Hi,
We have Wicket 1.4.12 on our site at the moment, and over the last few
weeks we had occasional reports of users seeing pages that belonged to
another user (e.g. when logged in, the username on the page was for
another user).

The panel that displays the username was using a property model which
was holding the Session object - after seeing some discussion on the
list we know this is bad and will change it. But in our case memory
wasn't blowing up, and it did have the username in the session. If we
had used the current session, users might not have noticed the bug.

We made a change to our base page to try and catch the problem. When a
page is created with a session we store the session id and username in
the page as fields. Then in onBeforeRender we check the current session's
id against the id stored in the page - when they don't match we
log the problem and redirect to an error page so the user does not see
another user's data.

From this we got 5 cases over a day. Most of the cases occurred when
user A had logged out between 10 secs and 1 minute earlier; user B would
then see a page belonging to user A. In some cases user A had not logged
out, but a new page had been instantiated in the same time frame. My guess
here would be that it has to do with evicting pages when the pagemap is full
- logging out removes everything, and creating pages removes pages when
there is no more space.

Two days ago we checked where our disk page store files were stored and it
had about 500Mb of files there (which is consistent with our settings).
We deleted files that were more than 2 days old, which reduced this to
40Mb. We didn't get any new cases occurring, but will keep looking.

We can manage the situation by leaving this code in to redirect on error
and monitoring the number of cases we get. We will look at going to Wicket
1.4.14 soon.

Is there some place we could/should add logging (DiskPageStore?) that
might detect this problem earlier?
--
Jason Lea
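The base-page check Jason describes (store the creating session's id and username as page fields, compare against the current session in onBeforeRender, log and redirect on mismatch), written out as an added example against the Wicket 1.4 API. This is not Jason's code or anything from the Wicket project; `MySession` with its `getUsername()` accessor and `SessionMismatchErrorPage` are assumed names standing in for whatever the site actually uses.

```java
import org.apache.wicket.Request;
import org.apache.wicket.RestartResponseException;
import org.apache.wicket.Session;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.protocol.http.WebSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Base page that remembers which session built it and refuses to render
 * for any other session. Assumed example code, not from the original post.
 */
public abstract class BasePage extends WebPage {
    private static final Logger log = LoggerFactory.getLogger(BasePage.class);

    // Captured once, at construction time, from the session that created the page.
    private final String creatorSessionId;
    private final String creatorUsername;

    public BasePage() {
        Session session = Session.get();
        // Session.getId() is null for a temporary (not yet bound) session in 1.4;
        // such a page cannot have been served from another user's store.
        this.creatorSessionId = session.getId();
        this.creatorUsername = (session instanceof MySession)
                ? ((MySession) session).getUsername() // assumed accessor
                : null;
    }

    /**
     * Returns true when the page was created by a bound session that differs
     * from the one now rendering it. Kept as a separate method so it can be
     * unit-tested without a full request cycle.
     */
    protected boolean isServedToWrongSession(String currentSessionId) {
        return creatorSessionId != null && !creatorSessionId.equals(currentSessionId);
    }

    @Override
    protected void onBeforeRender() {
        String currentSessionId = Session.get().getId();
        if (isServedToWrongSession(currentSessionId)) {
            // Log enough to correlate with the page store (page id + both session ids),
            // but never the other user's data itself.
            log.error("Session mismatch on page {} ({}): created by session {} for user {}, "
                    + "now rendered by session {}. Aborting render.",
                    new Object[] { getClass().getName(), getId(), creatorSessionId,
                            creatorUsername, currentSessionId });
            // Abort this render and send the browser to a neutral error page instead.
            throw new RestartResponseException(SessionMismatchErrorPage.class);
        }
        super.onBeforeRender();
    }
}

/** Assumed application session type: holds the logged-in username. */
class MySession extends WebSession {
    private String username;

    public MySession(Request request) {
        super(request);
    }

    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }
}

/** Assumed error page shown instead of another user's content (needs its own markup file). */
class SessionMismatchErrorPage extends WebPage {
}
```

Two points worth checking in practice: the comparison is skipped when the creating session had no id yet (a temporary session in 1.4), since that page cannot have come from another user's page map, and the mismatch is logged at error level with the page id and both session ids so the entries can be matched against the DiskPageStore files when the count of cases is reviewed.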