[ https://issues.apache.org/jira/browse/WW-3895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14107002#comment-14107002 ]

Hudson commented on WW-3895:
----------------------------

SUCCESS: Integrated in Struts-JDK6-develop #79 (See [https://builds.apache.org/job/Struts-JDK6-develop/79/])
WW-3895 Uses session id for synchronisation (lukaszlenart: rev eecd907638d223a74b91a944476c11750adac4ab)
* core/src/main/java/org/apache/struts2/dispatcher/SessionMap.java
* core/src/test/java/org/apache/struts2/views/jsp/StrutsMockHttpSession.java
* core/src/main/java/org/apache/struts2/interceptor/TokenSessionStoreInterceptor.java
* core/src/test/java/org/apache/struts2/dispatcher/SessionMapTest.java


> Synchronization on HttpSession object
> -------------------------------------
>
>                 Key: WW-3895
>                 URL: https://issues.apache.org/jira/browse/WW-3895
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.3.4.1
>            Reporter: Patrick Cavanaugh
>            Assignee: Lukasz Lenart
>             Fix For: 2.3.18
>
>
> I noticed that in the fix for WW-3865 (and in current 2.3.4.1 code), 
> synchronization is made based on the HttpSession object.
> According to 
> http://yet-another-dev.blogspot.com/2009/08/synchronizing-httpsession.html 
> and http://stackoverflow.com/a/616723/631628 , HttpSession isn't guaranteed 
> by the specification to be the same object each time getSession() is called 
> and so the synchronization might not work correctly. That post suggests 
> synchronizing on the interned session ID instead. There might be other 
> places in the codebase this would have to be changed too, and not just in the 
> TokenSessionInterceptor discussed in WW-3865.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
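
An added illustration of the problem described in the issue above (not code from Struts or from the referenced commit): `SessionFacade` and `getSession()` are hypothetical stand-ins for a container that returns a fresh `HttpSession` wrapper on each call, and the session id value is constructed.

```java
import java.util.concurrent.atomic.AtomicBoolean;

public class SessionLockDemo {
    // Hypothetical stand-in for a container's HttpSession facade: a new wrapper
    // object per getSession() call, all backed by the same session id.
    static final class SessionFacade {
        private final String id;
        SessionFacade(String id) { this.id = id; }
        String getId() { return id; }
    }

    // Simulates request.getSession(); the id is built at runtime so each call
    // yields a distinct String instance, as ids read from a cookie would be.
    static SessionFacade getSession() {
        return new SessionFacade(new StringBuilder("A1B2").append("C3D4").toString());
    }

    // Holds heldLock, then reports whether another thread could enter a
    // synchronized block on otherLock while heldLock is still held.
    static boolean secondThreadEnters(Object heldLock, Object otherLock)
            throws InterruptedException {
        AtomicBoolean entered = new AtomicBoolean(false);
        Thread t = new Thread(() -> {
            synchronized (otherLock) { entered.set(true); }
        });
        t.setDaemon(true);
        synchronized (heldLock) {
            t.start();
            t.join(500); // wait while still holding heldLock
            return entered.get();
        }
    }

    public static void main(String[] args) throws InterruptedException {
        SessionFacade first = getSession();   // request 1
        SessionFacade second = getSession();  // request 2, same session

        // Distinct facade objects are distinct monitors: both requests proceed.
        System.out.println("lock on session object, second request enters: "
                + secondThreadEnters(first, second));
        // Interned ids resolve to one String instance: the requests serialize.
        System.out.println("lock on interned id, second request enters: "
                + secondThreadEnters(first.getId().intern(), second.getId().intern()));
    }
}
```

Interned strings live in a JVM-wide pool, so any other code that synchronizes on the same interned value contends for the same monitor.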
