hhaider February 2016

Wicket invalidateNow() deletes other session cookies

I'm running Wicket 6.15, and I've noticed weird behavior when invalidating the user's session.

Upon calling WebSession.get().invalidateNow(), I'm expecting JSESSIONID session cookie to get deleted.

I've noticed that JSESSIONID indeed gets deleted by getting an http response header that sets the cookie's expiry to 0.

I've noticed that this is not limited to the JSESSIONID, but it also deletes all other session cookies.

Is there a way to change this behavior so that WebSession.get().invalidateNow() only deletes JSESSIONID cookie, and leaves other session cookies intact?

Answers


martin-g February 2016

Wicket doesn't manage JSESSIONID, nor any other cookie created by application. Session#invalidate() and Session#invalidateNow() just delegate to javax.servlet.HttpSession#invalidate() method, i.e. the web container manages JSESSIONID.

Post Status

Asked in February 2016
Viewed 2,817 times
Voted 14
Answered 1 times

Search




Leave an answer