As long as your shopping cart state is in your Wicket Session (not the HTTP session), you should be okay. Session#replaceSession() invalidates the HTTP session, but immediately binds the Wicket Session object to the new HTTP session. Happy shopper, unhappy attacker. :)
On Mon, Mar 12, 2012 at 12:23 PM, Thomas Götz <[email protected]> wrote:
> That's not always feasible with respect to user experience. Just think of
> some order process where e.g. you are asked to log in when doing a
> "checkout" (of your shopping cart).
>
> -Tom
>
>
> Hielke Hoeve wrote:
>
>> Web applications should always invalidate the Wicket session before
>> authenticating. (use Session.get().replaceSession() )
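The pattern the reply describes, written out as an added example (not code from this thread or from the Wicket project itself). It assumes Wicket's auth-roles module (AuthenticatedWebSession, AuthenticatedWebApplication) and a hypothetical CheckoutPage plus the usual LoginPage.html markup; the cart is a field of the Wicket Session subclass, so it survives replaceSession(), whereas anything stored directly as an HttpSession attribute would not:

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import org.apache.wicket.authroles.authentication.AbstractAuthenticatedWebSession;
import org.apache.wicket.authroles.authentication.AuthenticatedWebApplication;
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.markup.html.form.PasswordTextField;
import org.apache.wicket.markup.html.form.TextField;
import org.apache.wicket.model.PropertyModel;
import org.apache.wicket.request.Request;

/** Cart state lives as a field of the Wicket Session object, not as an HttpSession attribute. */
public class ShopSession extends AuthenticatedWebSession {
    private final List<String> cart = new ArrayList<>();

    public ShopSession(Request request) {
        super(request);
    }

    public static ShopSession get() {
        return (ShopSession) AuthenticatedWebSession.get();
    }

    public void addToCart(String sku) {
        cart.add(sku);
    }

    public List<String> getCart() {
        return Collections.unmodifiableList(cart);
    }

    @Override
    public boolean authenticate(String username, String password) {
        // Hypothetical credential check; a real application consults its user store.
        return "alice".equals(username) && "correct horse".equals(password);
    }

    @Override
    public Roles getRoles() {
        return isSignedIn() ? new Roles(Roles.USER) : null;
    }
}

/** Login page reached at checkout: the HTTP session is replaced before credentials are checked. */
class LoginPage extends WebPage {
    private String username;
    private String password;

    LoginPage() {
        Form<Void> form = new Form<Void>("login") {
            @Override
            protected void onSubmit() {
                ShopSession session = ShopSession.get();
                List<String> cartBefore = new ArrayList<>(session.getCart());

                // Invalidate the pre-authentication HTTP session (the one an attacker could
                // have fixed) and bind this same Wicket Session instance to a fresh one.
                session.replaceSession();

                if (session.signIn(username, password)) {
                    // Same Java object, same field: the cart is intact after the swap.
                    if (!cartBefore.equals(session.getCart())) {
                        throw new IllegalStateException("cart lost across replaceSession()");
                    }
                    setResponsePage(CheckoutPage.class); // hypothetical page
                } else {
                    error("Login failed");
                }
            }
        };
        form.add(new TextField<>("username", new PropertyModel<String>(this, "username")));
        form.add(new PasswordTextField("password", new PropertyModel<String>(this, "password")));
        add(form);
    }
}

/** Application wiring so Wicket instantiates ShopSession for every new session. */
class ShopApplication extends AuthenticatedWebApplication {
    @Override
    public Class<? extends WebPage> getHomePage() {
        return LoginPage.class;
    }

    @Override
    protected Class<? extends AbstractAuthenticatedWebSession> getWebSessionClass() {
        return ShopSession.class;
    }

    @Override
    protected Class<? extends WebPage> getSignInPageClass() {
        return LoginPage.class;
    }
}
```

The check worth adding to any real deployment is the negative case: anything the application (or a servlet filter in front of it) wrote straight into the HttpSession via the container request is gone after replaceSession(), so keep all state that must survive login inside the Wicket Session subclass, and confirm with a browser that the session cookie value actually changes on login.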
