Yes, I agree. Thanks for clarifying. :)

On Mon, Mar 12, 2012 at 7:40 AM, Hielke Hoeve <[email protected]> wrote:
> Dan,
>
> JSESSIONIDs are not inherently secure. Users can be so dumb as to
> copy/paste a URL with a JSESSIONID as query parameter and send it to
> someone else via email/msn/etc. When that other person clicks the URL,
> while the first person is logged in, he is logged in as well.
> Web applications should always invalidate the Wicket session before
> authenticating. (use Session.get().replaceSession() )
>
> See also: http://www.owasp.org/index.php/Session_Fixation
>
> Hielke
>
> -----Original Message-----
> From: Dan Retzlaff [mailto:[email protected]]
> Sent: Monday 5 March 2012 3:53
> To: [email protected]
> Subject: Re: Wicket authentication: how to store user?
>
> Paolo, sessions are accessed with a JSESSIONID cookie or query parameter
> supplied with each request. It's not possible for one user to guess another
> user's session ID, so the approach Martin describes is inherently secure.
> (Just be careful with your authentication code and form/query parameter
> validation elsewhere in your app!)
>
> Dan
>
> On Sat, Mar 3, 2012 at 4:40 AM, Paolo <[email protected]> wrote:
>
> > On Saturday 03 March 2012, Martin Grigorov wrote:
> > > Hi,
> > >
> > > Save the logged in user id in the Session.
> > >
> > > MySession.java:
> > >
> > >     private long userId;
> > >
> > >     public User getUser() {
> > >         return userService.getUserById(userId);
> > >     }
> > >
> > > AnyPage.java:
> > >     user = MySession.get().getUser();
> >
> > Thank you for the support and explanation code, very useful because I am a
> > newbie.
> > Just one more question: Is it secure?
> > Can someone alter session data and change user data, so a hacker could
> > log in with his own account but operate with other accounts?
> > Do I need some random code like this "hdfds6yh6yhgtruifh4hf4frh9ruehfe" to
> > store temporarily in session and database and associate it to a specific
> > user?
> >
> > I added registration and user/password sign-in and checking with
> > database, instead of simple "wicket" as user and password.
> >
> > All works ok, but now I need in AdminPage to know which user is
> > logged in.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [email protected]
> > For additional commands, e-mail: [email protected]
>
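One way to apply Hielke's advice to Martin's MySession sketch, as an added example rather than code from the thread: the credentials are checked first, and only on success is the pre-login session id retired with replaceSession() before the user id is stored. The UserService.authenticate() method, the User class and the injection of userService from the Application are assumptions, not part of the original posts.

```java
import org.apache.wicket.Session;
import org.apache.wicket.protocol.http.WebSession;
import org.apache.wicket.request.Request;

public class MySession extends WebSession {
    private static final long serialVersionUID = 1L;

    // Assumed collaborator (not in the thread): the same UserService Martin uses,
    // extended with a credential check. Sessions are serialized, so keep it serializable.
    public interface UserService extends java.io.Serializable {
        User getUserById(long id);
        /** Returns the user's id, or -1 when username/password do not match. */
        long authenticate(String username, String password);
    }

    private final UserService userService;   // assumed to be passed in from newSession()
    private long userId = -1;                // -1 means anonymous

    public MySession(Request request, UserService userService) {
        super(request);
        this.userService = userService;
    }

    public static MySession get() {
        return (MySession) Session.get();
    }

    /** Check the credentials first, then bind the user to a brand-new session id. */
    public boolean signIn(String username, String password) {
        long id = userService.authenticate(username, password);
        if (id < 0) {
            return false;                    // failed login: leave the session untouched
        }
        // Retire the pre-login session id (it could have reached the victim in a pasted
        // URL) and continue under a fresh one, so a fixated id never becomes an
        // authenticated one. This is the replaceSession() call from Hielke's reply.
        replaceSession();
        userId = id;
        return true;
    }

    public User getUser() {
        return userId >= 0 ? userService.getUserById(userId) : null;
    }

    /** On logout drop the user id and the HTTP session together. */
    public void signOut() {
        userId = -1;
        invalidateNow();
    }
}
```

A login form then calls MySession.get().signIn(username, password) and redirects on success; pages keep using MySession.get().getUser() exactly as in Martin's AnyPage.java.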
