Hi All,

I was tasked with modifying a wicket6/glassfish4 application so that the session id changes as soon as a user logs in. This is to avoid the problem of Session Fixation. I used the replaceSession() method (from the wicket Session class), which does a destroy() and a bind(). replaceSession() seems to do the trick, as the session id does indeed change. The problem is that now we see a jsessionid in the url every time we initially log on. The id goes away after you log in and only appears on the initial launch.

My question is, is there a way to ensure that no jsessionid appears in the url AND that the session id changes? Any advice would be greatly appreciated.

Thanks
Lois
