Wicket / WICKET-2629

HttpsRequestCycleProcessor causes HttpSession to be created


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Won't Fix
    • 1.4.4
    • 1.4.6
    • None
    • None

    Description

      The HttpsRequestCycleProcessor has the following code:

      public IRequestTarget resolve(RequestCycle rc, RequestParameters rp)
      {
          // we need to persist the session before a redirect to https so the session lasts across
          // both http and https calls.
          Session.get().bind();
          IRequestTarget target = super.resolve(rc, rp);
          return checkSecure(target);
      }

      The Session.get().bind() causes an HttpSession to be created even if the target page is stateless. In our application all our pages are https and our login page is stateless. Because the session is created anyway, we are now exposed to a DoS attack.

      I don't really see why an HttpSession needs to be forced here. If the page is stateful, then a session will be created anyway. If the current page is stateless but the user had already navigated stateful pages, then a session will be present again. Is there a scenario where it is important to force the session creation? Can a mechanism be provided that will disable this behaviour?
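      One way to avoid the per-request HttpSession on stateless pages is a subclass that resolves the target first and only binds the session when it is already bound or the target page is stateful. This is an added example, not code from the Wicket project or from the reporter; it assumes the Wicket 1.4 API names used below (HttpsConfig, IPageRequestTarget, Session.isTemporary(), Page.isPageStateless()).

```java
// Added example, not Wicket project code. Assumes the Wicket 1.4 API names
// imported below; the class name LazyBindHttpsRequestCycleProcessor is made up.
import org.apache.wicket.IRequestTarget;
import org.apache.wicket.Page;
import org.apache.wicket.RequestCycle;
import org.apache.wicket.Session;
import org.apache.wicket.protocol.https.HttpsConfig;
import org.apache.wicket.protocol.https.HttpsRequestCycleProcessor;
import org.apache.wicket.request.RequestParameters;
import org.apache.wicket.request.target.component.IPageRequestTarget;

/**
 * Variant of HttpsRequestCycleProcessor that binds the HttpSession only when
 * there is something to carry across the http -> https redirect: a session
 * that is already bound, or a stateful target page. A stateless login page
 * served over https therefore no longer creates a server-side session per hit.
 */
public class LazyBindHttpsRequestCycleProcessor extends HttpsRequestCycleProcessor {

    public LazyBindHttpsRequestCycleProcessor(HttpsConfig config) {
        super(config);
    }

    @Override
    public IRequestTarget resolve(RequestCycle rc, RequestParameters rp) {
        // Resolve first so the target can be inspected before deciding to bind.
        IRequestTarget target = super.resolve(rc, rp);
        if (needsSession(target)) {
            // Same reason as the original code: keep one session across http and https.
            Session.get().bind();
        }
        return checkSecure(target);
    }

    /** True if a session is already bound or the target is a stateful page instance. */
    static boolean needsSession(IRequestTarget target) {
        if (!Session.get().isTemporary()) {
            return true; // already persisted; bind() would be a no-op anyway
        }
        if (target instanceof IPageRequestTarget) {
            Page page = ((IPageRequestTarget) target).getPage();
            return page != null && !page.isPageStateless();
        }
        // Resource and other non-page targets carry no page state to persist.
        return false;
    }
}
```

      Bookmarkable targets are treated as not needing a session because the page instance does not exist yet at resolve time; if your application stores data in the session while rendering a stateless page, extend needsSession accordingly (this is an assumption about your pages, not something the issue states).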

          People

            Assignee: Igor Vaynberg (ivaynberg)
            Reporter: Damien Hollis (damien.hollis)
            Votes: 0
            Watchers: 0
