Hi,

Still busy looking into it, but using the suggested fix posted by Enes Fazli I notice two strange behaviours:

If I use the default FileSessionStore, the URLs are as per normal, e.g. wicket:2, but if I change to HttpSessionStore then I get an additional "-0" appended, e.g. wicket-0:2.

In addition, it appears that the old sessions that get invalidated at login time are not cleaned up.

Any suggestions/starting points would be most welcome.

Many thanks,
Mike

--
View this message in context: http://www.nabble.com/How-to-protect-against-Session-Fixation-attacks--tp18734278p18868111.html
Sent from the Wicket - User mailing list archive at Nabble.com.
