Chris,
If you read the thread carefully you can extract a quick fix. You'll need
it as the core developers argued against a quick bugfix release.
Just check out Wicket from SVN and apply the patch (2 lines in the Wicket
filter). It's a pain, but if you cannot wait...
Regards,
Erik.
Chris Lintz wrote:
> Guys, has this been resolved?? We have been having some customers complain as
> well (some sending screenshots of other people's data as proof). Because
> our users' click streams are available publicly at their control, we had
> thought jsessionids occurring in the click stream were being maliciously
> hijacked. We plugged that hole by disallowing any jsessionid to be part of the URL
> (via Servlet filter) - yes, this of course means JavaScript must be enabled.
> This involuntary session sharing is still occurring. We are running release
> 1.3.2.
>
>
>
--
Erik van Oosten
http://day-to-day-stuff.blogspot.com/