Yes I did - didn't help.
-- Edvin
On Apr 13, 2008, at 3:42, "Ryan Holmes" <[EMAIL PROTECTED]> wrote:
Did you try HttpSessionStore?
-Ryan
On Mon, Apr 7, 2008 at 2:00 PM, Edvin Syse <[EMAIL PROTECTED]> wrote:
is it really the wicket session or a page?
I believe it's the session, but I'm not sure. The "hijacker" is able to
navigate through all pages as the hijacked user. And on the top of every
page there is a logout button and text saying "Logout <username>".
I'm not running in a clustered environment, just plain Jetty 6.1.7 in
setuid mode.
I'm using the SecondLevelCacheSessionStore, but I'm thinking about trying
with the HttpSessionStore now to see if it makes any difference.
I refer to the session object with a static getter everywhere (I think)
using MySession.get().etc..
-- Edvin
On Mon, Apr 7, 2008 at 10:40 PM, Edvin Syse <[EMAIL PROTECTED]> wrote:
Today I deployed an application based on Wicket 1.3.3 that has close to
10.000 users. After a couple of hours we started getting reports from users
saying that even upon requesting the login-page, they were already logged in
as an arbitrary user.
The users they were logged in as had previously performed a successful login.
It seems like the wicket-sessions bleed over between different
http-sessions. I tried changing from HybridUrlCodingStrategy to mounting the
pages with the normal mountBookmarkablePage() method, but the results are
the same. I also tried downgrading to 1.3.2 with the same results.
Can anyone think of a logical mistake I might have made?
Sincerely,
Edvin Syse
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]