> > 3. I tried setting up the CryptedUrlWebRequestCodingStrategy. This > successfully managed to encrypt the resulting wicket specific URL to > ?x=a325u0234usdajfasdf, but the thing is, the login page now started > expiring again. The reason is that CryptedUrlWebRequestCodingStrategy uses > a > key stored in the session, which has the effect of making all stateless > links stateful again. >
According to the javadoc of CryptedUrlWebRequestCodingStrategy you can set an ICryptFactory using an application-based key rather than a session-based key. This should solve the "looks" of your url while keeping the session stateless. However as the javadoc also mentions this leaves the application open to CSRF attacks. Antoine
