Details
- Type: Improvement
- Status: Resolved
- Priority: Minor
- Resolution: Fixed
- Fix Version/s: 6.18.0, 7.0.0-M4
- None
Description
See http://markmail.org/message/twbipkcmc5v6rto7 :
--------------------------------
Hi all,
while implementing the login in my current project I came across
WICKET-1767[1] which deals with session fixation problems, but to my
surprise it looks like the newly created method is not called
automatically by Wicket. If I search the code base for
"replaceSession(" I only get one result, the method itself.
Is there any reason why Wicket doesn't call the method automatically?
Looks to me like AuthenticatedWebSession.signIn would be a good place
to call it automatically. When should I call it instead, at the
beginning of AuthenticatedWebSession.authenticate? This would prevent
session fixation even if an exception got thrown during the authentication
itself for any reason.
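One way to do what the mail proposes, as an added example that is not code from the Wicket project or from the reporter: a custom `AuthenticatedWebSession` that calls `replaceSession()` at the start of `authenticate`, so the session id the browser held before login is discarded whether the credential check succeeds, fails, or throws. It assumes Wicket 6.x with wicket-auth-roles on the classpath; the package name, class name, and the in-memory demo account map are constructed for this example.

```java
// Added example, not code from the Wicket project or from the reporter's mail.
// Assumes Wicket 6.x with wicket-auth-roles on the classpath. The package,
// class name and DEMO_ACCOUNTS map are constructed for this example.
package example.auth;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.wicket.Session;
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.request.Request;

/**
 * Session that rotates its id before the credential check, so an id that
 * existed before login (possibly planted by someone else) is never
 * promoted to an authenticated session.
 */
public class FixationSafeSession extends AuthenticatedWebSession {
    private static final long serialVersionUID = 1L;

    // Constructed demo accounts. A real application verifies against its own
    // user store with hashed passwords, never an in-memory plaintext map.
    private static final Map<String, String> DEMO_ACCOUNTS = new ConcurrentHashMap<>();
    static {
        DEMO_ACCOUNTS.put("alice", "correct horse battery staple");
    }

    public FixationSafeSession(Request request) {
        super(request);
    }

    public static FixationSafeSession get() {
        return (FixationSafeSession) Session.get();
    }

    @Override
    protected boolean authenticate(String username, String password) {
        // Rotate first, as the mail suggests: even if the lookup below throws,
        // the pre-login session id is already gone. Session.replaceSession()
        // invalidates the underlying container session and binds this Wicket
        // session to a fresh one, so Wicket-side session state survives.
        replaceSession();

        String expected = DEMO_ACCOUNTS.get(username);
        if (expected == null || password == null) {
            return false;
        }
        // Length-independent comparison so timing does not reveal how many
        // leading characters of the password matched.
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                password.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public Roles getRoles() {
        return isSignedIn() ? new Roles(Roles.USER) : null;
    }
}
```

Register the class by returning it from `AuthenticatedWebApplication.getWebSessionClass()`; the login form then calls `AuthenticatedWebSession.get().signIn(username, password)` as usual, and `signIn` invokes `authenticate` above. Because the rotation happens before the credential check, a failed attempt also gets a new id, which is harmless. On Wicket versions where `signIn` itself already rotates the id, the call here is redundant but not incorrect. Anything the application stored directly in the container's `HttpSession` attributes, outside Wicket's own session object, does not survive `replaceSession()`, so such state should be written after login.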
Issue Links
- is duplicated by WICKET-6416 AuthenticatedWebSession doesn't follow OWASP guidelines (Resolved)
- relates to WICKET-5845 AuthenticatedWebSession.get() returns a new session with signedIn false (Resolved)