Conversations are not scoped to a particular session
----------------------------------------------------
Key: OWB-163
URL: https://issues.apache.org/jira/browse/OWB-163
Project: OpenWebBeans
Issue Type: Bug
Components: Context and Scopes
Affects Versions: 1.0.0
Reporter: Sven Linstaedt
Assignee: Gurkan Erdogdu
Priority: Blocker
According to the spec 6.7.4: "All long-running conversations are scoped to a
particular HTTP servlet session and may not cross session boundaries."
If I create a long-running conversation and delete my browser cookies (or
switch to another browser vendor), the conversation is still available by
attaching the CID to the request URL. IMHO this is a high security risk;
therefore I created this issue as a blocker.
I stumbled upon this while trying to provide incremental instead of random CIDs
to long-running conversations. I am using a nightly build of the trunk.
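The session binding that the quoted spec sentence requires, sketched as an added example that is not part of the original report and is not OpenWebBeans code. The class `ConversationRegistry`, its methods, and the session ids are hypothetical; the registry records which HTTP session began each conversation and honours a CID only for that session.

```java
import java.security.SecureRandom;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical registry (not the OpenWebBeans implementation).
public class ConversationRegistry {
    // A long-running conversation remembers the HTTP session that began it.
    record Conversation(String cid, String ownerSessionId) {}

    private final Map<String, Conversation> byCid = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();

    // Begin a long-running conversation owned by the given session.
    public String begin(String sessionId) {
        String cid = Long.toHexString(random.nextLong());
        byCid.put(cid, new Conversation(cid, sessionId));
        return cid;
    }

    // Behaviour described in the report: the CID alone selects the conversation.
    public Optional<Conversation> lookupByCidOnly(String cid) {
        return Optional.ofNullable(byCid.get(cid));
    }

    // Session-scoped lookup: the CID is honoured only for the owning session.
    public Optional<Conversation> lookup(String sessionId, String cid) {
        return Optional.ofNullable(byCid.get(cid))
                .filter(c -> sessionId != null && sessionId.equals(c.ownerSessionId()));
    }

    // Drop a session's conversations when that session is invalidated.
    public void sessionDestroyed(String sessionId) {
        byCid.values().removeIf(c -> c.ownerSessionId().equals(sessionId));
    }

    public static void main(String[] args) {
        ConversationRegistry registry = new ConversationRegistry();
        // Constructed sample session ids.
        String cid = registry.begin("session-A");
        // The same CID arriving on a request that belongs to a different session.
        System.out.println("cid only:       " + registry.lookupByCidOnly(cid).isPresent());
        System.out.println("other session:  " + registry.lookup("session-B", cid).isPresent());
        System.out.println("owning session: " + registry.lookup("session-A", cid).isPresent());
        registry.sessionDestroyed("session-A");
        System.out.println("after destroy:  " + registry.lookup("session-A", cid).isPresent());
    }
}
```

With the owner check in place, the unpredictability of the CID stops being the only thing that separates one user's conversation from another's.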