Martin Grigorov created WICKET-5775:
---------------------------------------
Summary: Replace the session upon successful sign-in for better support against Session Fixation
Key: WICKET-5775
URL: https://issues.apache.org/jira/browse/WICKET-5775
Project: Wicket
Issue Type: Improvement
Components: wicket-auth-roles
Affects Versions: 7.0.0-M4, 6.18.0
Reporter: Martin Grigorov
Assignee: Martin Grigorov
Priority: Minor
See http://markmail.org/message/twbipkcmc5v6rto7:
--------------------------------
Hi all,
while implementing the login in my current project I came across
WICKET-1767[1], which deals with session fixation problems, but to my
surprise it looks like the newly created method is not called
automatically by Wicket. If I search the code base for
"replaceSession(" I only get one result, the method itself.
Is there any reason why Wicket doesn't call the method automatically?
Looks to me like AuthenticatedWebSession.signIn would be a good place
to call it automatically. When should I call it instead, at the
beginning of AuthenticatedWebSession.authenticate? This would prevent
session fixation even if an exception gets thrown during the authentication
itself for any reason.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
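The approach the quoted message proposes, rotating the session at the start of authenticate() rather than waiting for signIn(), as an added example that is not Wicket's own code and not the mailing-list author's. It assumes a Wicket 6.x/7.x application using wicket-auth-roles, where AuthenticatedWebSession.signIn() is final and Session.replaceSession() is the method introduced by WICKET-1767; the credential check against a hard-coded user is a constructed stand-in for a real user store, and the class, field and constant names are invented for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.request.Request;

/**
 * Example session (not from Wicket): the session id is replaced before the
 * credentials are checked, so an id an attacker fixed before login is never
 * the id that ends up authenticated, even when authenticate() throws.
 */
public class FixationSafeSession extends AuthenticatedWebSession {

    // Constructed demo credentials; a real application consults its user store.
    private static final String DEMO_USER = "alice";
    private static final byte[] DEMO_PASSWORD =
            "correct horse".getBytes(StandardCharsets.UTF_8);

    private String user;

    public FixationSafeSession(Request request) {
        super(request);
    }

    @Override
    public boolean authenticate(String username, String password) {
        // signIn() is final in AuthenticatedWebSession, so authenticate() is the
        // hook an application controls. Calling replaceSession() first means a
        // failed check or an exception still leaves the pre-login id invalidated.
        // Assumption: the Session object itself is re-bound to the new HTTP
        // session, so fields on it (like 'user') survive; attributes placed
        // directly on the old HTTP session do not. Verify against your Wicket
        // version before relying on either.
        replaceSession();

        if (username == null || password == null) {
            return false;
        }
        // Constant-time comparison so the check does not leak password length
        // or a matching prefix through timing.
        boolean ok = DEMO_USER.equals(username)
                && MessageDigest.isEqual(DEMO_PASSWORD,
                        password.getBytes(StandardCharsets.UTF_8));
        if (ok) {
            user = username;
        }
        return ok;
    }

    @Override
    public Roles getRoles() {
        // Only a signed-in session carries the USER role.
        return isSignedIn() ? new Roles(Roles.USER) : new Roles();
    }

    public String getUser() {
        return user;
    }
}
```

Wire it in with `Application.newSession(Request, Response)` returning `new FixationSafeSession(request)`. Rotating at the top of authenticate() also rotates on every failed attempt, which is harmless but means anything stored in the pre-login HTTP session (a "return to" URL, for instance) must be carried on the Wicket Session object or re-read after the call.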