This is not a Wicket issue. However, there is a good discussion on the topic here:
http://old.nabble.com/JSESSIONID-hijacking-td22492701.html

What application server are you using?

On Wed, Dec 2, 2009 at 4:24 AM, Andrew Turner <[email protected]> wrote:
>
> Good morning all,
>
> I'm hoping I've misconfigured something in my application, but we seem to be
> prone to session stealing in our Wicket application. We're using
> wicket-auth-roles to provide the security, and if you are able to access the
> jsessionid you can get another machine to log straight into the application
> as the intercepted user. We're using HTTPS for the communication, so
> hopefully the likelihood of this occurring is quite small, but we are still
> being forced to contemplate rewriting the security layer (which I want to
> avoid if possible).
>
> So, my question: have I misconfigured something, or is it just not possible
> to prevent this sort of attack when using wicket-auth-roles?
>
> I've managed to create a completely stripped-down app that still has the
> problem. Below is the AuthenticatedWebSession implementation:
>
>     import org.apache.wicket.Request;
>     import org.apache.wicket.authentication.AuthenticatedWebSession;
>     import org.apache.wicket.authorization.strategies.role.Roles;
>
>     public class HelloWorldWebSession extends AuthenticatedWebSession {
>         public HelloWorldWebSession(Request request) { super(request); }
>
>         @Override
>         public boolean authenticate(String username, String password) {
>             return "helloUser".equals(username) && "password".equals(password);
>         }
>
>         @Override
>         public Roles getRoles() {
>             return isSignedIn() ? new Roles(Roles.USER) : null;
>         }
>     }
>
> And the simple page:
>
>     import org.apache.wicket.authorization.strategies.role.annotations.AuthorizeInstantiation;
>     import org.apache.wicket.markup.html.WebPage;
>
>     @AuthorizeInstantiation("USER")
>     public class HelloWorldHomePage extends WebPage { }
>
> And the application:
>
>     import org.apache.wicket.Page;
>     import org.apache.wicket.authentication.AuthenticatedWebApplication;
>     import org.apache.wicket.authentication.AuthenticatedWebSession;
>     import org.apache.wicket.authentication.pages.SignInPage;
>     import org.apache.wicket.markup.html.WebPage;
>
>     public class HelloWorldApplication extends AuthenticatedWebApplication {
>         @Override
>         protected void init() {
>             super.init();
>             mountBookmarkablePage("home", HelloWorldHomePage.class);
>             mountBookmarkablePage("signin", SignInPage.class);
>         }
>
>         @Override
>         protected Class<? extends WebPage> getSignInPageClass() {
>             return SignInPage.class;
>         }
>
>         @Override
>         protected Class<? extends AuthenticatedWebSession> getWebSessionClass() {
>             return HelloWorldWebSession.class;
>         }
>
>         @Override
>         public Class<? extends Page> getHomePage() {
>             return HelloWorldHomePage.class;
>         }
>     }
>
> The URL below, once logged in on one machine, could then be used on multiple
> machines to bypass the security layer:
>
> http://localhost:9090/HelloWorld/home;jsessionid=<SESSION_ID_TAKEN_FROM_URL/COOKIE>
>
> Many Thanks
> Andy
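The usual fix for the behaviour described in the thread is a container-level one rather than anything in wicket-auth-roles: stop the session id from ever travelling in the URL, and stop the container from rewriting it into links. The filter below is an added example written for this page; it is not code from either poster or from the Wicket project, and the class name, error message and web.xml placement are my own assumptions. It uses only the standard javax.servlet API (Servlet 2.5 or later), so it applies to the Wicket 1.4 setup shown above.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Hypothetical filter (added example, not part of Wicket) that keeps the
 * session id out of URLs. Map it in web.xml ahead of the WicketFilter so
 * every Wicket request passes through it first.
 */
public class NoUrlSessionIdFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // 1. Never honour a session id that arrived as ";jsessionid=..." in the
        //    path. The container has already resolved the session by the time we
        //    run, so refusing to serve the request is what makes the copied URL
        //    from the report above useless on a second machine.
        if (req.isRequestedSessionIdFromURL()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST,
                           "session id must be sent as a cookie");
            return;
        }

        // 2. Stop URL rewriting on the way out. Wicket renders its links through
        //    HttpServletResponse.encodeURL(), which appends ";jsessionid=" for a
        //    client that has not yet presented a session cookie (the redirect
        //    right after sign-in is exactly that case). Returning the URL
        //    unchanged makes the cookie the only transport for the id.
        HttpServletResponse noRewrite = new HttpServletResponseWrapper(resp) {
            @Override
            public String encodeURL(String url) {
                return url;
            }

            @Override
            public String encodeRedirectURL(String url) {
                return url;
            }
        };
        chain.doFilter(req, noRewrite);
    }

    public void destroy() {
        // nothing to release
    }
}
```

Register the filter with a `<filter-mapping>` whose `<url-pattern>` matches the WicketFilter's, listed before it in web.xml so it wraps the response Wicket writes to. On a Servlet 3.0 container the same effect is available declaratively, with `<tracking-mode>COOKIE</tracking-mode>` plus `<http-only>true</http-only>` and `<secure>true</secure>` under `<session-config>`, and on Servlet 3.1 `HttpServletRequest.changeSessionId()` lets you rotate the id immediately after a successful sign-in, which closes the related session-fixation case. None of this helps once an attacker already holds the cookie value: a JSESSIONID is a bearer token, so end-to-end HTTPS, HttpOnly and Secure cookie flags, and a short idle timeout are what limit the damage.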
