Okay a better attempt:
I tried your suggestion to overwrite the replaceSession method of the Session
class. It didn't work.
But now I modified the lookup method of the AbstractHttpSessionStore like the
following:
public Session lookup(Request request) {
String sessionId = getSessionId(request, false);
LOG.debug("AbstractHttpSessionStore#lookup() [sessionId={}]", sessionId);
if (sessionId != null) {
WebRequest webRequest = toWebRequest(request);
Session session = (Session)getAttribute(webRequest,
Session.SESSION_ATTRIBUTE_NAME);
// it cannot be okay if the session id's are not equal!!!
if (null != session && !sessionId.equals(session.getId())) {
try {
Field f = Session.class.getDeclaredField("id");
f.setAccessible(true);
f.set(session, null); // it will be resolved later from the
httpSession
} catch (Exception e) {
throw new IllegalStateException(e);
}
}
return session;
}
return null;
}
That seems to work. Is it a valid solution?
Thomas
-----Ursprüngliche Nachricht-----
Von: Martin Grigorov <mgrigo...@apache.org>
Gesendet: Mi 04.04.2012 11:43
Betreff: Re: Wicket session id not up to date due to Tomcat session
fixation protection
An: users@wicket.apache.org;
> Sorry.
> I didn't understand you.
>
> A quickstart will make it easier for me to help you.
>
> On Wed, Apr 4, 2012 at 11:39 AM, Thomas Rohde <t...@ordix.de> wrote:
> > Hi Martin,
> >
> > I already did that (I wrote above). But the problem still exists. I cannot
> see from where wicket gets the old and wrong session id.
> >
> > Thomas
> >
> > -----Ursprüngliche Nachricht-----
> > Von: Martin Grigorov <mgrigo...@apache.org>
> > Gesendet: Mi 04.04.2012 11:10
> > Betreff: Re: Wicket session id not up to date due to Tomcat session
> fixation protection
> > An: users@wicket.apache.org;
> >> Hi Thomas,
> >>
> >> Temporarily until there is a fix you can override #replaceSession() to
> >> look like:
> >> super.replaceSession();
> >> Field idField = getField("id");
> >> idField.setAccessible(true);
> >> idField.set(this, null);
> >>
> >> I.e. null-ify the cached session id in Session.
> >>
> >>
> >> On Wed, Apr 4, 2012 at 10:57 AM, Thomas Rohde <t...@ordix.de> wrote:
> >> > Hi Martin,
> >> >
> >> > see inline.
> >> >
> >> > Thanks!
> >> > Thomas
> >> >
> >> > -----Ursprüngliche Nachricht-----
> >> > Von: Martin Grigorov <mgrigo...@apache.org>
> >> > Gesendet: Mi 04.04.2012 10:26
> >> > Betreff: Re: Wicket session id not up to date due to Tomcat
> >> > session
> >> fixation protection
> >> > An: users@wicket.apache.org;
> >> >> Hi Thomas,
> >> >>
> >> >> On Wed, Apr 4, 2012 at 10:18 AM, Thomas Rohde <t...@ordix.de> wrote:
> >> >> > Hi Martin,
> >> >> >
> >> >> > but the AbstractHttpSesionStore has a SessionBindingListener which
> stores
> >> the
> >> >> session id and the Session class has an id member variable.
> >> >>
> >> >> This is improved in 6.x and the session is taken from the passed
> >> >> event. I can backport it to 1.5.x too.
> >> >
> >> > Please take a look at this. I put some log statements in the session
> >> > class.
> >> For me the lookup method looks weird. Take a look at the following code:
> >> >
> >> > public Session lookup(Request request) {
> >> > String sessionId = getSessionId(request, false);
> >> > LOG.debug("AbstractHttpSessionStore#lookup() [sessionId={}]",
> >> > sessionId);
> >> > if (sessionId != null) {
> >> > WebRequest webRequest = toWebRequest(request);
> >> > Session session = (Session)getAttribute(webRequest,
> >> Session.SESSION_ATTRIBUTE_NAME);
> >> > LOG.debug("AbstractHttpSessionStore#lookup() [getAttribute()={}]
> >> [session={}]",
> >> > (null != session) ? session.getId() : "null", session);
> >> > return session;
> >> > }
> >> > return null;
> >> > }
> >> >
> >> > The first log output produces
> >> > AbstractHttpSessionStore#lookup()
> [sessionId=A8F69FB8C2119439FC90CFD647115D51]
> >> >
> >> > The second produces the following
> >> > AbstractHttpSessionStore#lookup()
> >> [getAttribute()=9F4CECDC89947EFEF5B7646F6600A8B8]
> >> [session=de.postbank.ucp.application.face.session.FaceWebSession@3cf08d9e]
> >> >
> >> > The getAttribute resolves the session object but the session id within
> >> > the
> >> session object is not the same as the session id from getSessionId(request,
> >> false) which is the one of the httpSession object from the underlying web
> >> container. Can you explain this to me?
> >> >
> >> >>
> >> >> >
> >> >> > The getId() implementation of the Session class uses the following
> logic:
> >> >> >
> >> >> > if (id == null)
> >> >> > id = getSessionStore().getSessionId(RequestCycle.get().getRequest(),
> >> false);
> >> >> >
> >> >> > After our login procedure Session.getId() is never equal to
> >> >> httpSession.getId()
> >> >>
> >> >> This deserves a ticket - the 'id' member should be reset to 'null' in
> >> >> #replaceSession().
> >> >
> >> > I tested it via reflection, but did not solve the problem.
> >> >
> >> >>
> >> >> Please file a ticket.
> >> >>
> >> >> >
> >> >> > Thomas
> >> >> >
> >> >> > -----Ursprüngliche Nachricht-----
> >> >> > Von: Martin Grigorov <mgrigo...@apache.org>
> >> >> > Gesendet: Mi 04.04.2012 09:39
> >> >> > Betreff: Re: Wicket session id not up to date due to Tomcat
> session
> >> >> fixation protection
> >> >> > An: users@wicket.apache.org;
> >> >> >> Hi Thomas,
> >> >> >>
> >> >> >> Wicket doesn't store anything in its session store.
> >> >> >> It always uses the currently active http session to get the id.
> >> >> >> See
> >> >> >>
> >> >>
> >>
> org.apache.wicket.protocol.http.AbstractHttpSessionStore#getSessionId(Request,
> >> >> >> boolean)
> >> >> >>
> >> >> >> On Wed, Apr 4, 2012 at 9:27 AM, Thomas Rohde <t...@ordix.de> wrote:
> >> >> >> > Hi!
> >> >> >> >
> >> >> >> > We are using Wicket 1.4.20 and Tomcat 7.0.21.
> >> >> >> >
> >> >> >> > After form based authentication (configured in web.xml) we call
> >> >> >> wicketSession.replaceSession() in the constructor of our base page
> >> >> >> and
> >> send a
> >> >> >> redirect to our welcome page. Due to tomcat's session fixation
> protection
> >> the
> >> >> >> session id changes for some times. After rendering the welcome page
> >> >> >> the
> >> >> session
> >> >> >> id stored in wicket's session store is not equal to the JSESSIONID.
> >> >> >> >
> >> >> >> > Are we doing anything wrong? Any idea?
> >> >> >> >
> >> >> >> > Regards,
> >> >> >> > Thomas
> >> >> >> >
> >> >> >> > ---------------------------------------------------------------------
> >> >> >> > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> >> >> >> > For additional commands, e-mail: users-h...@wicket.apache.org
> >> >> >> >
> >> >> >>
> >> >> >>
> >> >> >>
> >> >> >> --
> >> >> >> Martin Grigorov
> >> >> >> jWeekend
> >> >> >> Training, Consulting, Development
> >> >> >> http://jWeekend.com
> >> >> >>
> >> >> >> ---------------------------------------------------------------------
> >> >> >> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> >> >> >> For additional commands, e-mail: users-h...@wicket.apache.org
> >> >> >>
> >> >> >>
> >> >> >
> >> >> > ---------------------------------------------------------------------
> >> >> > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> >> >> > For additional commands, e-mail: users-h...@wicket.apache.org
> >> >> >
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> Martin Grigorov
> >> >> jWeekend
> >> >> Training, Consulting, Development
> >> >> http://jWeekend.com
> >> >>
> >> >> ---------------------------------------------------------------------
> >> >> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> >> >> For additional commands, e-mail: users-h...@wicket.apache.org
> >> >>
> >> >>
> >> >
> >> > ---------------------------------------------------------------------
> >> > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> >> > For additional commands, e-mail: users-h...@wicket.apache.org
> >> >
> >>
> >>
> >>
> >> --
> >> Martin Grigorov
> >> jWeekend
> >> Training, Consulting, Development
> >> http://jWeekend.com
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> >> For additional commands, e-mail: users-h...@wicket.apache.org
> >>
> >>
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> > For additional commands, e-mail: users-h...@wicket.apache.org
> >
>
>
>
> --
> Martin Grigorov
> jWeekend
> Training, Consulting, Development
> http://jWeekend.com
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> For additional commands, e-mail: users-h...@wicket.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
