Hi Everyone, Is it possible to control when Wicket issues a valid session identifier to the user? The use case I am trying to support is only assign a valid session id to the user after they successfully authenticate. This is important to prevent possible session hijacking. When dealing with HTTP sessions directly you can copy the session contents, invalidate the session, request a new session, and put the contents of the original session into the new one. I've browsed through some of Wicket's source code to see if this is easily accomplished but I haven't been able to figure it out. Does anyone have any input or suggestions? Thanks, Larry
______________ The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you. _____________
