
Replace the session upon successful signin for better support for Session Fixation

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 6.18.0, 7.0.0-M4
    • Fix Version/s: 7.0.0-M5, 6.19.0
    • Component/s: wicket-auth-roles
    • Labels:
      None

      Description

      See http://markmail.org/message/twbipkcmc5v6rto7 :

      --------------------------------
      Hi all,

      While implementing the login in my current project I came across
      WICKET-1767[1] which deals with session fixation problems, but to my
      surprise it looks like the newly created method is not called
      automatically by Wicket. If I search the code base for
      "replaceSession(" I only get one result, the method itself.

      Is there any reason why Wicket doesn't call the method automatically?
      Looks to me like AuthenticatedWebSession.signIn would be a good place
      to call it automatically. When should I call it instead, at the
      beginning of AuthenticatedWebSession.authenticate? This would prevent
      session fixation even if an exception got thrown during the authentication
      itself for any reason.
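      The rotation the thread asks for, shown as an added application-side illustration written for this page (it is not Wicket's own implementation of the fix, nor code from the mailing-list author). It assumes, as in the Wicket versions the issue lists, that AuthenticatedWebSession.signIn is final and that authenticate is the hook an application overrides; the class name RotatingSession, the package and the demo credential check are constructed for the example.

```java
package com.example.app; // hypothetical application package

import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.request.Request;

/**
 * Application session that rotates the underlying HTTP session when a user
 * proves their identity, so a session id that was handed to the browser
 * before login is not the id that becomes authenticated.
 */
public class RotatingSession extends AuthenticatedWebSession {

    // Constructed demo credentials; a real application delegates to its user store.
    private static final String DEMO_USER = "alice";
    private static final String DEMO_PASSWORD = "correct horse battery staple";

    private String userName;

    public RotatingSession(Request request) {
        super(request);
    }

    @Override
    protected boolean authenticate(String username, String password) {
        boolean ok = DEMO_USER.equals(username) && DEMO_PASSWORD.equals(password);
        if (!ok) {
            // Failed attempt: privilege level is unchanged, nothing to rotate.
            return false;
        }
        // Privilege level is about to change: invalidate the pre-login session
        // and bind this Wicket session to a fresh one before any authenticated
        // state is recorded. replaceSession() is the method added for WICKET-1767;
        // placing the call here is the application's choice, not Wicket's default.
        replaceSession();
        userName = username;
        return true;
    }

    @Override
    public Roles getRoles() {
        // Only a signed-in session carries roles; AuthenticatedWebSession tracks the flag.
        return isSignedIn() ? new Roles(Roles.USER) : null;
    }

    public String getUserName() {
        return userName;
    }
}
```

      Calling replaceSession() only after the credential check rotates the id exactly once per successful login. The thread's alternative, calling it at the very start of authenticate, also covers the case where the check itself throws, at the cost of issuing a new session id on every failed attempt; either placement removes the attacker-supplied id from the authenticated session, which is the property that matters for session fixation.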

        People

        • Assignee: Martin Grigorov (mgrigorov)
        • Reporter: Martin Grigorov (mgrigorov)
        • Votes: 0
        • Watchers: 3