Description
When Cookies are turned off, the jsessionid is included in the URL of the wicket application, e.g. http://localhost:8080/wicket-app/;jsessionid=03A529631FB1B9BA35556EA02519DF99?x=cOa8p3ycZvK*eAoEOzxHjg
ExternalLink renders links like <a href="http://www.google.de/">Google</a>
When the user clicks on such an external link, the browser puts the current URL (including the session id) into the Referrer HTTP header. This is an security issue. Instead, the ExternalLink should use a redirect to open the external url.