Author: jcompagner
Date: Thu Oct 30 02:57:03 2008
New Revision: 709128

URL: http://svn.apache.org/viewvc?rev=709128&view=rev
Log:
WICKET-1767 Protection against Session Fixation

Modified:
    wicket/trunk/wicket/src/main/java/org/apache/wicket/Session.java

Modified: wicket/trunk/wicket/src/main/java/org/apache/wicket/Session.java
URL: http://svn.apache.org/viewvc/wicket/trunk/wicket/src/main/java/org/apache/wicket/Session.java?rev=709128&r1=709127&r2=709128&view=diff
==============================================================================
--- wicket/trunk/wicket/src/main/java/org/apache/wicket/Session.java (original)
+++ wicket/trunk/wicket/src/main/java/org/apache/wicket/Session.java Thu Oct 30 
02:57:03 2008
@@ -58,11 +58,10 @@
  * holds the Page. So [EMAIL PROTECTED] Component#getSession()} traverses the 
component hierarchy to the root
  * Page and then calls [EMAIL PROTECTED] Page#getSession()}.
  * 
- * <li><b>Access via Thread Local </b>- In the odd case where neither a 
RequestCycle nor a
- * Component is available, the currently active Session for the calling thread 
can be retrieved by
- * calling the static method Session.get(). This last form should only be used 
if the first two
- * forms cannot be used since thread local access can involve a potentially 
more expensive hash map
- * lookup.
+ * <li><b>Access via Thread Local </b>- In the odd case where neither a 
RequestCycle nor a Component
+ * is available, the currently active Session for the calling thread can be 
retrieved by calling the
+ * static method Session.get(). This last form should only be used if the 
first two forms cannot be
+ * used since thread local access can involve a potentially more expensive 
hash map lookup.
  * 
  * <li><b>Locale </b>- A session has a Locale property to support 
localization. The Locale for a
  * session can be set by calling [EMAIL PROTECTED] Session#setLocale(Locale)}. 
The Locale for a Session
@@ -104,9 +103,9 @@
  * <li><b>Removal </b>- Pages can be removed from the Session forcibly by 
calling remove(Page) or
  * removeAll(), although such an action should rarely be necessary.
  * 
- * <li><b>Flash Messages</b>- Flash messages are messages that are stored in 
session and are
- * removed after they are displayed to the user. Session acts as a store for 
these messages because
- * they can last across requests.
+ * <li><b>Flash Messages</b>- Flash messages are messages that are stored in 
session and are removed
+ * after they are displayed to the user. Session acts as a store for these 
messages because they can
+ * last across requests.
  * 
  * @author Jonathan Locke
  * @author Eelco Hillenius
@@ -392,8 +391,8 @@
         * <p>
         * By calling this method, the session will be bound (made 
not-temporary) if it was not bound
         * yet. It is useful for cases where you want to be absolutely sure 
this session object will be
-        * available in next requests. If the session was already bound ([EMAIL 
PROTECTED] ISessionStore#lookup(Request) returns a session}),
-        * this call will be a noop.
+        * available in next requests. If the session was already bound (
+        * [EMAIL PROTECTED] ISessionStore#lookup(Request) returns a session}), 
this call will be a noop.
         * </p>
         */
        public final void bind()
@@ -681,8 +680,7 @@
         * @return The page based on the first path component (the page id), or 
null if the requested
         *         version of the page cannot be found.
         */
-       public final Page getPage(final String pageMapName, final String path,
-               final int versionNumber)
+       public final Page getPage(final String pageMapName, final String path, 
final int versionNumber)
        {
                if (log.isDebugEnabled())
                {
@@ -881,6 +879,21 @@
                getSessionStore().invalidate(RequestCycle.get().getRequest());
        }
 
+
+       /**
+        * Replaces the underlying (Web)Session, invalidating the current one 
and creating a new one. By
+        * calling [EMAIL PROTECTED] ISessionStore#invalidate(Request)} and 
[EMAIL PROTECTED] #bind()}
+        * <p>
+        * Call upon login to protect against session fixation.
+        * 
+        * @see "http://www.owasp.org/index.php/Session_Fixation";
+        */
+       public void replaceSession()
+       {
+               getSessionStore().invalidate(RequestCycle.get().getRequest());
+               bind();
+       }
+
        /**
         * Whether the session is invalid now, or will be invalidated by the 
end of the request. Clients
         * should rarely need to use this method if ever.
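Review bot: the Javadoc of the new replaceSession() has a dangling fragment, the second sentence "By calling ISessionStore#invalidate(Request) and #bind()" has no main clause; fold it into the first sentence, e.g. "Replaces the underlying (Web)Session by calling ISessionStore#invalidate(Request) and then #bind(), invalidating the current one and creating a new one.", and drop the stray semicolon after the closing quote of the @see URL. On the logic, the method only rotates the id if bind() sees the session as unbound after invalidate() has run: bind() is documented earlier in this same patch as a noop when ISessionStore#lookup(Request) still returns a session, so a test (or at least a comment here) confirming that invalidate(Request) makes that lookup miss within the same request would make the fixation protection verifiable rather than assumed. Because the current session is invalidated, any attributes an application placed in it before login do not carry over; the "Call upon login" advice should state that post-login state must be stored after replaceSession() returns. Minor: the added empty line leaves two consecutive blank lines after invalidate(), and bind() just above is declared final while replaceSession() is not; confirm that difference is intended.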

