but all actions on bookmarkable pages have session-relative URLs, which makes guessing the correct URL still problematic.

Martijn

On Thu, Aug 7, 2008 at 3:16 PM, Erik van Oosten <[EMAIL PROTECTED]> wrote:
>
> Johan Compagner wrote:
>> ...Which is pretty random. Only if all users would go over the same path
>> always to the same page then the id could be guessed.
>>
> Actually, I do not think that is completely far-fetched. In my banking
> applications I mostly follow the same path. In some applications there
> may be a high chance that the guessed path is correct.
> Then again, it is easily fixed by starting at a random page version number.
>
> In addition, many Wicket applications use bookmarkable pages. Easily
> avoided if you're worried about CSRF of course.
>
> Regards,
> Erik.
>
> --
> Erik van Oosten
> http://day-to-day-stuff.blogspot.com/
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>

--
Become a Wicket expert, learn from the best: http://wicketinaction.com
Apache Wicket 1.3.4 is released
Get it now: http://www.apache.org/dyn/closer.cgi/wicket/1.3.
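The two mitigations the thread touches on, a per-session random starting page version and an unguessable session-bound value in every action URL, can be modelled in a few lines. The following is an added illustration, not Wicket's code or API: `Session`, `action_url` and `handle_action` are hypothetical names, and the URL layout is constructed for the example. It shows why a forged URL built on the assumption "versions start at 0, no secret needed" is rejected even when the attacker knows the page and action names.

```python
"""Added example: CSRF defence for stateless (bookmarkable) page actions.

Models two ideas from the thread above:
  * page version numbers that start at a random per-session offset, so a
    forger cannot assume every session begins at version 0; and
  * a secret token bound to the session and carried in each action URL,
    which a bookmarkable page can still require before acting.

All names here (Session, action_url, handle_action) are hypothetical and
not part of Wicket's API.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class Session:
    """Server-side state for one user's session."""

    def __init__(self):
        # Secret bound to this session; never derived from anything public.
        self.csrf_token = secrets.token_urlsafe(32)
        # Page versions start at a random offset rather than at 0.
        self.first_version = secrets.randbelow(1 << 30)
        self.page_version = self.first_version
        # Record of actions actually performed (for the checks below).
        self.actions_performed = []

    def next_page_version(self):
        """Advance the page version, as rendering a new page state would."""
        self.page_version += 1
        return self.page_version


def action_url(session, page, action):
    """Build the URL the server renders into a page for a given action."""
    query = {
        "page": page,
        "action": action,
        "version": session.page_version,
        "token": session.csrf_token,
    }
    return "/app?" + urlencode(query)


def handle_action(session, url):
    """Perform the action only if the URL carries this session's own token
    and a page version this session has actually issued. Returns True when
    the action was accepted, False when it was rejected."""
    params = parse_qs(urlparse(url).query)
    token = params.get("token", [""])[0]
    version = params.get("version", [""])[0]
    # Constant-time comparison so timing differences do not leak the token.
    if not hmac.compare_digest(token, session.csrf_token):
        return False
    # A version outside the range this session has handed out is a forgery
    # or a stale link; either way, do not act on it.
    if not version.isdigit():
        return False
    if not session.first_version <= int(version) <= session.page_version:
        return False
    session.actions_performed.append(params.get("action", [""])[0])
    session.next_page_version()
    return True


if __name__ == "__main__":
    s = Session()
    legit = action_url(s, "account", "transfer")
    print("legitimate link accepted:", handle_action(s, legit))
    forged = "/app?page=account&action=transfer&version=0"
    print("forged link (no token, version 0) accepted:", handle_action(s, forged))
```

The token check is what actually blocks a cross-site request; the random version offset only removes one of the guesses an attacker could otherwise make, which is the point Erik raises about users who follow the same path every time.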
