Hi Martin,

to me it is not clear what to do now. :-/

There are some frameworks that cause errors when the jsessionid is changed - but 
what if they are not used?

kind regards

Tobias

> On 11.05.2016 at 21:04, Martin Grigorov <[email protected]> wrote:
> 
> Hi,
> 
> Please consult with
> https://issues.apache.org/jira/issues/?jql=project%20%3D%20WICKET%20AND%20text%20~%20replaceSession
> In particular:
> - https://issues.apache.org/jira/browse/WICKET-5775
> - https://issues.apache.org/jira/browse/WICKET-5845
> 
> Martin Grigorov
> Wicket Training and Consulting
> https://twitter.com/mtgrigorov
> 
> On Wed, May 11, 2016 at 6:20 PM, Tobias Soloschenko <
> [email protected]> wrote:
> 
>> Hi Maxim,
>> 
>> ah I see the problem, now. :-)
>> 
>> I don't have any idea where to place it - maybe the others might know
>> that. It has to be the place where the session is going to be acquired. The
>> session ID has to be replaced with a new one.
>> 
>> @others: WDYT?
>> 
>> kind regards
>> 
>> Tobias
>> 
>> On 11.05.16 at 17:02, Maxim Solodovnik wrote:
>> 
>>> Maybe it needs to be done inside AbstractAuthenticatedWebSession
>>> This way there will be no need for "inventing the wheel" ...
>>> 
>>> On Wed, May 11, 2016 at 8:35 PM, Tobias Soloschenko <
>>> [email protected]> wrote:
>>> 
>>> Hi Maxim,
>>>> 
>>>> yes, it can be used to steal the session, because the first time the ID is
>>>> within the URL and can be tracked - even if it is an HTTPS connection.
>>>> 
>>>> So the best option to make the connection safe is to create a new session
>>>> directly and use this session ID from then on.
>>>> 
>>>> This is a JEE related topic not only a Wicket one.
>>>> 
>>>> kind regards
>>>> 
>>>> Tobias
>>>> 
>>>>> On 11.05.2016 at 16:01, Maxim Solodovnik <[email protected]> wrote:
>>>>> 
>>>>> Hello All,
>>>>> 
>>>>> Why I'm asking here: we are using AbstractAuthenticatedWebSession
>>>>> 
>>>>> Recently we received a bug report [1] stating that JSESSIONID is not being
>>>>> changed after authentication. Can this lead to a "stolen" login?
>>>>> I was unable to manually set this cookie to a known value.
>>>>> Is this possible?
>>>>> 
>>>>> sorry if I'm writing to the wrong list.
>>>>> 
>>>>> [1] https://issues.apache.org/jira/browse/OPENMEETINGS-1399
>>>>> 
>>>>> --
>>>>> WBR
>>>>> Maxim aka solomax
>> 
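As an added example of the approach Tobias describes above (create a new session directly after successful authentication and use the new ID from then on), here is a subclass of Wicket's AbstractAuthenticatedWebSession that calls Session#replaceSession() once the credentials have been verified. This is not code from the thread, from Wicket or from OpenMeetings; the class name RotatingIdSession and the nested ConstructedAuthBackend user store are assumptions made for the example.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.wicket.authroles.authentication.AbstractAuthenticatedWebSession;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.request.Request;

/**
 * Illustrative Wicket session that rotates the session ID on login.
 * Added example; not code from Wicket or OpenMeetings.
 */
public class RotatingIdSession extends AbstractAuthenticatedWebSession {

    private static final long serialVersionUID = 1L;

    private Roles roles = new Roles();

    public RotatingIdSession(Request request) {
        super(request);
    }

    /**
     * Verifies the credentials and, on success, replaces the pre-login session.
     * On failure the session is left untouched and false is returned.
     */
    public boolean signIn(String username, String password) {
        if (!ConstructedAuthBackend.verify(username, password)) {
            return false;
        }
        // The pre-authentication session ID may have travelled in the URL
        // (;jsessionid=...) or have been planted by an attacker (session fixation).
        // Invalidate it and bind the authenticated state to a freshly generated ID,
        // so a captured pre-login ID never becomes a logged-in one.
        replaceSession();
        roles = ConstructedAuthBackend.rolesFor(username);
        dirty(); // make sure the new authenticated state is stored
        return true;
    }

    public void signOut() {
        roles = new Roles();
        invalidateNow(); // drop the authenticated session immediately
    }

    @Override
    public boolean isSignedIn() {
        return !roles.isEmpty();
    }

    @Override
    public Roles getRoles() {
        return roles;
    }

    /** Hypothetical stand-in for a real user store; constructed data for the example only. */
    static final class ConstructedAuthBackend {
        private static final Map<String, String> PASSWORDS = new HashMap<>();
        private static final Map<String, Roles> ROLES = new HashMap<>();

        static {
            // Constructed test data; a real store would compare a salted password hash.
            PASSWORDS.put("alice", "correct-horse");
            ROLES.put("alice", new Roles(Roles.ADMIN));
        }

        static boolean verify(String username, String password) {
            String expected = PASSWORDS.get(username);
            return expected != null && expected.equals(password);
        }

        static Roles rolesFor(String username) {
            Roles r = ROLES.get(username);
            return r == null ? new Roles() : new Roles(r.toArray(new String[0]));
        }
    }
}
```

To check the behaviour in a running deployment, record the JSESSIONID cookie value before submitting the login form and again on the first response after it; the two values must differ. Outside Wicket, the container-level equivalent on Servlet 3.1 is HttpServletRequest#changeSessionId(); on older containers, invalidate the session and copy the attributes you still need into request.getSession(true).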
