is it really the wicket session or a page?
I believe it's the session, but I'm not sure. The "hijacker" is able to navigate through all pages as the hijacked user. And at the top of every page there is a logout button and text saying "Logout <username>".
I'm not running in a clustered environment, just plain Jetty 6.1.7 in setuid mode.
I'm using the SecondLevelCacheSessionStore, but I'm thinking about trying with the HttpSessionStore now to see if it makes any difference.
I refer to the session object with a static getter everywhere (I think), using MySession.get(), etc.
-- Edvin
On Mon, Apr 7, 2008 at 10:40 PM, Edvin Syse <[EMAIL PROTECTED]> wrote:
Today I deployed an application based on Wicket 1.3.3 that has close to 10.000 users. After a couple of hours we started getting reports from users saying that even upon requesting the login page, they were already logged in as an arbitrary user.
The users they were logged in as had previously performed a successful login.
It seems like the Wicket sessions bleed over between different HTTP sessions. I tried changing from HybridUrlCodingStrategy to mounting the pages with the normal mountBookmarkablePage() method, but the results are the same. I also tried downgrading to 1.3.2 with the same results.
Can anyone think of a logical mistake I might have made?
Sincerely,
Edvin Syse
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]