Maybe it needs to be done inside AbstractAuthenticatedWebSession. This way there will be no need to "invent the wheel" ...
On Wed, May 11, 2016 at 8:35 PM, Tobias Soloschenko <[email protected]> wrote:

> Hi Maxim,
>
> yes it can be used to steal the session, because the first time the id is
> within the URL and can be tracked - even if it is a HTTPS connection.
>
> So the best option to make the connection safe is to create a new session
> directly and use this session id onwards.
>
> This is a JEE related topic not only a Wicket one.
>
> kind regards
>
> Tobias
>
> > On 11.05.2016 at 16:01, Maxim Solodovnik <[email protected]> wrote:
> >
> > Hello All,
> >
> > Why I'm asking here: we are using AbstractAuthenticatedWebSession
> >
> > Recently we have received a bug report [1] stating JSESSIONID is not being
> > changed after authentication, can this lead to a "stolen" login?
> > I was unable to manually set this cookie to the known value.
> > Is this possible?
> >
> > sorry if I'm writing to the wrong list.
> >
> > [1] https://issues.apache.org/jira/browse/OPENMEETINGS-1399
> >
> > --
> > WBR
> > Maxim aka solomax

--
WBR
Maxim aka solomax
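The mitigation Tobias describes (drop the pre-login session id and continue on a fresh one, so a JSESSIONID observed or planted before authentication is worthless afterwards) can be done in the application's own AbstractAuthenticatedWebSession subclass. The following is an added illustration, not code from this thread, from OpenMeetings or from the Wicket project. It relies on Wicket's Session.replaceSession(), which invalidates the current container session and binds the same Wicket Session object to a new one; the class name AppSession and the authenticateAgainstStore(...) check are hypothetical placeholders for the application's own credential lookup.

```java
import org.apache.wicket.Session;
import org.apache.wicket.authroles.authentication.AbstractAuthenticatedWebSession;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.request.Request;

/**
 * Example session that regenerates the servlet session id on successful login
 * (session-fixation mitigation). Added illustration; not the project's code.
 */
public class AppSession extends AbstractAuthenticatedWebSession {

    // Identity of the signed-in user; null while anonymous.
    private String userId;

    public AppSession(Request request) {
        super(request);
    }

    public static AppSession get() {
        return (AppSession) Session.get();
    }

    /**
     * Verifies the credentials and, only on success, discards the session id
     * the browser used before authentication.
     */
    public boolean signIn(String username, String password) {
        // Hypothetical application-specific credential check (assumption).
        if (!authenticateAgainstStore(username, password)) {
            return false;
        }

        // Invalidate the pre-login container session and bind this Wicket
        // Session to a brand-new one, so the browser receives a new JSESSIONID.
        // Fields on this object survive because the same instance is rebound;
        // attributes stored directly on the old HttpSession do not.
        replaceSession();

        userId = username;
        dirty(); // mark the session as changed so Wicket persists it
        return true;
    }

    @Override
    public boolean isSignedIn() {
        return userId != null;
    }

    @Override
    public Roles getRoles() {
        return isSignedIn() ? new Roles(Roles.USER) : new Roles();
    }

    @Override
    public void invalidate() {
        // Clear application state before the underlying session is destroyed.
        userId = null;
        super.invalidate();
    }

    // Placeholder for the real credential store; always denies here so the
    // example compiles without any backend. Replace in a real application.
    private boolean authenticateAgainstStore(String username, String password) {
        return false;
    }
}
```

To confirm the fix in a deployment, compare the JSESSIONID cookie value before and after a successful login; it must differ. On a Servlet 3.1+ container the same effect is available below Wicket via HttpServletRequest.changeSessionId(), which keeps the session's attributes but issues a new id; either way the regeneration has to happen after the credentials are verified and before any privileged data is associated with the session.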
