I just found this article mentioned in a post while browsing other mailing lists referencing Wicket...
http://www2.csoonline.com/exclusives/column.html?CID=33395

It provides the case for Wicket's session-relative URLs:

> A more sophisticated defense involves making sure the bad guys won't have
> the exact command to execute an action on the target website. "Essentially
> what the developer is trying to do is make sure the request is
> unpredictable," Grossman says. "The same request I use to do a wire transfer
> will not be identical to one you make." Typically this would involve
> generating cryptographic tokens for each user.

Martijn

--
Buy Wicket in Action: http://manning.com/dashorst
Apache Wicket 1.3.0 is released
Get it now: http://www.apache.org/dyn/closer.cgi/wicket/1.3.0
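The defense Grossman describes in the quoted column (a per-user secret that makes the wire-transfer request unpredictable to anyone who has not seen the victim's own page) is the synchronizer-token pattern. The following is an added illustration in Python, not code from the post, from Wicket, or from the CSO article; Wicket itself implements the idea through its session-relative URLs rather than a hidden form field. The in-memory session table, the `/transfer` form, the balances and the user names are all constructed for the example.

```python
"""Synchronizer-token CSRF defense (illustration, not Wicket's implementation):
every session gets an unpredictable token, every state-changing request must
echo it back, and the server compares the two in constant time."""
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed in-memory session table (hypothetical stand-in for a real
# server-side session store): session id -> session data.
SESSIONS: dict[str, dict] = {}


def new_session() -> str:
    """Create a server-side session and return its id (hypothetical store)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"balance": 1000}
    return sid


def issue_csrf_token(sid: str) -> str:
    """Mint a 256-bit random token and bind it to this session only."""
    token = secrets.token_urlsafe(32)
    SESSIONS[sid]["csrf"] = token
    return token


def render_transfer_form(sid: str) -> str:
    """What the site sends a logged-in user: the form carries the hidden token,
    so the request a forger can replay from a fixed template is incomplete."""
    token = issue_csrf_token(sid)
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf" value="{token}">'
        '<input name="to"><input name="amount">'
        "</form>"
    )


def handle_transfer(sid: str, body: str) -> tuple[int, str]:
    """Server-side handler: reject any request whose token is missing or does
    not match the token stored for *this* session."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "no session"
    form = {k: v[0] for k, v in parse_qs(body).items()}
    expected = session.get("csrf")
    supplied = form.get("csrf", "")
    # Constant-time comparison so the token cannot be recovered byte by byte
    # from response timing; a missing or foreign token fails the same way.
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403, "CSRF token missing or invalid"
    amount = int(form.get("amount", "0"))
    if amount <= 0 or amount > session["balance"]:
        return 400, "bad amount"
    session["balance"] -= amount
    return 200, f"transferred {amount} to {form.get('to', '')}"


def extract_token(html: str) -> str:
    """Pull the hidden token out of the rendered form, as the user's own
    browser would when submitting it."""
    marker = 'name="csrf" value="'
    start = html.index(marker) + len(marker)
    return html[start:html.index('"', start)]


def demo() -> dict:
    """Legitimate submission plus two forgery attempts; returns status codes."""
    alice = new_session()
    bob = new_session()
    alice_token = extract_token(render_transfer_form(alice))
    bob_token = extract_token(render_transfer_form(bob))

    # 1. Alice submits the form she was served: token matches her session.
    legit = handle_transfer(alice, f"to=mallory&amount=100&csrf={alice_token}")
    # 2. An attacker's page auto-submits a fixed body in Alice's browser. Her
    #    session cookie rides along, but the attacker never saw her page, so
    #    the body carries no token: "the same request" is not the same.
    forged = handle_transfer(alice, "to=mallory&amount=100")
    # 3. The attacker supplies a token from a session they control (Bob's).
    cross = handle_transfer(alice, f"to=mallory&amount=100&csrf={bob_token}")
    return {
        "legit": legit[0],
        "forged": forged[0],
        "cross_user": cross[0],
        "tokens_differ": alice_token != bob_token,
        "alice_balance": SESSIONS[alice]["balance"],
    }


if __name__ == "__main__":
    print(demo())
```

The essential properties are that the token comes from a CSPRNG, is stored server-side and bound to one session, and is checked with a constant-time compare; a token that is merely per-user but guessable, or shared across users, gives back exactly the predictability the article warns about.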
