Re: Password in url after page recreation
Hi Claudia,

I have never seen this in our applications - we always use a form POST to submit user login details.

The only reason I can think of that would lead to your case is when you set the form to submit using a GET request. That would put the fields in the URL and thus in Wicket's page parameters, which are reused when recreateBookmarkablePagesAfterExpiry is true and the page expired.

Did you by any chance specify a method="GET" attribute on your form?

Kind regards,

Bas Gooren

On 20 July 2021 at 21:46:07, Claudia Hirt (claudiabec...@gmx.de) wrote:

> Hi all,
>
> we are currently facing some issues with the recreateBookmarkablePagesAfterExpiry option.
> We set this option to true, the user visits the login page and enters username and password (""). Now the user waits for the login till the session expires. Wicket forces a page recreate and appends the password to the URL (e.g. http://localhost:8080/app?user:unit:textfield=user&password:password="password";).
> This seems to be a security issue on our side. Unfortunately we can't disable the recreateBookmarkablePagesAfterExpiry option due to some resource loading issues.
>
> We already thought about what we can do to solve this issue, and it seems to be possible to remove this parameter from the page parameters (which are called for the rewrite url after a page expires).
> But before we implement this workaround we want to ask you guys if you have already seen this issue and if yes, if you have any better solutions?
>
> Thanks for your help...
Password in url after page recreation
> Hi all,
>
> we are currently facing some issues with the recreateBookmarkablePagesAfterExpiry option.
> We set this option to true, the user visits the login page and enters username and password (""). Now the user waits for the login till the session expires. Wicket forces a page recreate and appends the password to the URL (e.g. http://localhost:8080/app?user:unit:textfield=user&password:password="password";).
> This seems to be a security issue on our side. Unfortunately we can't disable the recreateBookmarkablePagesAfterExpiry option due to some resource loading issues.
>
> We already thought about what we can do to solve this issue, and it seems to be possible to remove this parameter from the page parameters (which are called for the rewrite url after a page expires).
> But before we implement this workaround we want to ask you guys if you have already seen this issue and if yes, if you have any better solutions?
>
> Thanks for your help...
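To check whether credentials have already leaked into URLs this way, the sketch below scans access-log lines for query parameters whose colon-separated name ends in a secret-looking id, like `password:password` in the URL quoted in the thread, and redacts the value. It is an added example, not code from the thread or from Wicket; the log format, keyword list, sample password and sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Assumed keyword list: ids that suggest the field carries a secret.
KEYWORDS = ("password", "passwd", "pwd", "secret")
# Request line of a common/combined-format access log entry (assumed format).
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def redact_target(target):
    """Return (redacted target, names of secret-looking query parameters)."""
    path, sep, query = target.partition("?")
    if not sep:
        return target, []
    hits, pairs = [], []
    for pair in query.split("&"):
        raw_name, eq, _value = pair.partition("=")
        name = unquote_plus(raw_name)
        # The thread's URL uses colon-separated names (a:b:c); test the last id.
        leaf = name.rsplit(":", 1)[-1].lower()
        if eq and any(k in leaf for k in KEYWORDS):
            hits.append(name)
            pair = raw_name + "=REDACTED"
        pairs.append(pair)
    return path + "?" + "&".join(pairs), hits

def scan(lines):
    """Return (line no, method, parameter names, redacted line) per finding."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        redacted, hits = redact_target(m.group("target"))
        if hits:
            safe = line[:m.start("target")] + redacted + line[m.end("target"):]
            findings.append((no, m.group("method"), hits, safe))
    return findings

# Constructed sample log lines; the second mirrors the URL quoted in the thread.
SAMPLE = [
    '127.0.0.1 - - [20/Jul/2021:21:40:01 +0200] "GET /app HTTP/1.1" 200 5120',
    '127.0.0.1 - - [20/Jul/2021:21:46:07 +0200] "GET /app?user:unit:textfield=user'
    '&password:password=%22hunter2%22 HTTP/1.1" 200 5120',
    '127.0.0.1 - - [20/Jul/2021:21:46:09 +0200] "POST /app HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for no, method, names, safe in scan(SAMPLE):
        print(f"line {no}: {method} exposes {names}\n  {safe}")
```

A hit on a GET request means the value was also visible in the browser's address bar and history, so the affected passwords should be treated as exposed.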
RestartResponseException ajaxbutton
I have two pages (identical) called PageOne and PageTwo, each with a form, mounted with an UnVersionedUrlMapper.

When I do a RestartResponseException in the submit (via an AjaxButton) to the same page (from PageOne to PageOne), PageOne's constructor is called twice (onInitialize is called once).

But if I throw RestartResponseException (via an AjaxButton) from PageOne to PageTwo, PageTwo's constructor is called once, or if I throw RestartResponseException (via a standard Button) from PageOne to PageOne, PageOne's constructor is called once.

Tested with all the 9.x

Here is the test in UnVersionedUrlMapper#mapHandler:

    // Listener request handlers are not mapped to a URL by this mapper.
    if (requestHandler instanceof ListenerRequestHandler
            || requestHandler instanceof BookmarkableListenerRequestHandler) {
        return null;
    } else {
        return super.mapHandler(requestHandler);
    }

Did I miss something or am I misusing RestartResponseException? Are the tests in the UnVersionedUrlMapper wrong?

Thanks for your help.

François