[ https://issues.apache.org/jira/browse/WICKET-6432?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16118308#comment-16118308 ]
Martin Grigorov commented on WICKET-6432:
-----------------------------------------

bq. has to include another Session cookie in the URL

This is an incorrect statement. There is no way to include a cookie in the url. The cookies are in the headers.

Sessions created in HTTPS requests are visible only in any following HTTPS requests. If a cookie is used for tracking then it has "secure=true" and is not read by the browser. If url re-writing is used then the servlet container won't encode it in the urls for HTTP requests.

A session created in an HTTP request is visible to both HTTP and HTTPS requests.

Since I cannot reproduce the problem here - what exactly is the observed behavior?

> SignInPanel causes infinite redirect loop if session id is suppressed in URL
> ----------------------------------------------------------------------------
>
>                 Key: WICKET-6432
>                 URL: https://issues.apache.org/jira/browse/WICKET-6432
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket-auth-roles
>    Affects Versions: 7.8.0
>            Reporter: Simon Erhardt
>            Assignee: Martin Grigorov
>         Attachments: redirect-loop.zip
>
>
> The attached, very simple quickstart causes an infinite redirection loop. It
> consists of a _AuthenticatedPage_, which is annotated by
> _@AuthorizeInstantiation_, and a _LoginPage_, using a SignInPanel, which is
> set up as home page.
> The trouble begins if one opens the HTTP URL after signing in with HTTPS.
> It happens only if Jetty is forced to suppress the session id as URL
> parameter (see [Jetty 9.2.X documentation|http://www.eclipse.org/jetty/documentation/9.2.22.v20170531/session-management.html#setting-session-characteristics]):
> {code}
> WebAppContext bb = new WebAppContext();
> // The following line causes the trouble
> bb.setInitParameter("org.eclipse.jetty.servlet.SessionIdPathParameterName", "none");
> {code}
> Steps to reproduce:
> # Start the application in test/java/quickstart/Start
> # Open https://localhost:8443
> # Sign in using "user" and "password"
> # After redirected to the AuthenticatedPage, open http://localhost:8080
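The cookie scoping discussed in the comment above, as an added example that is not part of the original message and is not Wicket or Jetty code: a minimal JavaScript model of how a browser decides which cookies to attach to a request, limited to the Secure attribute and host-only (port-independent) matching. The session id values and the names `CookieJar`, `sessionSeen` and `demo` are constructed for illustration.

```javascript
// Added illustration, constructed values: cookie selection limited to Secure + host match.
// Parse a Set-Cookie header value into { name, value, secure, path }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure: false, path: '/' };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    if (k.toLowerCase() === 'secure') cookie.secure = true;
    if (k.toLowerCase() === 'path' && v) cookie.path = v;
  }
  return cookie;
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Store a cookie set by `url`. Cookies are scoped by host, not by port,
  // so localhost:8443 and localhost:8080 share one jar entry per name and path.
  store(url, header) {
    const c = { ...parseSetCookie(header), host: new URL(url).hostname };
    this.cookies = this.cookies.filter(
      o => !(o.host === c.host && o.name === c.name && o.path === c.path));
    this.cookies.push(c);
  }

  // Cookie request header for `url`: Secure cookies are attached to https only.
  headerFor(url) {
    const u = new URL(url);
    return this.cookies
      .filter(c => c.host === u.hostname && u.pathname.startsWith(c.path)) // simplified path match
      .filter(c => !c.secure || u.protocol === 'https:')
      .map(c => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// Session id the server can see when URL rewriting is off
// (SessionIdPathParameterName = "none"), so the cookie is the only carrier.
function sessionSeen(jar, url) {
  const m = /(?:^|; )JSESSIONID=([^;]+)/.exec(jar.headerFor(url));
  return m ? m[1] : null;
}

// Set one session cookie from `originUrl`, then request both ports.
function demo(setCookieHeader, originUrl) {
  const jar = new CookieJar();
  jar.store(originUrl, setCookieHeader);
  return { https: sessionSeen(jar, 'https://localhost:8443/'),
           http: sessionSeen(jar, 'http://localhost:8080/') };
}
```

Calling `demo('JSESSIONID=abc123; Path=/; Secure; HttpOnly', 'https://localhost:8443/')` yields a session id for the HTTPS request and `null` for the HTTP one, while the same cookie without `Secure`, set from `http://localhost:8080/`, is seen by both.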