Hi Maxim,

ah I see the problem, now. :-)

I don't have any idea where to place it - maybe the others might know that. It has to be the place where the session is going to be acquired. The session id has to be replaced with a new one.

@others: WDYT?

kind regards

Tobias

Am 11.05.16 um 17:02 schrieb Maxim Solodovnik:
Maybe it needs to be done inside AbstractAuthenticatedWebSession.
This way there will be no need for "inventing the wheel" ...

On Wed, May 11, 2016 at 8:35 PM, Tobias Soloschenko <[email protected]> wrote:

Hi Maxim,

Yes, it can be used to steal the session, because the first time the id is within the URL and can be tracked - even if it is an HTTPS connection.

So the best option to make the connection safe is to create a new session directly and use this session id from then on.

This is a JEE-related topic, not only a Wicket one.

kind regards

Tobias

Am 11.05.2016 um 16:01 schrieb Maxim Solodovnik <[email protected]>:

Hello All,

Why I'm asking here: we are using AbstractAuthenticatedWebSession.

Recently we received a bug report [1] stating that the JSESSIONID is not changed after authentication. Can this lead to a "stolen" login?
I was unable to manually set this cookie to a known value.
Is this possible?

Sorry if I'm writing to the wrong list.

[1] https://issues.apache.org/jira/browse/OPENMEETINGS-1399

--
WBR
Maxim aka solomax



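The step Tobias describes (create a new session at login and use only the new id from then on), written as a Wicket AuthenticatedWebSession subclass; this is an added example, not code from the thread or from the Wicket project, and UserDirectory / roleNames() are assumed application-side helpers.

```java
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.request.Request;

/**
 * Session that discards the pre-login session id as soon as the user is
 * authenticated. Without this, the JSESSIONID handed to the anonymous
 * visitor (possibly exposed in a URL, log line or proxy) keeps identifying
 * the now-authenticated session.
 */
public class RotatingAuthenticatedWebSession extends AuthenticatedWebSession {

    private Roles roles = new Roles();

    public RotatingAuthenticatedWebSession(Request request) {
        super(request);
    }

    @Override
    protected boolean authenticate(String username, String password) {
        // UserDirectory is a hypothetical application service, not part of Wicket.
        UserDirectory.Account account = UserDirectory.verify(username, password);
        if (account == null) {
            return false;
        }
        roles = new Roles(account.roleNames());
        // Invalidate the HttpSession the login request arrived with and bind
        // this Wicket session to a freshly created one. The container issues a
        // new JSESSIONID, so an id captured before login no longer resolves to
        // any session.
        replaceSession();
        return true;
    }

    @Override
    public Roles getRoles() {
        return isSignedIn() ? roles : new Roles();
    }

    @Override
    public void signOut() {
        roles = new Roles();
        super.signOut();
    }
}
```

Outside Wicket, the equivalent Servlet 3.1+ call is HttpServletRequest.changeSessionId(), or invalidate() followed by getSession(true) on older containers.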