Hi Martin, to me it is not clear what to do now. :-/
There are some frameworks causing errors when changing the jsessionid - but what if they are not used.

kind regards

Tobias

> On 11.05.2016 at 21:04, Martin Grigorov <[email protected]> wrote:
>
> Hi,
>
> Please consult with
> https://issues.apache.org/jira/issues/?jql=project%20%3D%20WICKET%20AND%20text%20~%20replaceSession
> In particular:
> - https://issues.apache.org/jira/browse/WICKET-5775
> - https://issues.apache.org/jira/browse/WICKET-5845
>
> Martin Grigorov
> Wicket Training and Consulting
> https://twitter.com/mtgrigorov
>
> On Wed, May 11, 2016 at 6:20 PM, Tobias Soloschenko <[email protected]> wrote:
>
>> Hi Maxim,
>>
>> ah I see the problem, now. :-)
>>
>> I don't have any idea where to place it in - maybe the others might know
>> that. It has to be the place where the session is going to be acquired. The
>> sessionid has to be shifted with a new one.
>>
>> @others: WDYT?
>>
>> kind regards
>>
>> Tobias
>>
>> On 11.05.16 at 17:02, Maxim Solodovnik wrote:
>>
>>> Maybe it needs to be done inside AbstractAuthenticatedWebSession
>>> This way there will be no need in "inventing the wheel" ...
>>>
>>> On Wed, May 11, 2016 at 8:35 PM, Tobias Soloschenko <[email protected]> wrote:
>>>
>>>> Hi Maxim,
>>>>
>>>> yes it can be used to steal the session, because the first time the id is
>>>> within the URL and can be tracked - even if it is an HTTPS connection.
>>>>
>>>> So the best option to make the connection safe is to create a new session
>>>> directly and use this sessionid onwards.
>>>>
>>>> This is a JEE related topic not only a Wicket one.
>>>>
>>>> kind regards
>>>>
>>>> Tobias
>>>>
>>>>> On 11.05.2016 at 16:01, Maxim Solodovnik <[email protected]> wrote:
>>>>>
>>>>> Hello All,
>>>>>
>>>>> Why I'm asking here: we are using AbstractAuthenticatedWebSession
>>>>>
>>>>> Recently we have received bug report [1] stating JSESSIONID is not being
>>>>> changed after authentication, can this lead to "stolen" login?
>>>>> I was unable to manually set this cookie to the known value
>>>>> Is this possible?
>>>>>
>>>>> sorry if I'm writing to the wrong list.
>>>>>
>>>>> [1] https://issues.apache.org/jira/browse/OPENMEETINGS-1399
>>>>>
>>>>> --
>>>>> WBR
>>>>> Maxim aka solomax
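The mitigation the thread converges on (create a fresh session id right after authentication, the `replaceSession` approach the linked issues track) as an added example; this is not code from the thread or from Wicket or OpenMeetings. `FixationSafeSession`, its `login` helper and the placeholder credential check are this example's own names; `AuthenticatedWebSession`, `signIn`, `replaceSession` and `Roles` are Wicket's.

```java
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.request.Request;

// Hypothetical application session class; the name and the login() helper are
// this example's own, not part of Wicket.
public class FixationSafeSession extends AuthenticatedWebSession {

    private Roles roles = new Roles();

    public FixationSafeSession(Request request) {
        super(request);
    }

    /**
     * Entry point for the application's login form: authenticates through the
     * inherited signIn(), then discards the session id the client held before
     * authentication, so an id that was already visible in a URL does not
     * become the id of the authenticated session.
     */
    public boolean login(String username, String password) {
        boolean signedIn = signIn(username, password);
        if (signedIn) {
            // Invalidates the underlying container session and binds this Wicket
            // session object to a newly created one. Fields on this object
            // (e.g. roles) survive; plain HttpSession attributes do not.
            replaceSession();
        }
        return signedIn;
    }

    @Override
    protected boolean authenticate(String username, String password) {
        // Placeholder credential check standing in for the application's user store.
        boolean ok = "demo".equals(username) && "demo-password".equals(password);
        if (ok) {
            roles = new Roles(Roles.USER);
        }
        return ok;
    }

    @Override
    public Roles getRoles() {
        return isSignedIn() ? roles : new Roles();
    }
}
```

Check the result in the browser's cookie store: the JSESSIONID value after a successful `login()` must differ from the one issued before the login form was submitted. In Wicket versions where `signIn()` already calls `replaceSession()` itself, the explicit call here is redundant but does no harm.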
