[ https://issues.apache.org/jira/browse/WICKET-2629?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12904182#action_12904182 ]

Daniel Peters commented on WICKET-2629:
---------------------------------------

I also think that a Session should only be created in case of a protocol switch.
If no switch is necessary, the RequestCycleProcessor should do nothing...


> HttpsRequestCycleProcessor causes HttpSession to be created
> -----------------------------------------------------------
>
>                 Key: WICKET-2629
>                 URL: https://issues.apache.org/jira/browse/WICKET-2629
>             Project: Wicket
>          Issue Type: Bug
>    Affects Versions: 1.4.4
>            Reporter: Damien Hollis
>            Assignee: Igor Vaynberg
>             Fix For: 1.4.6
>
>
> The HttpsRequestCycleProcessor has the following code:
>       public IRequestTarget resolve(RequestCycle rc, RequestParameters rp)
>       {
>               // we need to persist the session before a redirect to https so the session lasts across
>               // both http and https calls.
>               Session.get().bind();
>               IRequestTarget target = super.resolve(rc, rp);
>               return checkSecure(target);
>       }
> The Session.get().bind() causes an HttpSession to be created even if the 
> target page is stateless.  In our application all our pages are https and our 
> login page is stateless.  Because the session is created anyway, we are now 
> exposed to a DoS attack.
> I don't really see why a HttpSession needs to be forced here.  If the page is 
> stateful, then a session will be created anyway.  If the current page is 
> stateless but the user had already navigated stateful pages, then a session 
> will be present again.  Is there a scenario where it is important to force the 
> session creation?   Can a mechanism be provided that will disable this 
> behaviour?

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
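One way to apply the suggestion above (bind only on a protocol switch), as an added example that is neither Wicket's own code nor the fix that shipped in 1.4.6: a hypothetical subclass that resolves the target first and calls Session.bind() only when checkSecure() has substituted a redirecting target. It assumes the Wicket 1.4 package names shown, that HttpsRequestCycleProcessor takes an HttpsConfig, and that checkSecure() returns the original target unchanged when no switch is needed.

```java
import org.apache.wicket.IRequestTarget;
import org.apache.wicket.RequestCycle;
import org.apache.wicket.Session;
import org.apache.wicket.protocol.https.HttpsConfig;
import org.apache.wicket.protocol.https.HttpsRequestCycleProcessor;
import org.apache.wicket.request.RequestParameters;

/**
 * Hypothetical processor that defers Session.bind() until a protocol switch
 * is actually about to happen. A stateless page served on the correct scheme
 * therefore never forces HttpSession creation, which removes the per-request
 * session allocation the report describes as a DoS exposure.
 */
public class LazyBindHttpsRequestCycleProcessor extends HttpsRequestCycleProcessor
{
    public LazyBindHttpsRequestCycleProcessor(HttpsConfig config)
    {
        super(config);
    }

    @Override
    public IRequestTarget resolve(RequestCycle rc, RequestParameters rp)
    {
        // Resolve first without touching the session at all.
        IRequestTarget target = super.resolve(rc, rp);
        IRequestTarget secured = checkSecure(target);

        // Assumption: checkSecure() hands back the very same target when the
        // request is already on the required scheme, and a new redirecting
        // target when a switch between http and https is required.
        boolean switching = secured != target;

        if (switching && Session.get().isTemporary())
        {
            // Only now persist the session so it survives the http<->https
            // redirect; stateful pages will bind it themselves anyway.
            Session.get().bind();
        }
        return secured;
    }
}
```

Register it from the application's newRequestCycleProcessor() in place of HttpsRequestCycleProcessor; stateless login pages served over https then leave JSESSIONID unset until something stateful is touched.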
