[
https://issues.apache.org/jira/browse/OWB-163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12777989#action_12777989
]
Sven Linstaedt commented on OWB-163:
------------------------------------
From a security point of view this sounds understandable.
But what is with the term "may not cross session boundaries"? The present
implementation of OWB allows the conversation to cross session boundaries. You
can have two different sessions active, both of them working on the same
conversation.
> Conversations are not scoped to a particular session
> ----------------------------------------------------
>
> Key: OWB-163
> URL: https://issues.apache.org/jira/browse/OWB-163
> Project: OpenWebBeans
> Issue Type: Bug
> Components: Context and Scopes
> Affects Versions: 1.0.0
> Reporter: Sven Linstaedt
> Assignee: Gurkan Erdogdu
> Priority: Blocker
>
> According to the spec 6.7.4: "All long-running conversations are scoped to a
> particular HTTP servlet session and may not cross session boundaries."
> If I create a long running conversation and delete my browser cookies (or
> switch to another browser vendor) the conversation is still available by
> attaching the CID to the request URL. IMHO this is a high security risk,
> therefore I created this issue as a blocker.
> I stumbled upon this while trying to provide incremental instead of random
> CIDs to long running conversations. I am using a nightly build of the trunk.
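Added example, not code from OpenWebBeans or from the reporter: a plain-Java registry (hypothetical class and method names, constructed session ids) that keys long-running conversations by the owning session id, so a cid replayed under a different session resolves to nothing, which is the behaviour spec 6.7.4 requires.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

/** Registry that binds each long-running conversation to the HTTP session that began it. */
public class SessionScopedConversations {

    /** Minimal stand-in for a CDI conversation; carries only what the check needs. */
    public static final class Conversation {
        public final String id;         // the cid that appears in request URLs
        public final String sessionId;  // session that began the conversation
        Conversation(String id, String sessionId) { this.id = id; this.sessionId = sessionId; }
    }

    // Outer key: session id. Inner key: cid. A cid is only reachable through its own session.
    private final Map<String, Map<String, Conversation>> bySession = new HashMap<>();

    /** Begins a long-running conversation for the given session and returns its cid. */
    public synchronized String begin(String sessionId) {
        String cid = UUID.randomUUID().toString();  // unguessable, rather than incremental
        bySession.computeIfAbsent(sessionId, s -> new HashMap<>())
                 .put(cid, new Conversation(cid, sessionId));
        return cid;
    }

    /** Resolves a cid from a request; returns null unless it was begun in this session. */
    public synchronized Conversation resolve(String sessionId, String cid) {
        Map<String, Conversation> mine = bySession.get(sessionId);
        return mine == null ? null : mine.get(cid);
    }

    /** Drops every conversation of a session, e.g. from HttpSessionListener.sessionDestroyed. */
    public synchronized void sessionDestroyed(String sessionId) {
        bySession.remove(sessionId);
    }

    public static void main(String[] args) {
        SessionScopedConversations registry = new SessionScopedConversations();
        String cid = registry.begin("session-A");  // constructed session ids
        System.out.println("own session finds cid: " + (registry.resolve("session-A", cid) != null));
        // The same cid pasted into a URL from a second browser (a new session) is not found.
        System.out.println("other session finds cid: " + (registry.resolve("session-B", cid) != null));
    }
}
```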