Actually we're using glassfish 4 and it's a good question, but I don't know if we configured it to not use jsessionid? I'll research that.
Thanks for your input. Lois -----Original Message----- From: Sven Meier [mailto:s...@meiers.net] Sent: Friday, December 04, 2015 12:43 PM To: users@wicket.apache.org Subject: Re: jsession id in url Hi, did you configure Tomcat to not use jsessionid? http://stackoverflow.com/questions/962729/is-it-possible-to-disable-jsessionid-in-tomcat-servlet Regards Sven On 04.12.2015 17:03, Lois GreeneHernandez wrote: > Hi All, > > I was tasked with modifying a wicket6/glassfish4 application so that the > session id changes as soon as a user logs in. This is to avoid the problem > of Session Fixation. I used the replaceSession() method (from the wicket > Session class), which does a destroy(); and a bind();. replaceSession(). It > seem to do the trick as the session id does indeed change. The problem is > that now we see a jsessionid in the url everytime we initially log on. The > id goes away after you log in and only appears on the initial launch. > > My question is, is there a way to ensure that no jessionid appears in the url > AND that the session id changes? Any advice would be greatly appreciated. > > Thanks > > Lois > > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
