[ https://issues.apache.org/jira/browse/OWB-163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12777995#action_12777995 ]

Sven Linstaedt commented on OWB-163:
------------------------------------

Actually, only conversation.getId() is compared against a lookup (see 
ConversationManager:79).

> Conversations are not scoped to a particular session
> ----------------------------------------------------
>
>                 Key: OWB-163
>                 URL: https://issues.apache.org/jira/browse/OWB-163
>             Project: OpenWebBeans
>          Issue Type: Bug
>          Components: Context and Scopes
>    Affects Versions: 1.0.0
>            Reporter: Sven Linstaedt
>            Assignee: Gurkan Erdogdu
>            Priority: Blocker
>
> According to the spec 6.7.4: "All long-running conversations are scoped to a 
> particular HTTP servlet session and may not cross session boundaries."
> If I create a long running conversation and delete my browser cookies (or 
> switch to another browser vendor) the conversation is still available by 
> attaching the CID to the request URL. IMHO this is a high security risk, 
> therefore I created this issue as a blocker.
> I stumbled upon this while trying to provide incremental instead of random 
> CIDs to long running conversations. I am using a nightly build of the trunk.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
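The defect the issue and comment describe, illustrated with an added example that is not OpenWebBeans code: a minimal registry of long-running conversations where the lookup by cid alone (the behaviour reported above) sits beside a lookup that also checks the owning HTTP session, which is what spec section 6.7.4 requires. The class, field and method names here are assumptions for illustration; the session ids and cid values are constructed.

```java
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Added illustration (not OpenWebBeans code): a registry of long-running
 * conversations showing the cid-only lookup from OWB-163 next to a lookup
 * that is scoped to the HTTP session that started the conversation.
 */
public final class ScopedConversationRegistry {

    /** Stand-in for a long-running conversation; names are assumptions. */
    public static final class Conversation {
        private final String cid;
        private final String ownerSessionId;

        Conversation(String cid, String ownerSessionId) {
            this.cid = cid;
            this.ownerSessionId = ownerSessionId;
        }

        public String getId() { return cid; }
        public String getOwnerSessionId() { return ownerSessionId; }
    }

    // cid -> conversation. The cid is what arrives on the request URL.
    private final Map<String, Conversation> byCid = new ConcurrentHashMap<>();

    /** Starts a long-running conversation for the given session. */
    public Conversation begin(String sessionId, String cid) {
        Conversation c = new Conversation(cid, sessionId);
        byCid.put(cid, c);
        return c;
    }

    /**
     * The reported behaviour: only the cid is compared, so a request from any
     * session (cookies deleted, another browser) that carries a known cid
     * gets the conversation back. With incremental cids this is trivially
     * reachable; with random cids it is still a cross-session leak.
     */
    public Conversation lookupByCidOnly(String cid) {
        return byCid.get(cid);
    }

    /**
     * Session-scoped lookup: the cid is only honoured for the session that
     * created the conversation. Any other session sees "no conversation",
     * exactly as if the cid had never existed.
     */
    public Optional<Conversation> lookupForSession(String sessionId, String cid) {
        Conversation c = byCid.get(cid);
        if (c == null || !c.getOwnerSessionId().equals(sessionId)) {
            return Optional.empty();
        }
        return Optional.of(c);
    }

    /**
     * Conversations may not outlive their session: call this from the
     * session-destroyed hook so a later session cannot pick the cid up.
     */
    public void endAllForSession(String sessionId) {
        byCid.values().removeIf(c -> c.getOwnerSessionId().equals(sessionId));
    }

    public static void main(String[] args) {
        ScopedConversationRegistry registry = new ScopedConversationRegistry();

        // Constructed scenario: session-A starts conversation cid=1.
        registry.begin("session-A", "1");

        // A request from session-B attaches ?cid=1 to the URL.
        boolean leaked = registry.lookupByCidOnly("1") != null;
        boolean scoped = registry.lookupForSession("session-B", "1").isPresent();
        System.out.println("cid-only lookup from session-B found it: " + leaked);   // true
        System.out.println("scoped lookup from session-B found it:   " + scoped);   // false

        // The owning session still reaches its own conversation.
        System.out.println("scoped lookup from session-A found it:   "
                + registry.lookupForSession("session-A", "1").isPresent());         // true

        // Once session-A ends, the cid is gone for everyone.
        registry.endAllForSession("session-A");
        System.out.println("after session-A ended, cid-only lookup:  "
                + (registry.lookupByCidOnly("1") != null));                           // false
    }
}
```

The check in lookupForSession is the whole fix: the cid on the URL is treated as a name the session may use, not as a credential on its own. Tying removal to session invalidation matters as much as the ownership check, otherwise a cid from an expired session stays resolvable until some separate timeout fires.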