[
https://issues.apache.org/jira/browse/WICKET-6685?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16885039#comment-16885039
]
David Rain commented on WICKET-6685:
------------------------------------
I am temporarily able to overcome this issue with not very nice workaround.
{code:java}
@Override
public void replaceSession() {
/* Part of #destroy() code. Workaround until WICKET-6685 is fixed */
if (getSessionStore() != null) {
getSessionStore().invalidate(RequestCycle.get().getRequest());
clientInfo = null;
}
/* end of workaround */
bind();
}
{code}
Due tu private access level in Session, it is not possible to add anything else
from #destroy()
> Session#destroy (used in replaceSession) deletes metadata
> ---------------------------------------------------------
>
> Key: WICKET-6685
> URL: https://issues.apache.org/jira/browse/WICKET-6685
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 8.0.0
> Environment: Windows 8 / JDK 8
> Reporter: David Rain
> Priority: Major
>
> Tested on 8.5.0.
> The destroy method of Session has added some clean-up calls, e.q. metaData =
> null.
> The destroy method is also called by replaceSession method. That means, that
> replaceSession deletes metadata. But metadata are used in
> KeyInSessionSunJceCryptFactory to store the crypt key. So now in Wicket 8
> calling replaceSession (quite common security practise) means that all links
> generated before get broken.
> I don't think this was the intention...
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
