[ https://issues.apache.org/jira/browse/WICKET-2629?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12904182#action_12904182 ]
Daniel Peters commented on WICKET-2629:
---------------------------------------

I also think that a Session should only be created in case of a protocol switch. If no switch is necessary, the RequestCycleProcessor should do nothing...

> HttpsRequestCycleProcessor causes HttpSession to be created
> -----------------------------------------------------------
>
>                 Key: WICKET-2629
>                 URL: https://issues.apache.org/jira/browse/WICKET-2629
>             Project: Wicket
>          Issue Type: Bug
>    Affects Versions: 1.4.4
>            Reporter: Damien Hollis
>            Assignee: Igor Vaynberg
>             Fix For: 1.4.6
>
>
> The HttpsRequestCycleProcessor has the following code:
>
>     public IRequestTarget resolve(RequestCycle rc, RequestParameters rp)
>     {
>         // we need to persist the session before a redirect to https so the session lasts across
>         // both http and https calls.
>         Session.get().bind();
>         IRequestTarget target = super.resolve(rc, rp);
>         return checkSecure(target);
>     }
>
> The Session.get().bind() causes an HttpSession to be created even if the target page is stateless. In our application all our pages are https and our login page is stateless. Because the session is created anyway, we are now exposed to a DoS attack.
>
> I don't really see why a HttpSession needs to be forced here. If the page is stateful, then a session will be created anyway. If the current page is stateless but the user had already navigated stateful pages, then a session will be present again. Is there a scenario where it is important to force the session creation? Can a mechanism be provided that will disable this behaviour?

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
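The approach suggested in the comment above (bind the session only when a protocol switch is actually required) as an added example; this is not code from the thread or from Wicket itself. It assumes the Wicket 1.4 API visible in the quoted snippet (resolve(RequestCycle, RequestParameters), checkSecure(IRequestTarget), Session.get().bind()), that checkSecure() is callable from a subclass, that it returns the original target unchanged when no switch is needed and a different redirecting target when one is, and the package names org.apache.wicket.protocol.https.HttpsRequestCycleProcessor and HttpsConfig. The class name LazyBindHttpsRequestCycleProcessor and the identity check are assumptions made for the example.

```java
import org.apache.wicket.IRequestTarget;
import org.apache.wicket.RequestCycle;
import org.apache.wicket.Session;
import org.apache.wicket.protocol.https.HttpsConfig;
import org.apache.wicket.protocol.https.HttpsRequestCycleProcessor;
import org.apache.wicket.request.RequestParameters;

/**
 * Illustrative subclass (not Wicket's own code): resolve the target first and
 * bind the Wicket session to an HttpSession only if checkSecure() decided that
 * a protocol switch (http <-> https) is required. A request for a stateless
 * page that already arrived on the right protocol then creates no HttpSession,
 * so an unauthenticated client hammering a stateless login page no longer
 * allocates server-side session state on every hit.
 */
public class LazyBindHttpsRequestCycleProcessor extends HttpsRequestCycleProcessor
{
    public LazyBindHttpsRequestCycleProcessor(HttpsConfig config)
    {
        super(config);
    }

    @Override
    public IRequestTarget resolve(RequestCycle rc, RequestParameters rp)
    {
        // Resolve without touching the session; stateless targets stay stateless.
        IRequestTarget target = super.resolve(rc, rp);
        IRequestTarget checked = checkSecure(target);

        // Assumption: checkSecure() hands back the same instance when the target
        // needs no switch, and a different (redirecting) target when it does.
        boolean switchRequired = checked != target;
        if (switchRequired)
        {
            // The redirect has not been sent yet (the target is executed later in
            // the request cycle), so binding here still persists the session
            // before the browser moves between http and https.
            Session.get().bind();
        }
        return checked;
    }
}
```

Install it from the application's newRequestCycleProcessor() override, e.g. returning new LazyBindHttpsRequestCycleProcessor(new HttpsConfig(80, 443)) (port numbers assumed). In a deployment like the reporter's, where every page is served over https, checkSecure() never requests a switch, so a session is created only once a stateful page is rendered.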