[
https://issues.apache.org/jira/browse/WICKET-6685?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16887876#comment-16887876
]
David Rain commented on WICKET-6685:
------------------------------------
[~bitstorm] Hello - thanks for the new method (wrapper). This is exactly what
we need. You can close this.
> Session#destroy (used in replaceSession) deletes metadata
> ---------------------------------------------------------
>
> Key: WICKET-6685
> URL: https://issues.apache.org/jira/browse/WICKET-6685
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 8.0.0
> Environment: Windows 8 / JDK 8
> Reporter: David Rain
> Assignee: Andrea Del Bene
> Priority: Major
>
> Tested on 8.5.0.
> The destroy method of Session has added some clean-up calls, e.q. metaData =
> null.
> The destroy method is also called by replaceSession method. That means, that
> replaceSession deletes metadata. But metadata are used in
> KeyInSessionSunJceCryptFactory to store the crypt key. So now in Wicket 8
> calling replaceSession (quite common security practise) means that all links
> generated before get broken.
> I don't think this was the intention...
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
