which jira issue? -igor
On Tue, Aug 5, 2008 at 7:07 AM, RUMikeP <[EMAIL PROTECTED]> wrote:
>
> Hi
>
> I would like to second this request, as I am currently evaluating Rational
> AppScan against a small Wicket Reference Application. Session Fixation has
> been identified as one of the potential weaknesses in my application.
>
> I have just read the discussion on the Jira logs, but hope by adding my
> request here, that this could somehow become part of the core in order to
> avoid each developer having to implement it in each of their applications.
>
> Many thanks
> Mike
>
>
> Enes Fazli wrote:
>>
>> We've invested some more research on this topic because session.invalidate
>> didn't work and came up with a solution. We've created a JIRA-Ticket
>> regarding this topic to document our solution.
>>
>> https://issues.apache.org/jira/browse/WICKET-1767
>>
>> Regards
>> Enes F.
>>
>> On Wed, Jul 30, 2008 at 5:59 PM, Igor Vaynberg <[EMAIL PROTECTED]> wrote:
>>
>>> doing that should be fine, just make sure that after login you
>>> redirect to a bookmarkable url which will then create a new session.
>>>
>>> so
>>> session.invalidate();
>>> loginuser();
>>> setrequesttarget(new bookmarkablepagetarget(...));
>>> getrequest().setredirect(true);
>>>
>>> -igor
>>>
>>> On Wed, Jul 30, 2008 at 7:15 AM, Enes Fazli <[EMAIL PROTECTED]> wrote:
>>> > Hi wicket users,
>>> >
>>> > we are currently in the process of securing our Wicket-powered
>>> > application against various attack vectors. One of them is Session
>>> > Fixation, as described here:
>>> > http://www.owasp.org/index.php/Session_Fixation
>>> >
>>> > The recommended protection in Java is to invalidate the Session before
>>> > authenticating the user, with something like this:
>>> >
>>> > HttpSession s = request.getSession(false);
>>> > if (s != null) s.invalidate();
>>> > s = request.getSession(true);
>>> >
>>> > Invalidating the session can be done with Session.get().invalidate()
>>> > or invalidateNow(), but that leaves, as far as I can tell, Wicket's
>>> > Session in a broken state, preventing the login altogether.
>>> >
>>> > Instead of continuing to tamper with Wicket internals, is there a
>>> > solution available?
>>> >
>>> > Regards,
>>> >
>>> > Enes F.
>
> --
> View this message in context:
> http://www.nabble.com/How-to-protect-against-Session-Fixation-attacks--tp18734278p18831890.html
> Sent from the Wicket - User mailing list archive at Nabble.com.
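As an added example (not code from this thread, and not Wicket's own Session handling), here is the plain-servlet form of the pattern Enes quotes and Igor describes: drop the pre-login session, obtain a fresh one, only then mark the user authenticated, and finish with a redirect to a bookmarkable URL. The servlet class, the attribute names and the abstract checkCredentials hook are this example's own assumptions.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Login servlet that rotates the session id before the user is marked as authenticated. */
public abstract class SessionRotatingLoginServlet extends HttpServlet {

    /** Attribute names are this example's own (hypothetical) choices. */
    static final String USER_ATTR = "authenticatedUser";
    static final String LOCALE_ATTR = "locale";

    /** The credential check belongs to the application; it is not the point of this example. */
    protected abstract boolean checkCredentials(String username, String password);

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        if (user == null || !checkCredentials(user, req.getParameter("password"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession fresh = renewSession(req);
        // Only the new session, whose id was issued after the credential check, carries the login.
        fresh.setAttribute(USER_ATTR, user);
        // Redirect to a bookmarkable GET URL so the next request arrives with the new session cookie.
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    /** Invalidates the pre-login session (whose id the browser may have received from a third party) and starts a clean one. */
    static HttpSession renewSession(HttpServletRequest req) {
        Map<String, Object> keep = new HashMap<String, Object>();
        HttpSession old = req.getSession(false);
        if (old != null) {
            // Carry over only harmless, explicitly listed state; never copy all attributes blindly.
            Object locale = old.getAttribute(LOCALE_ATTR);
            if (locale != null) keep.put(LOCALE_ATTR, locale);
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true); // the container issues a new id here
        for (Map.Entry<String, Object> e : keep.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

On Servlet 3.1 or later containers, `req.changeSessionId()` rotates the id while keeping the attributes, which removes the need for the copy step above.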
