in my experience all these session leaks have usually been caused by bugs in user code - such as using a singleton to store some state. however, once you can give us a test case that reproduces this we will be happy to fix it.
-igor

On Wed, Dec 8, 2010 at 9:44 PM, Jason Lea <[email protected]> wrote:
> Hi,
>
> We have wicket 1.4.12 on our site at the moment, and over the last few weeks
> we had occasional reports of users seeing pages that belonged to another
> user (eg when logged in, the username on the page was for another user).
>
> The panel that displays the username was using a property model which was
> holding the Session object - after seeing some discussion on the list we
> know this is bad and will change it. But in our case memory wasn't blowing
> up, and it did have the username in the session. If we used the current
> session users might not have noticed the bug.
>
> We made a change to our base page to try and catch the problem. When a page
> is created with a session we stored the session id and username in the page
> as fields. Then onBeforeRender we check the current session's id against
> the id stored in the page - when they didn't match we would log the problem
> and redirect to an error page so the user does not see another user's data.
>
> From this we got 5 cases over a day. Most of the cases occurred when user A
> had logged out between 10 secs to 1 minute, user B would see a page
> belonging to user A. In some cases the user A had not logged out, but a new
> page had been instantiated in the same time frame. My guess here would be
> it has to do with evicting pages when the pagemap is full - logging out
> removes everything, creating pages will remove pages when there is no more
> space.
>
> 2 days ago we checked where our disk page store files were stored and it had
> about 500Mb of files there (which is consistent with our settings). We
> deleted files that were more than 2 days old - which reduced this to 40Mb.
> We didn't get any new cases occurring, but will keep looking.
>
> We can manage the situation by leaving this code to redirect on error and
> monitor the number of cases we get. We will look at going to Wicket 1.4.14
> soon.
>
> Is there some place we could/should add logging (DiskPageStore?) that might
> detect this problem earlier?
>
> --
> Jason Lea
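
The base-page check described in the quoted message (store the creating session's id in the page, compare it in onBeforeRender, log and redirect on a mismatch), sketched against the Wicket 1.4 API as an added example; it is not code from this thread. The class names SessionBoundPage and SessionMismatchPage are hypothetical, and the username field is left out because it depends on the application's own Session subclass.

```java
import org.apache.wicket.RestartResponseException;
import org.apache.wicket.markup.html.WebPage;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** Base page that refuses to render in any session other than the one that created it. */
public abstract class SessionBoundPage extends WebPage {
    private static final long serialVersionUID = 1L;
    private static final Logger log = LoggerFactory.getLogger(SessionBoundPage.class);

    // Keep only the id string. Holding the Session object itself in a page
    // field or model is the pattern the thread already identifies as wrong.
    private final String ownerSessionId;

    protected SessionBoundPage() {
        // getId() is null while the session is still temporary (not yet bound),
        // so such pages are not checked later (assumption made for this sketch).
        ownerSessionId = getSession().getId();
    }

    @Override
    protected void onBeforeRender() {
        String currentId = getSession().getId();
        if (ownerSessionId != null && !ownerSessionId.equals(currentId)) {
            // The timestamp and page class let the event be correlated with
            // logout times and page store activity.
            log.error("Page {} created in session {} but rendered in session {}",
                    new Object[] { getClass().getName(),
                            abbreviate(ownerSessionId), abbreviate(currentId) });
            // Abort rendering before any of the other user's data is written.
            throw new RestartResponseException(SessionMismatchPage.class);
        }
        super.onBeforeRender();
    }

    // Log only a prefix: a full session id in a log file is itself a credential.
    private static String abbreviate(String id) {
        return id == null ? "none" : id.substring(0, Math.min(8, id.length())) + "...";
    }
}

/** Hypothetical error page; it needs its own markup file and must not extend SessionBoundPage. */
class SessionMismatchPage extends WebPage {
    private static final long serialVersionUID = 1L;
}
```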
