[ https://issues.apache.org/jira/browse/OWB-163?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gurkan Erdogdu updated OWB-163:
-------------------------------
Affects Version/s: M3 (was: 1.0.0)
> Conversations are not scoped to a particular session
> ----------------------------------------------------
>
> Key: OWB-163
> URL: https://issues.apache.org/jira/browse/OWB-163
> Project: OpenWebBeans
> Issue Type: Bug
> Components: Context and Scopes
> Affects Versions: M3
> Reporter: Sven Linstaedt
> Assignee: Gurkan Erdogdu
> Priority: Blocker
> Fix For: M4
>
>
> According to the spec 6.7.4: "All long-running conversations are scoped to a
> particular HTTP servlet session and may not cross session boundaries."
> If I create a long running conversation and delete my browser cookies (or
> switch to another browser vendor) the conversation is still available by
> attaching the CID to the request URL. IMHO this is a high security risk,
> therefore I created this issue as a blocker.
> I stumbled upon this while trying to provide incremental instead of random
> CIDs to long running conversations. I am using a nightly build of the trunk.
--
This message is automatically generated by JIRA.
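An added example (not OpenWebBeans code and not part of the original message) of the rule quoted from spec 6.7.4: a conversation store that records the owning session and refuses a CID presented from any other session, shown beside the CID-only lookup the report describes. The class and method names are hypothetical, and the session ids are constructed strings standing in for `HttpSession.getId()`.

```java
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical registry for illustration; requires Java 16+ (records).
public class ConversationRegistry {
    // The owning session is recorded once, when the conversation is created.
    public record Conversation(String cid, String ownerSessionId) {}

    private final Map<String, Conversation> byCid = new ConcurrentHashMap<>();

    public Conversation begin(String sessionId) {
        // A random CID only makes guessing harder; the session check in lookup() is the control.
        Conversation c = new Conversation(UUID.randomUUID().toString(), Objects.requireNonNull(sessionId));
        byCid.put(c.cid(), c);
        return c;
    }

    // Behaviour described in the report: the CID alone selects the conversation.
    public Optional<Conversation> lookupByCidOnly(String cid) {
        return Optional.ofNullable(byCid.get(cid));
    }

    // Scoped lookup: the CID is honoured only for the session that owns it.
    public Optional<Conversation> lookup(String sessionId, String cid) {
        if (sessionId == null || cid == null) return Optional.empty();
        Conversation c = byCid.get(cid);
        if (c == null || !c.ownerSessionId().equals(sessionId)) return Optional.empty();
        return Optional.of(c);
    }

    // Call on session invalidation so no conversation outlives its session.
    public void endAllFor(String sessionId) {
        byCid.values().removeIf(c -> c.ownerSessionId().equals(sessionId));
    }

    public static void main(String[] args) {
        ConversationRegistry reg = new ConversationRegistry();
        // Constructed ids standing in for HttpSession.getId().
        String cid = reg.begin("session-A").cid();
        System.out.println("cid only:          " + reg.lookupByCidOnly(cid).isPresent());
        System.out.println("owner session:     " + reg.lookup("session-A", cid).isPresent());
        System.out.println("other session:     " + reg.lookup("session-B", cid).isPresent());
        reg.endAllFor("session-A");
        System.out.println("after session end: " + reg.lookup("session-A", cid).isPresent());
    }
}
```

In a servlet container, `endAllFor` would be driven from `HttpSessionListener.sessionDestroyed`, so a CID stops resolving as soon as its session is invalidated or times out.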