sessionId = getSessionId(request, false);
LOG.debug("AbstractHttpSessionStore#lookup() [sessionId={}]", sessionId);
if (sessionId != null) {
WebRequest webRequest = toWebRequest(request);
Session session = (Session)getAttribute(webRequest, Session.SESSION_ATTRIBUTE_NAME);

// it cannot be okay if the session id's are not equal!!!
if (null != session && !sessionId.equals(session.getId())) {
try

{ Field f = Session.class.getDeclaredField("id"); f.setAccessible(true); f.set(session, null); // it will be resolved later from the httpSession }

catch (Exception e)

{ throw new IllegalStateException(e); }

}
return session;
}
return null;
}
}

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

sessionIdProblem.zip
24/Apr/12 13:26
12 kB
Thomas Rohde
0001-WICKET-4512-don-t-store-session-id-longer-than-neede.patch
25/Apr/12 16:28
1 kB
Carl-Eric Menzel

Issue Links

is related to

WICKET-5103 Wicket session id not up to date when container changes session id

Resolved

Activity

People

Assignee:: Carl-Eric Menzel

Reporter:: Thomas Rohde

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 24/Apr/12 13:25

Updated:: 16/Mar/13 07:48

Resolved:: 26/Apr/12 12:19