[ https://issues.apache.org/jira/browse/OWB-163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12777988#action_12777988 ]
Gurkan Erdogdu commented on OWB-163:
------------------------------------
conversation = cid + session id
That means two different sessions with the same cid must not be restored.
> Conversations are not scoped to a particular session
> ----------------------------------------------------
>
> Key: OWB-163
> URL: https://issues.apache.org/jira/browse/OWB-163
> Project: OpenWebBeans
> Issue Type: Bug
> Components: Context and Scopes
> Affects Versions: 1.0.0
> Reporter: Sven Linstaedt
> Assignee: Gurkan Erdogdu
> Priority: Blocker
>
> According to the spec 6.7.4: "All long-running conversations are scoped to a
> particular HTTP servlet session and may not cross session boundaries."
> If I create a long running conversation and delete my browser cookies (or
> switch to another browser vendor) the conversation is still available by
> attaching the CID to the request URL. IMHO this is a high security risk,
> therefore I created this issue as a blocker.
> I stumbled upon this while trying to provide incremental instead of random
> CIDs to long running conversations. I am using a nightly build of the trunk.
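The rule stated in the comment above (a conversation is identified by cid plus session id), as an added example that is not OpenWebBeans code and not part of the original message. The class, the method names and the sample session ids and state are hypothetical; the cid-only lookup is shown next to the session-scoped one so the difference is visible.

```java
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical illustration; class and method names are not OpenWebBeans APIs.
public class ConversationScopeDemo {

    // Flawed store: long-running conversations are keyed by cid alone.
    static final Map<String, String> byCid = new ConcurrentHashMap<>();

    // Scoped store: session id -> (cid -> conversation state).
    static final Map<String, Map<String, String>> bySession = new ConcurrentHashMap<>();

    static void begin(String sessionId, String cid, String state) {
        byCid.put(cid, state);
        bySession.computeIfAbsent(sessionId, s -> new ConcurrentHashMap<>()).put(cid, state);
    }

    // Restores whatever matches the cid request parameter, regardless of session.
    static Optional<String> restoreByCidOnly(String cid) {
        return Optional.ofNullable(byCid.get(cid));
    }

    // Restores only when the cid was started in the requesting session.
    static Optional<String> restoreScoped(String sessionId, String cid) {
        if (sessionId == null || cid == null) return Optional.empty();
        Map<String, String> own = bySession.get(sessionId);
        return own == null ? Optional.empty() : Optional.ofNullable(own.get(cid));
    }

    // Call on session invalidation so conversations end with their session.
    static void sessionDestroyed(String sessionId) {
        Map<String, String> own = bySession.remove(sessionId);
        if (own != null) own.keySet().forEach(byCid::remove);
    }

    public static void main(String[] args) {
        // Constructed sample values.
        begin("session-A", "1", "state of user A");
        // A request that carries cid=1 but belongs to a different session:
        System.out.println("cid only, session-B: " + restoreByCidOnly("1").isPresent());
        System.out.println("scoped,   session-B: " + restoreScoped("session-B", "1").isPresent());
        System.out.println("scoped,   session-A: " + restoreScoped("session-A", "1").isPresent());
        sessionDestroyed("session-A");
        System.out.println("after invalidation:  " + restoreScoped("session-A", "1").isPresent());
    }
}
```

With the scoped lookup, the predictability of the cid (random or incremental) no longer decides who can resume a conversation, because a cid is only meaningful inside the session that started it.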