[
https://issues.apache.org/jira/browse/WICKET-6432?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16124879#comment-16124879
]
Martin Grigorov commented on WICKET-6432:
-----------------------------------------
bq. I'll have to verify, but it seems Jetty is using two different sessions for
Http and HTTPS respectively.
Yes, this is expected!
If the first session is created in HTTPS request then this session cannot be
shared with HTTP requests and a new http session is created for them.
> SignInPanel causes infinite redirect loop if session id is suppressed in URL
> ----------------------------------------------------------------------------
>
> Key: WICKET-6432
> URL: https://issues.apache.org/jira/browse/WICKET-6432
> Project: Wicket
> Issue Type: Bug
> Components: wicket-auth-roles
> Affects Versions: 7.8.0
> Reporter: Simon Erhardt
> Assignee: Martin Grigorov
> Attachments: redirect-loop.zip
>
>
> The attached, very simple quickstart causes an infinite redirection loop. It
> consists of a _AuthenticatedPage_, which is annotated by
> _@AuthorizeInstantiation_, and a _LoginPage_, using a SingInPanel, which is
> set up as home page.
> The trouble begins if one opens the HTTP URL after signing in with HTTPS.
> It happens only if Jetty is forced to suppress the session id as URL
> parameter (see [Jetty 9.2.X
> documentation|http://www.eclipse.org/jetty/documentation/9.2.22.v20170531/session-management.html#setting-session-characteristics]):
> {code}
> WebAppContext bb = new WebAppContext();
> // The following line causes the trouble
>
> bb.setInitParameter("org.eclipse.jetty.servlet.SessionIdPathParameterName",
> "none");
> {code}
> Steps to reproduce:
> # Start the application in test/java/quickstart/Start
> # Open https://localhost:8443
> # Sign in using "user" and "password"
> # After redirected to the AuthenticatedPage, open http://localhost:8080
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
