[ https://issues.apache.org/jira/browse/WICKET-2903?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12907734#action_12907734 ]

Hudson commented on WICKET-2903:
--------------------------------

Integrated in Apache Wicket 1.5.x #316 (See [https://hudson.apache.org/hudson/job/Apache%20Wicket%201.5.x/316/])
    WICKET-2903 CLONE -HttpsRequestCycleProcessor causes HttpSession to be created
    WICKET-3016 Port to 1.5

    Port to 1.5 the https config flag whether to bind the Session before going https or not.


> CLONE -HttpsRequestCycleProcessor causes HttpSession to be created
> ------------------------------------------------------------------
>
>                 Key: WICKET-2903
>                 URL: https://issues.apache.org/jira/browse/WICKET-2903
>             Project: Wicket
>          Issue Type: Bug
>    Affects Versions: 1.4.8
>            Reporter: Tino Kissig
>            Assignee: Igor Vaynberg
>             Fix For: 1.4.11
>
>         Attachments: WICKET-2903.patch
>
>
> The HttpsRequestCycleProcessor has the following code:
>
>     public IRequestTarget resolve(RequestCycle rc, RequestParameters rp)
>     {
>         // we need to persist the session before a redirect to https so the session lasts across
>         // both http and https calls.
>         Session.get().bind();
>         IRequestTarget target = super.resolve(rc, rp);
>         return checkSecure(target);
>     }
>
> The Session.get().bind() causes an HttpSession to be created even if the 
> target page is stateless.  In our application all our pages are https and our 
> login page is stateless.  Because the session is created anyway, we are now 
> exposed to a DoS attack.
> I don't really see why a HttpSession needs to be forced here.  If the page is 
> stateful, then a session will be created anyway.  If the current page is 
> stateless but the user had already navigated stateful pages, then a session 
> will be present again.  Is there a scenario where it is important to force the 
> session creation?   Can a mechanism be provided that will disable this 
> behaviour?

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
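The quoted description points out that the unconditional Session.get().bind() in resolve() turns every anonymous hit on a stateless https login page into a server-side session, and the 1.5 port adds a configuration flag to make that binding optional. The stand-alone Java program below is an added illustration for this thread, not Wicket's code and not the attached patch: it models that decision with hypothetical classes (SessionStore, HttpsConfig, Processor, RequestTarget) and counts how many sessions a burst of anonymous requests to a stateless target creates under each setting. It does not use the Wicket API; the flag name bindSessionBeforeHttpsRedirect is an assumption chosen for the demo.

```java
import java.util.function.BooleanSupplier;

/**
 * Stand-alone model (not Wicket code) of the session-binding decision that
 * HttpsRequestCycleProcessor.resolve() makes before redirecting to https.
 * All class, field and method names here are hypothetical and exist only for this demo.
 */
public class HttpsSessionBindingDemo {

    /** A page request; stateless pages never need a server-side session. */
    interface RequestTarget {
        boolean isStateless();
    }

    /** Stand-in for the servlet container's session store; counts how many sessions get created. */
    static final class SessionStore {
        private int created = 0;
        private boolean boundForCurrentClient = false;

        /** Mirrors Session.bind(): creates an HttpSession if the current client has none yet. */
        void bind() {
            if (!boundForCurrentClient) {
                boundForCurrentClient = true;
                created++;
            }
        }

        /** Hypothetical: the next request comes from a fresh client carrying no session cookie. */
        void nextAnonymousClient() {
            boundForCurrentClient = false;
        }

        int createdSessions() {
            return created;
        }
    }

    /** Hypothetical config switch, analogous to the "bind the Session before going https" flag. */
    static final class HttpsConfig {
        final boolean bindSessionBeforeHttpsRedirect;

        HttpsConfig(boolean bindSessionBeforeHttpsRedirect) {
            this.bindSessionBeforeHttpsRedirect = bindSessionBeforeHttpsRedirect;
        }
    }

    /** Hypothetical processor: resolve() decides whether to bind, render() models the page itself. */
    static final class Processor {
        private final HttpsConfig config;
        private final SessionStore store;

        Processor(HttpsConfig config, SessionStore store) {
            this.config = config;
            this.store = store;
        }

        RequestTarget resolve(RequestTarget target) {
            if (config.bindSessionBeforeHttpsRedirect) {
                // original behaviour: a session is forced for every request, stateless or not
                store.bind();
            }
            return target;
        }

        void render(RequestTarget target) {
            // a stateful page binds its own session during rendering, so it needs no help from resolve()
            if (!target.isStateless()) {
                store.bind();
            }
        }
    }

    /** Sessions created by `requests` anonymous requests to one target under the given flag setting. */
    static int sessionsCreated(boolean bindBeforeRedirect, boolean statelessTarget, int requests) {
        SessionStore store = new SessionStore();
        Processor processor = new Processor(new HttpsConfig(bindBeforeRedirect), store);
        RequestTarget target = () -> statelessTarget;
        for (int i = 0; i < requests; i++) {
            store.nextAnonymousClient();                 // constructed input: each hit has no cookie
            processor.render(processor.resolve(target));
        }
        return store.createdSessions();
    }

    public static void main(String[] args) {
        int n = 10_000; // constructed burst of anonymous requests, e.g. to a stateless login page
        System.out.println("stateless page, bind forced : " + sessionsCreated(true, true, n) + " sessions");
        System.out.println("stateless page, bind lazy   : " + sessionsCreated(false, true, n) + " sessions");
        System.out.println("stateful page,  bind forced : " + sessionsCreated(true, false, n) + " sessions");
        System.out.println("stateful page,  bind lazy   : " + sessionsCreated(false, false, n) + " sessions");
    }
}
```

The two stateful runs create the same number of sessions regardless of the flag, which is the reporter's argument that forcing the bind buys nothing for stateful pages; the two stateless runs differ by exactly the number of anonymous requests, which is the memory the reporter is worried about. When checking a real deployment, the equivalent measurement is the container's active-session count during a load test against the stateless login page.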
