Hi Maxim, yes, it can be used to steal the session, because the first time the id is within the URL and can be tracked, even if it is an HTTPS connection.
So the best option to make the connection safe is to create a new session directly and use this session id onwards. This is a JEE-related topic, not only a Wicket one.

Kind regards
Tobias

> On 11.05.2016 at 16:01, Maxim Solodovnik <[email protected]> wrote:
>
> Hello All,
>
> Why I'm asking here: we are using AbstractAuthenticatedWebSession
>
> Recently we have received a bug report [1] stating JSESSIONID is not being
> changed after authentication, can this lead to a "stolen" login?
> I was unable to manually set this cookie to the known value
> Is this possible?
>
> Sorry if I'm writing to the wrong list.
>
> [1] https://issues.apache.org/jira/browse/OPENMEETINGS-1399
>
> --
> WBR
> Maxim aka solomax
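As an added illustration of the advice above (example code written for this page, not code from the thread, from OpenMeetings or from Wicket itself): a session class that discards the pre-login container session and binds a fresh one as soon as the credentials check succeeds, so that whatever id an attacker planted or observed before login is never promoted to an authenticated session. It assumes Wicket 6 or later with wicket-auth-roles on the classpath, where `org.apache.wicket.Session#replaceSession()` invalidates the current HTTP session and re-binds the Wicket session under a new id. The package name, the class name and the `checkCredentials` user-store lookup are hypothetical placeholders.

```java
package example.session; // hypothetical package, not part of any real project

import org.apache.wicket.authroles.authentication.AbstractAuthenticatedWebSession;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.request.Request;

/**
 * Wicket session that rotates the servlet session id on login.
 *
 * Session fixation: an attacker fixes a session id in the victim's browser
 * (for example via a jsessionid-rewritten URL) before the victim logs in.
 * If the application keeps that id after authentication, the attacker now
 * holds a logged-in session. Replacing the session at login breaks this.
 */
public class FixationSafeSession extends AbstractAuthenticatedWebSession {
    private static final long serialVersionUID = 1L;

    private boolean signedIn;
    private String user;

    public FixationSafeSession(Request request) {
        super(request);
    }

    /**
     * Hypothetical credential check. A real application would consult its
     * user store here; the fixed pair below stands in for that lookup.
     */
    protected boolean checkCredentials(String username, String password) {
        return "alice".equals(username) && "correct horse".equals(password);
    }

    /** Authenticate and, on success, move the user onto a brand-new session. */
    public final boolean signIn(String username, String password) {
        if (!checkCredentials(username, password)) {
            return false;
        }
        // Invalidate the container session the client arrived with and bind
        // this Wicket session object under a freshly generated id. The fields
        // of this Java object survive because the same object is re-bound;
        // anything the app stored directly on the HttpSession does not.
        // (Wicket >= 6 API, assumed available here.)
        replaceSession();
        signedIn = true;
        user = username;
        return true;
    }

    public final void signOut() {
        signedIn = false;
        user = null;
        // Drop the authenticated session entirely; the next request gets a new one.
        invalidateNow();
    }

    public String getUser() {
        return user;
    }

    @Override
    public boolean isSignedIn() {
        return signedIn;
    }

    @Override
    public Roles getRoles() {
        return signedIn ? new Roles(Roles.USER) : new Roles();
    }
}
```

Two things a practitioner would check alongside this. First, the same rotation is available without Wicket in a Servlet 3.1 container via `HttpServletRequest.changeSessionId()`, which is the JEE-level form of the advice in the reply above. Second, the reason the id shows up in the URL "the first time" is servlet URL rewriting for clients that have not yet sent a cookie; a Servlet 3.0+ `web.xml` can switch it off with `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>`, so the id is only ever carried in the cookie and never lands in logs, referers or bookmarks. Neither measure replaces the other: rotation protects against ids fixed before login, cookie-only tracking reduces how easily an id leaks in the first place.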
