Hello Team Wicket:

We are in the process of getting our web application approved for a security 
clearance.

Two related issues are:

1. The presence of a jsessionid in the URL when the application loads

2. Maintaining the same jsessionid cookie after login (Session Fixation)

A quick search pointed me to the following two fixes for these issues, 
respectively:

1. Removing jsessionid from the URL: Used for search engine bots - 
https://cwiki.apache.org/confluence/display/WICKET/SEO+-+Search+Engine+Optimization

2. Invalidating the current session upon authentication and then 
creating a new session: 
http://stackoverflow.com/questions/8162646/how-to-refresh-jsessionid-cookie-after-login

Both of these tips were posted a while ago, so I wanted to reach out to the 
community to see if other approaches are recommended.

BTW we are using Glassfish 4.

Thank you,

- ER
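
An added example, not part of the original message and not the poster's or Wicket's own code: the two fixes listed above, written against the plain Servlet 3.x API that Glassfish 4 provides. The class name `SessionHardening` and the helper `renewSession` are hypothetical.

```java
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical class name (assumption, not from the original message).
@WebListener
public class SessionHardening implements ServletContextListener {

    // Issue 1: track sessions by cookie only, so the container stops
    // appending ";jsessionid=..." to URLs on the first response.
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        sce.getServletContext()
           .setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to clean up
    }

    // Issue 2: call after the credentials have been verified and before the
    // user is marked as authenticated. The pre-login session id is discarded,
    // so an id planted before login is useless afterwards.
    public static HttpSession renewSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<>();
        if (old != null) {
            // Carry over only what the application needs after login.
            for (String name : Collections.list(old.getAttributeNames())) {
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Inside Wicket code the same renewal is available as `Session.get().replaceSession()`, which invalidates the HTTP session and rebinds the Wicket session to a new one.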
