My apologies for the run-around. I was not able to see the updates on the Jira log yesterday from the office, so only managed to read the updates when I got home.
I have implemented the latest suggestion (included below for other interested readers, although I suggest they read the Jira log as well), which works perfectly:

    // Method of a subclass of org.apache.wicket.protocol.http.WebSession;
    // needs org.apache.wicket.RequestCycle and org.apache.wicket.protocol.http.WebRequest.
    /**
     * Replaces the underlying HTTP Session, invalidating the current one and
     * creating a new one.
     * <p>
     * Call upon login to protect against session fixation.
     *
     * @see http://www.owasp.org/index.php/Session_Fixation
     */
    public void invalidateHttpSession() {
        ((WebRequest)RequestCycle.get().getRequest()).getHttpServletRequest().getSession().invalidate();
        bind();
    }

Many thanks once again for the great work!!

Johan Compagner wrote:
>
> please make a jira issue for this
>
> On Thu, Aug 7, 2008 at 2:52 PM, RUMikeP <[EMAIL PROTECTED]> wrote:
>
>> Many thanks for the quick response.
>>
>> The pre-login session files in the temp filestore directory are not removed,
>> even after the session timeout. All the new sessions are removed as they
>> expire, but the ones that are invalidated using the patch below remain
>> indefinitely.
>>
>> No, what you see is that by default the http session store has a new window
>> browser detection (new pagemap)
>> It needs that because of the way pages are stored and rolled back.
>>
>> The DiskPageStore doesn't need that it can get all the pages back that it
>> wants
>> so for that the new window detection is by default not enabled.
>>
>> Old sessions are not cleaned up with the diskpagestore?
>> What is not cleaned up?
>>
>> johan
>>
>> --
>> View this message in context:
>> http://www.nabble.com/How-to-protect-against-Session-Fixation-attacks--tp18734278p18869780.html
>> Sent from the Wicket - User mailing list archive at Nabble.com.

--
View this message in context: http://www.nabble.com/How-to-protect-against-Session-Fixation-attacks--tp18734278p18886157.html
Sent from the Wicket - User mailing list archive at Nabble.com.
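As an added example (not code from this thread or from the Wicket project), a session class that uses the same invalidate-then-bind step as part of the login flow, so the user is recorded only after the container session id has been rotated. It assumes the Wicket 1.3-era API the message uses (org.apache.wicket.RequestCycle, protocol.http.WebRequest/WebSession, Session.bind() and dirty()); SecureWebSession and its authenticate() check are hypothetical.

```java
import javax.servlet.http.HttpSession;

import org.apache.wicket.Request;
import org.apache.wicket.RequestCycle;
import org.apache.wicket.protocol.http.WebRequest;
import org.apache.wicket.protocol.http.WebSession;

/**
 * Hypothetical application session. The authenticated user is recorded only
 * after the container session id has been rotated, so a session id that was
 * handed to the browser before login never becomes an authenticated one.
 */
public class SecureWebSession extends WebSession {
    private String username; // null until signIn() succeeds

    public SecureWebSession(Request request) {
        super(request);
    }

    /** Hypothetical credential check; replace with the real authenticator. */
    protected boolean authenticate(String user, String password) {
        return "demo".equals(user) && "s3cret".equals(password);
    }

    public boolean signIn(String user, String password) {
        if (!authenticate(user, password)) {
            return false;
        }
        // Rotate first: the old HttpSession (and its id/cookie) is discarded,
        // so nothing stored under the pre-login id survives into the login.
        invalidateHttpSession();
        // Only now mark the Wicket session authenticated; dirty() flags it
        // for replication in clustered session stores.
        username = user;
        dirty();
        return true;
    }

    /** Same technique as the message above: drop the container session and
     *  re-bind this Wicket session to the fresh one getSession() creates. */
    public void invalidateHttpSession() {
        HttpSession http = ((WebRequest) RequestCycle.get().getRequest())
                .getHttpServletRequest().getSession(false);
        if (http != null) {
            http.invalidate(); // getSession(false): don't create one just to invalidate it
        }
        bind();
    }
}
```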
