Thanks for the links Martin!

On Thu, May 12, 2016 at 3:10 AM, Tobias Soloschenko <[email protected]> wrote:

> Hi Martin,
>
> to me it is not clear what to do now. :-/
>
> There are some frameworks causing errors when changing the jsessionid - but what if they are not used?
>
> kind regards
>
> Tobias
>
> > On 11.05.2016 at 21:04, Martin Grigorov <[email protected]> wrote:
> >
> > Hi,
> >
> > Please consult with
> > https://issues.apache.org/jira/issues/?jql=project%20%3D%20WICKET%20AND%20text%20~%20replaceSession
> > In particular:
> > - https://issues.apache.org/jira/browse/WICKET-5775
> > - https://issues.apache.org/jira/browse/WICKET-5845
> >
> > Martin Grigorov
> > Wicket Training and Consulting
> > https://twitter.com/mtgrigorov
> >
> > On Wed, May 11, 2016 at 6:20 PM, Tobias Soloschenko <[email protected]> wrote:
> >
> >> Hi Maxim,
> >>
> >> ah I see the problem, now. :-)
> >>
> >> I don't have any idea where to place it in - maybe the others might know that. It has to be the place where the session is going to be acquired. The sessionid has to be shifted with a new one.
> >>
> >> @others: WDYT?
> >>
> >> kind regards
> >>
> >> Tobias
> >>
> >> On 11.05.16 at 17:02, Maxim Solodovnik wrote:
> >>
> >>> Maybe it needs to be done inside AbstractAuthenticatedWebSession
> >>> This way there will be no need in "inventing the wheel" ...
> >>>
> >>> On Wed, May 11, 2016 at 8:35 PM, Tobias Soloschenko <[email protected]> wrote:
> >>>
> >>>> Hi Maxim,
> >>>>
> >>>> yes it can be used to steal the session, because the first time the id is within the URL and can be tracked - even if it is an HTTPS connection.
> >>>>
> >>>> So the best option to make the connection safe is to create a new session directly and use this sessionid onwards.
> >>>>
> >>>> This is a JEE-related topic, not only a Wicket one.
> >>>>
> >>>> kind regards
> >>>>
> >>>> Tobias
> >>>>
> >>>>> On 11.05.2016 at 16:01, Maxim Solodovnik <[email protected]> wrote:
> >>>>>
> >>>>> Hello All,
> >>>>>
> >>>>> Why I'm asking here: we are using AbstractAuthenticatedWebSession
> >>>>>
> >>>>> Recently we have received bug report [1] stating JSESSIONID is not being changed after authentication, can this lead to "stolen" login?
> >>>>> I was unable to manually set this cookie to the known value
> >>>>> Is this possible?
> >>>>>
> >>>>> sorry if I'm writing to the wrong list.
> >>>>>
> >>>>> [1] https://issues.apache.org/jira/browse/OPENMEETINGS-1399
> >>>>>
> >>>>> --
> >>>>> WBR
> >>>>> Maxim aka solomax

--
WBR
Maxim aka solomax
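Added illustration, not code from the thread or from the Wicket/OpenMeetings projects: the plain Servlet-API form of the rotation Tobias describes, issuing a new session id at the point the user authenticates so that an id exposed before login (for example in a URL) no longer identifies the authenticated session. It assumes a Servlet 3.1+ container for changeSessionId() and falls back to invalidate-and-recreate otherwise; the Wicket-level counterpart is the replaceSession() that Martin's JIRA search refers to.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Rotates the servlet session id at authentication time so a JSESSIONID
 * that was visible before login cannot be used as the logged-in session.
 * Added example; not Wicket or OpenMeetings project code.
 */
public final class SessionIdRotation {

    private SessionIdRotation() {}

    /** Servlet 3.1+: keep the session object, change only its id. */
    public static String rotateInPlace(HttpServletRequest request) {
        // The container rewrites the JSESSIONID cookie itself.
        return request.changeSessionId();
    }

    /**
     * Pre-3.1 containers: invalidate the old session and move its
     * attributes into a freshly created one. Any pre-login state that
     * must not survive authentication should be dropped here, not copied.
     */
    public static HttpSession rotateByReplacing(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> kept = new HashMap<>();
        if (old != null) {
            for (String name : Collections.list(old.getAttributeNames())) {
                kept.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : kept.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    /** Call immediately after credentials have been verified. */
    public static void onLogin(HttpServletRequest request, String user) {
        // "user" is this example's own attribute name (assumption).
        HttpSession session = rotateByReplacing(request);
        session.setAttribute("user", user);
    }
}
```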
