Session management is handled by the servlet container and is outside Wicket's control. Perhaps you can use a cookie in conjunction with a check in RequestCycle.onBeginRequest to do something like what you want...
-igor

On Mon, Mar 10, 2008 at 12:43 PM, Zappaterrini, Larry <[EMAIL PROTECTED]> wrote:
> Hi Everyone,
>
> Is it possible to control when Wicket issues a valid session identifier to
> the user? The use case I am trying to support is to only assign a valid session
> id to the user after they successfully authenticate. This is important to
> prevent possible session hijacking. When dealing with HTTP sessions directly
> you can copy the session contents, invalidate the session, request a new
> session, and put the contents of the original session into the new one. I've
> browsed through some of Wicket's source code to see if this is easily
> accomplished but I haven't been able to figure it out. Does anyone have any
> input or suggestions?
>
> Thanks,
> Larry
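
The copy, invalidate, recreate sequence described in the question, written against the plain servlet API as an added example (it is not code from this thread or from Wicket). The class name `SessionRotation` and method name `rotate` are assumptions made for illustration.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper (names are assumptions): rotates the session id at login. */
public final class SessionRotation {

    private SessionRotation() {}

    /**
     * Call only after the credentials have been verified and before any
     * "authenticated" marker is stored in the session.
     * Returns the new session, whose id the pre-login client never saw.
     */
    public static HttpSession rotate(HttpServletRequest request) {
        Map<String, Object> saved = new HashMap<String, Object>();

        // getSession(false): do not create a session just to destroy it.
        HttpSession old = request.getSession(false);
        if (old != null) {
            // Snapshot the attributes first; the old session is unusable
            // once invalidate() has been called.
            for (Object name : Collections.list(old.getAttributeNames())) {
                String key = (String) name;
                saved.put(key, old.getAttribute(key));
            }
            // The pre-authentication id is now dead on the server, so an id
            // planted or observed before login no longer maps to anything.
            // Note: HttpSessionBindingListener attributes receive valueUnbound here.
            old.invalidate();
        }

        // The container issues a fresh id and sets the new session cookie.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> entry : saved.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }
}
```

On containers implementing Servlet 3.1 or later, `HttpServletRequest.changeSessionId()` gives the session a new id in one call without copying attributes.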
