Good morning all,
I'm hoping I've misconfigured something in my application, but we seem to be
prone to session stealing in our wicket application. We're using
wicket-auth-roles to provide the security, and if you are able to access the
jsessionid you can get another machine to log straight
scripts that spider your site, ignoring your robots.txt
file--even on private networks.
-Original Message-
From: Andrew Turner [mailto:grim_toas...@hotmail.com]
Sent: Wednesday, December 02, 2009 4:24 AM
To: users@wicket.apache.org
Subject: Session stealing with wicket-auth-roles
Good morning all,
I'm hoping I've misconfigured something in my
This is not a Wicket issue. However, there is a good discussion on
the topic here:
http://old.nabble.com/JSESSIONID-hijacking-td22492701.html
What application server are you using?
On Wed, Dec 2, 2009 at 4:24 AM, Andrew Turner grim_toas...@hotmail.com wrote:
Good morning all,
I'm hoping
The Seam folks have a fix for removing JSESSIONID from the URLs, too:
http://seamframework.org/Documentation/RemovingJSESSIONIDFromYourURLsAndFixingScache
On Wed, Dec 2, 2009 at 9:31 AM, James Carman
jcar...@carmanconsulting.com wrote:
This is not a Wicket issue. However, there is a good
That's basically the same code as on
http://randomcoder.com/articles/jsessionid-considered-harmful.
OWASP also has a good deal to say about sessions:
http://www.owasp.org/index.php/Session_Management
Regards,
Erik.
James Carman wrote:
The Seam folks have a fix for removing JSESSIONID
[mailto:grim_toas...@hotmail.com]
Sent: Wednesday, 2 December 2009 10:24
To: users@wicket.apache.org
Subject: Session stealing with wicket-auth-roles
Good morning all,
I'm hoping I've misconfigured something in my application, but we seem to be
prone to session stealing in our wicket
2009/12/2 Andrew Turner grim_toas...@hotmail.com:
Good morning all,
I'm hoping I've misconfigured something in my application, but we seem to be
prone to session stealing in our wicket application. We're using
wicket-auth-roles to provide the security, and if you are able to access the
is where weblogic gets involved and sets its own secure-cookie. Oh
well, at least now we should be able to prevent people emailing each other
their sessions!
Thanks again.
Andy
From: grim_toas...@hotmail.com
To: users@wicket.apache.org
Subject: Session stealing with wicket-auth-roles
Date: Wed