Hi,

See the Tomcat 7/8 hint at the bottom. GF4 should support that already.

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Fri, Dec 4, 2015 at 8:02 PM, Lois GreeneHernandez <lgreenehernan...@knoa.com> wrote:

> Actually we're using glassfish 4 and it's a good question, but I don't
> know if we configured it to not use jsessionid? I'll research that.
>
> Thanks for your input.
>
> Lois
>
> -----Original Message-----
> From: Sven Meier [mailto:s...@meiers.net]
> Sent: Friday, December 04, 2015 12:43 PM
> To: users@wicket.apache.org
> Subject: Re: jsession id in url
>
> Hi,
>
> did you configure Tomcat to not use jsessionid?
>
> http://stackoverflow.com/questions/962729/is-it-possible-to-disable-jsessionid-in-tomcat-servlet
>
> Regards
> Sven
>
> On 04.12.2015 17:03, Lois GreeneHernandez wrote:
> > Hi All,
> >
> > I was tasked with modifying a wicket6/glassfish4 application so that the
> > session id changes as soon as a user logs in. This is to avoid the problem
> > of Session Fixation. I used the replaceSession() method (from the wicket
> > Session class), which does a destroy(); and a bind();. replaceSession().
> > It seems to do the trick as the session id does indeed change. The problem
> > is that now we see a jsessionid in the url every time we initially log on.
> > The id goes away after you log in and only appears on the initial launch.
> >
> > My question is, is there a way to ensure that no jsessionid appears in
> > the url AND that the session id changes? Any advice would be greatly
> > appreciated.
> >
> > Thanks
> >
> > Lois
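
The following is an added example, not part of the thread or of Wicket's own code: it restricts session tracking to cookies so the container never writes `;jsessionid=` into URLs, while the `replaceSession()` call at login stays in the application as described above. It assumes the "Tomcat 7/8 hint" refers to the Servlet 3.0 session tracking-mode setting and that the container is Servlet 3.0 or later; the class names, the filter name and the optional rejecting filter are hypothetical.

```java
import java.io.IOException;
import java.util.EnumSet;
import java.util.Locale;
import javax.servlet.*;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: class names are hypothetical; needs a Servlet 3.0+ container.
@WebListener
public class CookieOnlySessions implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        // Same effect as <tracking-mode>COOKIE</tracking-mode> under
        // <session-config> in web.xml: encodeURL() stops appending
        // ;jsessionid=... and session ids arriving in a URL are ignored.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
        // Optional hardening (assumption, not from the thread): refuse
        // requests that still carry a session id in the URL.
        ctx.addFilter("rejectUrlSessionId", new RejectUrlSessionId())
           .addMappingForUrlPatterns(null, false, "/*");
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }

    static final class RejectUrlSessionId implements Filter {
        @Override public void init(FilterConfig cfg) { }
        @Override public void destroy() { }

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest http = (HttpServletRequest) req;
            String uri = http.getRequestURI().toLowerCase(Locale.ROOT);
            // A URL-borne session id is never legitimate once tracking is cookie-only.
            if (http.isRequestedSessionIdFromURL() || uri.contains(";jsessionid=")) {
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
            chain.doFilter(req, res);
        }
    }
}
```

With cookie-only tracking, clients that refuse cookies get a new session on every request instead of a URL-encoded id, so the login page should state that cookies are required.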