Candidate fix:

Index: core/src/com/icesoft/faces/webapp/http/core/ReceiveSendUpdates.java
===================================================================
— core/src/com/icesoft/faces/webapp/http/core/ReceiveSendUpdates.java (revision 20655)
+++ core/src/com/icesoft/faces/webapp/http/core/ReceiveSendUpdates.java (working copy)
@@ -61,7 +61,13 @@
} else {
View view = (View) views.get(viewNumber);
if (view == null) {

• request.respondWith(new ReloadResponse(viewNumber));
  + try { + Integer.parseInt(viewNumber); + request.respondWith(new ReloadResponse(viewNumber)); + }

  catch (NumberFormatException e)

  { + LOG.warn("Malformed viewNumber " + viewNumber); + request.respondWith(SessionExpiredResponse.Handler); + }

  } else {
  try {
  view.processPostback(request);

To create fake ICEfaces requests using curl:

curl --cookie /tmp/cookies.txt --cookie-jar /tmp/cookies.txt http://localhost:8080/auctionMonitor/auctionMonitor.iface | fgrep session

Then extract the "session:" parameter and use in the request above for "ice.session".

Assigning to Mircea to review Ted's suggested fix and apply or adjust as required.

The view number is already checked at line 62 in ReceiveSendUpdates.java file. It was implemented already for ICE-5181. Were the fixes for ICE-5181 not working all this time?

Sending back a session expired when view number is not correct is a bit misleading. A 500 error is more appropriate since it describes more appropriately the problem, also the response will shutdown only the bridge instance (window) that made the erroneous request while a session expired message will shutdown all the windows.

As Mircea pointed out, this was already fixed in the trunk but was reported by the customer since the fix was not present in ICEfaces 1.8.2. The change has been reverted.

Duplicate of ICE-5181.