[Wicket-user] Re: Wicket and Tomcat session id reuse
Resin has sesion id reuse by default, see http://www.caucho.com/resin-3.0/config/webapp.xtp#session-config, search for reuse-session-id. I suspect, that Tomcat has something similar, I just cannot find the config parameter. Jan jan_bar [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Hi, I created a little application that tests various session behaviour. I notied something interesting with Tomcat. When session is invalidated and browser sends request to Tomcat with session id in cookie (the session was invalidated), Tomcat doesn't create new session with new id, it just reuse the session id. Just to be clean about that, here is part of the log: PersistentSessionListener.sessionCreated(), id = 94B93B22C9E1B8B2EFA96807764C12E9 PersistentSessionListener.sessionDestroyed(), id = 94B93B22C9E1B8B2EFA96807764C12E9 PersistentSessionListener.sessionCreated(), id = 94B93B22C9E1B8B2EFA96807764C12E9 Even if suprising behaviour, it is in my opinion correct. Why to generate new session id when I can reuse the already generated one? And now to the point. It seems to me that Wicket 1.1.1 is not prepared to handle this correctly, for instance the WebApplication.redirectMap contains entries, that are not valid for the new session if it has the same id. Can someone confirm this? I use JBoss 4.0.3SP1 Thanks, Jan --- This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmd=lnkkid=110944bid=241720dat=121642 --- This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmd=lnkkid=110944bid=241720dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
[Wicket-user] Re: Wicket and Tomcat session id reuse
Thanks Johan, (I cannot indent your message, because it is not plain text). I have exactly the situation you describe. I use the REDIREC_TO_BUFFER, invalidate a page a no redirect. With Jetty I get session expired page, which is expected, but with Tomcat I get back the original page. Only after subsequent refresh or button click I get the session expired. This is due to the fact, that the buffered response was not cleared from the map. Jan Johan Compagner [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] that map doesn't really matter it is only filled with something if we send out a client side redirect to a page that we already renderd (REDIREC_TO_BUFFER) So it will only go wrong if the session got invalidated in a request then a redirect is done to a page that was created for that request But i guess this is maybe even wat you want because maybe it is the ByeBye page? The problem is that a buffered response isn't even checked for a new session (or better said not yet created session) because we don't create the session at that time.. We could stored those redirect buffers in the session, but we don't want that because the session could be clusted ect and then it is constanlty touched and updated and therefor replicated. johan On 3/2/06, jan_bar [EMAIL PROTECTED] wrote: Hi, I created a little application that tests various session behaviour. I notied something interesting with Tomcat. When session is invalidated and browser sends request to Tomcat with session id in cookie (the session was invalidated), Tomcat doesn't create new session with new id, it just reuse the session id. Just to be clean about that, here is part of the log: PersistentSessionListener.sessionCreated(), id = 94B93B22C9E1B8B2EFA96807764C12E9 PersistentSessionListener.sessionDestroyed(), id = 94B93B22C9E1B8B2EFA96807764C12E9 PersistentSessionListener.sessionCreated(), id = 94B93B22C9E1B8B2EFA96807764C12E9 Even if suprising behaviour, it is in my opinion correct. Why to generate new session id when I can reuse the already generated one? And now to the point. It seems to me that Wicket 1.1.1 is not prepared to handle this correctly, for instance the WebApplication.redirectMap contains entries, that are not valid for the new session if it has the same id. Can someone confirm this? I use JBoss 4.0.3SP1 Thanks, Jan --- This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmd=lnkkid=110944bid=241720dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user --- This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmd=lnkkid=110944bid=241720dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Re: Wicket and Tomcat session id reuse
ahh but then somehow youre session is already made again BEFORE our wicket.doGet() methodbecause we don't make a session in the doGet that only happens a few steps later when we really needto store a page in the session. Do you use filters? that do request.getSession(true) ?Maybe we should listen to session destructions on some place and really clear the mapI now just made a commit that when you do invalidate through wicket the buffered map will be cleared. So now only the time out sessions can have a buffer but that is not very likely because they aren't in a redirect.johanOn 3/2/06, jan_bar [EMAIL PROTECTED] wrote:Thanks Johan, (I cannot indent your message, because it is not plain text). I have exactlythe situation you describe. I use the REDIREC_TO_BUFFER, invalidate a page ano redirect. With Jetty I get session expired page, which is expected, but with Tomcat I get back the original page. Only after subsequent refresh orbutton click I get the session expired. This is due to the fact, that thebuffered response was not cleared from the map. JanJohan Compagner [EMAIL PROTECTED] wrote in messagenews:[EMAIL PROTECTED]that map doesn't really matter it is only filled with something if we send out a client side redirect to apage that we already renderd (REDIREC_TO_BUFFER)So it will only go wrong if the session got invalidated in a request then a redirect is done to a page that was created for that requestBut i guess this is maybe even wat you want because maybe it is the ByeByepage?The problem is that a buffered response isn't even checked for a new session (or better said not yet created session)because we don't create the session at that time..We could stored those redirect buffers in the session, but we don't wantthat because the session could be clusted ect and then it is constanlty touched and updated and therefor replicated.johanOn 3/2/06, jan_bar [EMAIL PROTECTED] wrote:Hi,I created a little application that tests various session behaviour. I notied something interesting with Tomcat. When session is invalidated andbrowser sends request to Tomcat with session id in cookie (the session wasinvalidated), Tomcat doesn't create new session with new id, it just reuse the session id. Just to be clean about that, here is part of the log:PersistentSessionListener.sessionCreated(), id =94B93B22C9E1B8B2EFA96807764C12E9PersistentSessionListener.sessionDestroyed(), id = 94B93B22C9E1B8B2EFA96807764C12E9PersistentSessionListener.sessionCreated(), id =94B93B22C9E1B8B2EFA96807764C12E9Even if suprising behaviour, it is in my opinion correct. Why to generatenew session id when I can reuse the already generated one? And now to the point. It seems to me that Wicket 1.1.1 is not prepared tohandle this correctly, for instance the WebApplication.redirectMap containsentries, that are not valid for the new session if it has the same id. Can someone confirm this?I use JBoss 4.0.3SP1Thanks, Jan---This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcastand join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmd=lnkkid=110944bid=241720dat=121642___Wicket-user mailing list Wicket-user@lists.sourceforge.nethttps://lists.sourceforge.net/lists/listinfo/wicket-user--- This SF.Net email is sponsored by xPML, a groundbreaking scripting languagethat extends applications into web and mobile media. Attend the live webcastand join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmd=lnkkid=110944bid=241720dat=121642___ Wicket-user mailing listWicket-user@lists.sourceforge.nethttps://lists.sourceforge.net/lists/listinfo/wicket-user
