Hi,

Please consult with https://issues.apache.org/jira/issues/?jql=project%20%3D%20WICKET%20AND%20text%20~%20replaceSession

In particular:
- https://issues.apache.org/jira/browse/WICKET-5775
- https://issues.apache.org/jira/browse/WICKET-5845

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Wed, May 11, 2016 at 6:20 PM, Tobias Soloschenko <[email protected]> wrote:
> Hi Maxim,
>
> ah I see the problem, now. :-)
>
> I don't have any idea where to place it in - maybe the others might know
> that. It has to be the place where the session is going to be acquired. The
> session id has to be shifted with a new one.
>
> @others: WDYT?
>
> kind regards
>
> Tobias
>
> On 11.05.16 at 17:02, Maxim Solodovnik wrote:
>> Maybe it needs to be done inside AbstractAuthenticatedWebSession
>> This way there will be no need in "inventing the wheel" ...
>>
>> On Wed, May 11, 2016 at 8:35 PM, Tobias Soloschenko <[email protected]> wrote:
>>
>>> Hi Maxim,
>>>
>>> yes it can be used to steal the session, because the first time the id is
>>> within the URL and can be tracked - even if it is an HTTPS connection.
>>>
>>> So the best option to make the connection safe is to create a new session
>>> directly and use this session id onwards.
>>>
>>> This is a JEE related topic not only a Wicket one.
>>>
>>> kind regards
>>>
>>> Tobias
>>>
>>>> On 11.05.2016 at 16:01, Maxim Solodovnik <[email protected]> wrote:
>>>>
>>>> Hello All,
>>>>
>>>> Why I'm asking here: we are using AbstractAuthenticatedWebSession
>>>>
>>>> Recently we have received a bug report [1] stating JSESSIONID is not being
>>>> changed after authentication, can this lead to a "stolen" login?
>>>> I was unable to manually set this cookie to the known value
>>>> Is this possible?
>>>>
>>>> sorry if I'm writing to the wrong list.
>>>>
>>>> [1] https://issues.apache.org/jira/browse/OPENMEETINGS-1399
>>>>
>>>> --
>>>> WBR
>>>> Maxim aka solomax
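
The mitigation the thread converges on (issue a fresh session id right after a successful sign-in, so an id that was ever exposed in a URL stops being valid) as an added example; this is not code from the thread or from the Wicket project. It assumes a Wicket application whose session class extends AuthenticatedWebSession, and the LoginPage class and the component ids "login", "username" and "password" are placeholders.

```java
// Added example (not from the thread or from Wicket): rotate the
// servlet session id immediately after authentication succeeds.
import org.apache.wicket.Session;
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.markup.html.form.PasswordTextField;
import org.apache.wicket.markup.html.form.TextField;
import org.apache.wicket.model.Model;

public class LoginPage extends WebPage
{
    private final Model<String> username = Model.of("");
    private final Model<String> password = Model.of("");

    public LoginPage()
    {
        Form<Void> form = new Form<Void>("login")
        {
            @Override
            protected void onSubmit()
            {
                AuthenticatedWebSession session = AuthenticatedWebSession.get();
                if (session.signIn(username.getObject(), password.getObject()))
                {
                    // The JSESSIONID handed out before login may have been
                    // seen by a third party (e.g. as ;jsessionid=... in the
                    // very first URL). Invalidate that container session and
                    // bind a new one; Wicket carries the session state over,
                    // but the old id no longer maps to an authenticated user.
                    Session.get().replaceSession();
                    continueToOriginalDestination();
                    setResponsePage(getApplication().getHomePage());
                }
                else
                {
                    error("Invalid credentials");
                }
            }
        };
        form.add(new TextField<>("username", username));
        form.add(new PasswordTextField("password", password));
        add(form);
    }
}
```

After a successful login the Set-Cookie header in the response should carry a JSESSIONID different from the one sent with the login request; that difference is the check to add to a test for the bug report above.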
