Did you try HttpSessionStore?

-Ryan

On Mon, Apr 7, 2008 at 2:00 PM, Edvin Syse <[EMAIL PROTECTED]> wrote:
> > is it really the wicket session or a page?
>
> I believe it's the session, but I'm not sure. The "hijacker" is able to
> navigate through all pages as the hijacked user. And on the top of every
> page there is a logout button and text saying "Logout <username>".
>
> I'm not running in a clustered environment, just plain Jetty 6.1.7 in
> setuid mode.
>
> I'm using the SecondLevelCacheSessionStore, but I'm thinking about trying
> with the HttpSessionStore now to see if it makes any difference.
>
> I refer to the session object with a static getter everywhere (I think)
> using MySession.get().etc..
>
> -- Edvin
>
> > On Mon, Apr 7, 2008 at 10:40 PM, Edvin Syse <[EMAIL PROTECTED]> wrote:
> > >
> > > Today I deployed an application based on Wicket 1.3.3 that has close to
> > > 10.000 users. After a couple of hours we started getting reports from
> > > users saying that even upon requesting the login-page, they were already
> > > logged in as an arbitrary user.
> > >
> > > The users they were logged in as had previously performed a successful
> > > login.
> > >
> > > It seems like the wicket-sessions bleed over between different
> > > http-sessions. I tried changing from HybridUrlCodingStrategy to
> > > mounting the pages with the normal mountBookmarkablePage() method, but
> > > the results are the same. I also tried downgrading to 1.3.2 with the
> > > same results.
> > >
> > > Can anyone think of a logical mistake I might have made?
> > >
> > > Sincerely,
> > > Edvin Syse
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
