[jira] [Commented] (WICKET-6432) SignInPanel causes infinite redirect loop if session id is suppressed in URL

Tue, 08 Aug 2017 06:05:33 -0700 

    [ 
https://issues.apache.org/jira/browse/WICKET-6432?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16118308#comment-16118308
 ] 

Martin Grigorov commented on WICKET-6432:
-----------------------------------------

bq.  has to include another Session cookie in the URL

This is incorrect statement. There is no way to include a cookie in the url. 
The cookies are in the headers.


Sessions created in HTTPS requests are visible only in any following HTTPS 
requests.
If a cookie is used for tracking then it has "secure=true" and is not read by 
the browser.
If url re-writing is used then the servlet container won't encode it in the 
urls for HTTP requests.

Session created in HTTP request is visible to both HTTP and HTTPS requests.

Since I cannot reproduce the problem here - what exactly is the observed 
behavior ?  

> SignInPanel causes infinite redirect loop if session id is suppressed in URL
> ----------------------------------------------------------------------------
>
>                 Key: WICKET-6432
>                 URL: https://issues.apache.org/jira/browse/WICKET-6432
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket-auth-roles
>    Affects Versions: 7.8.0
>            Reporter: Simon Erhardt
>            Assignee: Martin Grigorov
>         Attachments: redirect-loop.zip
>
>
> The attached, very simple quickstart causes an infinite redirection loop. It 
> consists of a _AuthenticatedPage_, which is annotated by 
> _@AuthorizeInstantiation_, and a _LoginPage_, using a SingInPanel, which is 
> set up as home page.
> The trouble begins if one opens the HTTP URL after signing in with HTTPS.
> It happens only if Jetty is forced to suppress the session id as URL 
> parameter (see [Jetty 9.2.X 
> documentation|http://www.eclipse.org/jetty/documentation/9.2.22.v20170531/session-management.html#setting-session-characteristics]):
> {code}
>     WebAppContext bb = new WebAppContext();
>     // The following line causes the trouble
>     
> bb.setInitParameter("org.eclipse.jetty.servlet.SessionIdPathParameterName", 
> "none");
> {code}
> Steps to reproduce:
> # Start the application in test/java/quickstart/Start
> # Open https://localhost:8443
> # Sign in using "user" and "password"
> # After redirected to the AuthenticatedPage, open http://localhost:8080



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to