[
https://issues.apache.org/jira/browse/WW-3895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14095926#comment-14095926
]
Lukasz Lenart commented on WW-3895:
-----------------------------------
Looks like {{final Object lock = request.getSession().getId().intern(); }} is
safe
http://www.codeinstructions.com/2009/01/busting-javalangstringintern-myths.html
> Synchronization on HttpSession object
> -------------------------------------
>
> Key: WW-3895
> URL: https://issues.apache.org/jira/browse/WW-3895
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 2.3.4.1
> Reporter: Patrick Cavanaugh
> Fix For: 2.3.18
>
>
> I noticed that in the fix for WW-3865 (and in current 2.3.4.1 code),
> synchronization is made based on the HttpSession object.
> According to
> http://yet-another-dev.blogspot.com/2009/08/synchronizing-httpsession.html
> and http://stackoverflow.com/a/616723/631628 , HttpSession isn't guaranteed
> by the specification to be the same object each time getSession() is called
> and so the synchronization might not work correctly. That post suggests
> synchronizing on the interned session ID instead. There are might be other
> places in the codebase this would have to be changed too, and not just in the
> TokenSessionInterceptor discussed in WW-3865.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
