On Tue, Mar 26, 2013 at 4:31 AM, Emond Papegaaij <emond.papega...@topicus.nl> wrote:
> On Monday 25 March 2013 00:59:30 Leonid Bogdanov wrote:
> > 3) In my app Apache Shiro framework is integrated via a plugin adapted
> > from "fiftyfive-wicket-shiro" project. User credentials are checked in an
> > AJAX login form. In order to prevent a session fixation attack there is a
> > call to invalidate old and create new session right before credentials
> > check:
> >
> > getSession().replaceSession(); // inside AjaxFallbackButton.onSubmit()
> >
> > After integration with Atmosphere this code no longer works, an
> > exception is thrown on login attempt:
> >
> > <cut IllegalStateException in Session>
>
> I'm not sure what happens here. It seems Wicket tries to read an attribute
> from the invalidated session. Does this happen even without a suspended
> connection?
>

I encountered this same issue, and traced it back to the AtmosphereRequest
caching and returning the original session, even after it had been
invalidated and replaced. I reported it upstream.

https://github.com/Atmosphere/atmosphere/pull/1139

Dan
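
The failure mode described in the reply above, as an added example that is not part of the original thread and is not Atmosphere, Wicket or Servlet API code: a request wrapper that caches the session keeps handing back the invalidated object, so the first read after the session is replaced throws. Every class and method name below is hypothetical, and the container is reduced to a minimal constructed model.

```java
// Constructed model; every name is hypothetical (not Atmosphere, Wicket or Servlet API code).
public class StaleSessionDemo {
    static class Session {
        boolean valid = true;
        void invalidate() { valid = false; }
        Object getAttribute(String name) {
            if (!valid) throw new IllegalStateException("Session already invalidated");
            return null; // this model stores no attributes
        }
    }
    // Stands in for the container: always hands out a live session.
    static class ContainerRequest {
        private Session current;
        Session getSession() {
            if (current == null || !current.valid) current = new Session();
            return current;
        }
    }
    // Wrapper that caches the first session it sees and never re-checks it.
    static class CachingWrapper {
        protected final ContainerRequest delegate;
        protected Session cached;
        CachingWrapper(ContainerRequest delegate) { this.delegate = delegate; }
        Session getSession() {
            if (cached == null) cached = delegate.getSession();
            return cached;
        }
    }
    // Same wrapper, but a cached session that is no longer valid is dropped.
    static class RevalidatingWrapper extends CachingWrapper {
        RevalidatingWrapper(ContainerRequest delegate) { super(delegate); }
        @Override Session getSession() {
            if (cached == null || !cached.valid) cached = delegate.getSession();
            return cached;
        }
    }
    // Login-time sequence: invalidate the old session, then read from the current one.
    static String loginFlow(CachingWrapper request) {
        Session old = request.getSession();
        old.invalidate();
        try {
            request.getSession().getAttribute("user");
            return "read succeeded, fresh session: " + (request.getSession() != old);
        } catch (IllegalStateException e) { return "IllegalStateException: " + e.getMessage(); }
    }
    public static void main(String[] args) {
        System.out.println("caching:      " + loginFlow(new CachingWrapper(new ContainerRequest())));
        System.out.println("revalidating: " + loginFlow(new RevalidatingWrapper(new ContainerRequest())));
    }
}
```

For session fixation defences the point to verify is that, after the replace call, every layer between the application and the container resolves to the new session object rather than a reference captured earlier in the request.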