Hi,
Unfortunately, I found two days ago that there was an issue with the emptySessionPath feature I had introduced for Pluto. Browsing pluto-dev archives today, it seems others found the problem even earlier.
The issue is that sessions are getting lost when using emptySessionPath="true", unless the applications are first accessed using crossContext.
To address this, I propose simply reusing any session id presented by the client. As an option, this could be done only if emptySessionPath is true. I have tested it, and it works very well, addressing the problem with emptySessionPath="true". I could not think of any security issue this would cause (if the client submits a bogus insecure id, then he'll be the one being impacted), since the underlying session objects would be created and handled as usual. In "normal" mode (emptySessionPath set to false), this would save costly session id generation.
However, the problem is that I need to modify a method in the top level Manager interface :(
public Session createSession() must become: public Session createSession(String sessionId) (if sessionId is null, a new session id will be generated)
As the createSession() will no longer be used anywhere, and calling it in old managers would create bad behavior, I propose removing it rather than deprecating it.
Managers extending ManagerBase should work and compile as before with no changes unless they override the createSession method.
Comments, votes?
Rémy
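
A sketch of the proposed createSession(String sessionId) behaviour, added here as an illustration and not code from this message or from Tomcat. SketchManager, its Session class, the 32-hex-character id format and the well-formedness check are assumptions; two managers stand in for two web applications that receive the same session cookie.

```java
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added sketch with hypothetical names; not Tomcat's Manager or ManagerBase.
public class SketchManager {
    public static final class Session {
        final String id;
        final Map<String, Object> attributes = new ConcurrentHashMap<>();
        Session(String id) { this.id = id; }
    }

    private final Map<String, Session> sessions = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();

    // Assumption: ids are 32 upper-case hex characters; other client input is ignored.
    private static boolean wellFormed(String id) {
        return id != null && id.matches("[0-9A-F]{32}");
    }

    private String generateSessionId() {
        byte[] bytes = new byte[16];
        random.nextBytes(bytes);
        StringBuilder sb = new StringBuilder(32);
        for (byte b : bytes) sb.append(String.format("%02X", b));
        return sb.toString();
    }

    // null (or a malformed id) means "generate"; otherwise the presented id is reused.
    public Session createSession(String sessionId) {
        String id = wellFormed(sessionId) ? sessionId : generateSessionId();
        // The session object is always created server-side, empty, as usual.
        Session created = new Session(id);
        // If the id is already live in this manager, never return or replace that session.
        while (sessions.putIfAbsent(created.id, created) != null) {
            created = new Session(generateSessionId());
        }
        return created;
    }

    public static void main(String[] args) {
        SketchManager appA = new SketchManager(); // constructed: two contexts, one cookie
        SketchManager appB = new SketchManager();
        Session a = appA.createSession(null);     // first application generates the id
        Session b = appB.createSession(a.id);     // second application reuses it
        System.out.println("same id in both applications: " + a.id.equals(b.id));
        System.out.println("separate session objects: " + (a != b));
        System.out.println("malformed id replaced: " + !appB.createSession("bogus").id.equals("bogus"));
        System.out.println("live id not handed out twice: " + !appB.createSession(a.id).id.equals(a.id));
    }
}
```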