Chris,

If you read the thread carefully you can extract a quick fix. You'll need it as the core developers argued against a quick bugfix release. Just check out Wicket from SVN and apply the patch (2 lines in the Wicket filter). It's a pain, but if you cannot wait...

Regards,
Erik.

Chris Lintz wrote:
> Guys, has this been resolved?? We have been having some customers complain as
> well (some sending screen shots of other people's data as proof). Because
> our users' click streams are available publicly at their control, we had
> thought jsessionids occurring in the click stream were being maliciously
> hijacked. We plugged that hole disallowing any jsessionid to be part of url
> (via Servlet filter) - yes this of course means JavaScript must be enabled.
> This involuntary session sharing is still occurring. We are running release
> 1.3.2.

--
Erik van Oosten
http://day-to-day-stuff.blogspot.com/