[WICKET-3469] Referrer Leaking with ExternalLink - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.4.15
Fix Version/s: 1.4.17, 1.5-RC3
Component/s: wicket
Labels:
None

Description

When Cookies are turned off, the jsessionid is included in the URL of the wicket application, e.g. http://localhost:8080/wicket-app/;jsessionid=03A529631FB1B9BA35556EA02519DF99?x=cOa8p3ycZvK*eAoEOzxHjg

ExternalLink renders links like <a href="http://www.google.de/">Google</a>

When the user clicks on such an external link, the browser puts the current URL (including the session id) into the Referrer HTTP header. This is an security issue. Instead, the ExternalLink should use a redirect to open the external url.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

WICKET-3469.zip
22/Feb/11 21:54
21 kB
Pedro Santos

Activity

People

Assignee:: Martin Tzvetanov Grigorov

Reporter:: Holger Jaekel

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 22/Feb/11 21:26

Updated:: 27/Feb/11 10:13

Resolved:: 27/Feb/11 10:13