Hi wicket users, we are currently in the process of securing our Wicket-powered application against various attack vectors. One of them is Session Fixation, as described here: http://www.owasp.org/index.php/Session_Fixation
The recommended protection in Java is to invalidate the Session before authenticating the user, with something like this:

    HttpSession s = request.getSession(false);
    if (s != null) s.invalidate();
    s = request.getSession(true);

Invalidating the session can be done with Session.get().invalidate() or invalidateNow(), but that leaves, as far as I can tell, Wicket's Session in a broken state, preventing the login altogether. Instead of continuing to tamper with Wicket internals, is there a solution available?

Regards,
Enes F.
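As an added illustration of the pattern the post describes (this is example code written for this page, not from the original post, Wicket, or any Wicket project), here is the plain Servlet-API version of "rotate the session id before marking the user as authenticated". It carries the pre-login attributes over to the new session so the user does not lose them; the authenticate() method and the "principal" attribute name are placeholders assumed for the example.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Session-fixation countermeasure at the Servlet API level (added example, not Wicket code).
 * rotateSession() is meant to be called from the login handler after the credentials
 * have been verified but before the authenticated principal is stored in the session.
 */
public final class SessionRotation {

    private SessionRotation() {}

    /**
     * Invalidates the caller's current session (if any) and returns a fresh one that
     * carries the same attributes. Any session id that was already known to a third
     * party before login stops being valid the moment the user authenticates.
     */
    public static HttpSession rotateSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<String, Object>();
        if (old != null) {
            // Copy pre-login state (locale, cart, ...) so the user does not lose it.
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            // invalidate() destroys the old id on the server side: a JSESSIONID that was
            // set in the browser before login no longer maps to any server-side session.
            old.invalidate();
        }
        // getSession(true) after invalidate() makes the container issue a brand-new id.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    /** Example login flow; authenticate() and the "principal" attribute are assumptions. */
    public static boolean login(HttpServletRequest request, String user, String password) {
        if (!authenticate(user, password)) {
            return false;
        }
        // Rotate the id BEFORE the session is marked as authenticated.
        HttpSession session = rotateSession(request);
        session.setAttribute("principal", user);
        return true;
    }

    private static boolean authenticate(String user, String password) {
        // Placeholder only: replace with the application's real credential verification.
        return user != null && password != null && !password.isEmpty();
    }
}
```

Two caveats for a Wicket application: the HttpSession also holds Wicket's own entries, and the framework's Session object stays bound to the invalidated HttpSession, which is exactly the "broken state" the post describes, so with Wicket the rotation has to go through the framework rather than through the raw Servlet API (Wicket 1.5 and later expose Session.replaceSession() for this purpose). Also review which attributes you carry over: anything that should be tied to the old id, such as an anti-CSRF token, belongs to the old session and should be regenerated rather than copied.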
