[
https://issues.apache.org/jira/browse/WW-3895?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Lukasz Lenart updated WW-3895:
------------------------------
Fix Version/s: (was: 2.3.15)
2.3.x
> Synchronization on HttpSession object
> -------------------------------------
>
> Key: WW-3895
> URL: https://issues.apache.org/jira/browse/WW-3895
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 2.3.4.1
> Reporter: Patrick Cavanaugh
> Fix For: 2.3.x
>
>
> I noticed that in the fix for WW-3865 (and in current 2.3.4.1 code),
> synchronization is made based on the HttpSession object.
> According to
> http://yet-another-dev.blogspot.com/2009/08/synchronizing-httpsession.html
> and http://stackoverflow.com/a/616723/631628 , HttpSession isn't guaranteed
> by the specification to be the same object each time getSession() is called
> and so the synchronization might not work correctly. That post suggests
> synchronizing on the interned session ID instead. There are might be other
> places in the codebase this would have to be changed too, and not just in the
> TokenSessionInterceptor discussed in WW-3865.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
