Currently PrimeExceptionHandler and PrimeExceptionHandlerELResolver use ExternalContext#getSessionMap to retrieve the session map. This triggers session creation if it doesn't exist, and it's bad for two reasons:
if the response is already committed, trying to create a session causes an exception
if the user wants stateless mode (f:view transient="true")
Those classes should check session existence before using the session map.
Some alternatives I thought about:
using ClientWindow as suggested by @tandraschko -> still needs a session if I'm not wrong
using Flash -> will fail if the response is already committed
sending exception info as encoded url params -> is it safe?
saving exception info in the application map using a random id and sending the id as a url param -> how and when will the map be cleaned?
Any thoughts?
A possible implementation could use "crypto tokens".
Create an in-memory AES256 global key when PF starts.
Use this to AES256-GCM protect your URL params or cookie value or whatever you think that needs to be secured.
Advantage here is that you don't have to worry about your security token "lifecycle", i.e., no server-side map risks of being saturated.
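One way to realise the in-memory-key idea above, as an added example in Java that is not PrimeFaces code (the class and method names are mine; only the standard JCE API is assumed):

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
/** Hypothetical helper: seals a short exception-info string into a URL-safe token. */
public final class ExceptionInfoToken {
    private static final int IV_BYTES = 12;   // 96-bit GCM nonce
    private static final int TAG_BYTES = 16;  // 128-bit authentication tag
    private static final SecureRandom RNG = new SecureRandom();
    // Generated once per JVM start and never persisted: tokens die with the process.
    private static final SecretKey KEY = newKey();
    private static SecretKey newKey() {
        try {
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(256);
            return kg.generateKey();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("AES-256 unavailable", e);
        }
    }
    /** Returns base64url(iv || ciphertext || tag), safe to place in a URL parameter. */
    public static String seal(String plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);  // fresh random nonce per token; never reuse one under this key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, KEY, new GCMParameterSpec(TAG_BYTES * 8, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[IV_BYTES + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_BYTES);
        System.arraycopy(ct, 0, out, IV_BYTES, ct.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    /** Returns the plaintext, or null if the token is malformed, forged, or from another JVM. */
    public static String unseal(String token) {
        try {
            byte[] in = Base64.getUrlDecoder().decode(token);
            if (in.length < IV_BYTES + TAG_BYTES) return null;
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, KEY, new GCMParameterSpec(TAG_BYTES * 8, in, 0, IV_BYTES));
            return new String(c.doFinal(in, IV_BYTES, in.length - IV_BYTES), StandardCharsets.UTF_8);
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return null;  // bad tag, bad base64, wrong length: reject without detail
        }
    }
}
```

The key lives only in this JVM, so a token is useless after a restart or on another node unless the key is shared; it hides and authenticates the payload but does not stop replay within the key's lifetime, so keep the payload to a short message or id rather than a stack trace.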
We need this, independent of your exception. Session doesn't work well with multiple tabs.
doesn't fix it
stacktrace in url param? -1
Possible, but I won't invest any time here. A user doesn't need the exception to be displayed anyway; it's just a nice gimmick. A generic error page should be enough - at least in production.
I'll give it a try with null check + client window
(another idea: we could skip creating and saving ExceptionInfo if PrimeExceptionHandlerELResolver isn't enabled, but I'm not sure if there's a way to check the available EL resolvers)
As discussed on discord (https://discord.com/channels/787967399105134612/787967662293909524/1225465731215392838)