[
https://issues.apache.org/jira/browse/WICKET-2013?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12662794#action_12662794
]
Maarten Billemont commented on WICKET-2013:
-------------------------------------------
I understand that within the same request you can still access the Session.
Though, I expect that after restarting the request or aborting it; using
respectively a RestartResponseException or AbortException, the Session will get
cleaned up and the next response will be generated based off a session-less
request.
Especially so with the AbortException; which causes the next request to a
wicket page to come from a new HTTP request, where the HTTP session cookie
should not be present anymore.
Correct me if I'm mistaken.
If this functionality is not currently as is intended, then perhaps we should
considder making this the intended behaviour for the reasons explained in the
bug description. Mainly, that when I want to invalidate my session, I want to
stop the current request processing (because it relies on an active session,
and I clearly have the intent to get rid of it, eg, for the purpose of a logout
-- I don't want the user's login details to show on the logout page; or run the
risk of somebody else implementing my code getting access to that data after
having issued a logout).
> Session doesn't get invalidated when using RestartResponseException.
> --------------------------------------------------------------------
>
> Key: WICKET-2013
> URL: https://issues.apache.org/jira/browse/WICKET-2013
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 1.4-RC1
> Reporter: Maarten Billemont
>
> When invalidating a session using Session.get().invalidateNow(), I normally
> want to stop processing the current request. When I do this in a constructor
> of a page which might be extended by another page, I don't want any other
> code to get exected. Not my own, not that of any possible pages extending my
> page.
> To do this, I throw an AbortException or a RestartResponseException.
> However, it seems the session isn't actually properly cleaned this way.
> The following code demonstrates the problem:
> {code:title=TinyTests.java}
> package test.spike;
> import org.apache.wicket.Page;
> import org.apache.wicket.Request;
> import org.apache.wicket.Response;
> import org.apache.wicket.RestartResponseException;
> import org.apache.wicket.Session;
> import org.apache.wicket.markup.html.WebPage;
> import org.apache.wicket.protocol.http.WebApplication;
> import org.apache.wicket.protocol.http.WebSession;
> import org.apache.wicket.util.tester.WicketTester;
> import org.junit.Test;
> public class TinyTests {
> public static class MyApp extends WebApplication {
> /**
> * {...@inheritdoc}
> */
> @Override
> public Class<? extends Page> getHomePage() {
> return MyPage.class;
> }
> /**
> * {...@inheritdoc}
> */
> @Override
> public Session newSession(Request request, Response response) {
> return new MySession(request);
> }
> }
> public static class MySession extends WebSession {
> public MySession(Request request) {
> super(request);
> }
> public static MySession get() {
> return (MySession) Session.get();
> }
> private static final long serialVersionUID = 1L;
> private String name;
> public void setName(String name) {
> this.name = name;
> }
> public String getName() {
> return name;
> }
> }
> public static class MyPage extends WebPage {
> public MyPage() {
> if (MySession.get().getName() != null) {
> Session.get().invalidateNow();
> throw new RestartResponseException(getClass());
> }
> }
> }
> @Test
> public void wicketTest() {
> WicketTester wicket = new WicketTester(new MyApp());
> wicket.processRequestCycle();
> MySession.get().setName("foo");
> wicket.processRequestCycle();
> }
> }
> {code}
> {code:title=TinyTests$MyPage.html}
> <html>
> </html>
> {code}
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
