[ https://issues.apache.org/jira/browse/WICKET-2903?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12907734#action_12907734 ]
Hudson commented on WICKET-2903:
--------------------------------

Integrated in Apache Wicket 1.5.x #316 (See [https://hudson.apache.org/hudson/job/Apache%20Wicket%201.5.x/316/])
    WICKET-2903 CLONE -HttpsRequestCycleProcessor causes HttpSession to be created
    WICKET-3016 Port to 1.5

    Port to 1.5 the https config flag whether to bind the Session before going https or not.

> CLONE -HttpsRequestCycleProcessor causes HttpSession to be created
> ------------------------------------------------------------------
>
>                 Key: WICKET-2903
>                 URL: https://issues.apache.org/jira/browse/WICKET-2903
>             Project: Wicket
>          Issue Type: Bug
>    Affects Versions: 1.4.8
>            Reporter: Tino Kissig
>            Assignee: Igor Vaynberg
>             Fix For: 1.4.11
>
>         Attachments: WICKET-2903.patch
>
>
> The HttpsRequestCycleProcessor has the following code:
>
>     public IRequestTarget resolve(RequestCycle rc, RequestParameters rp)
>     {
>         // we need to persist the session before a redirect to https so the session lasts across
>         // both http and https calls.
>         Session.get().bind();
>         IRequestTarget target = super.resolve(rc, rp);
>         return checkSecure(target);
>     }
>
> The Session.get().bind() causes an HttpSession to be created even if the target page is stateless. In our application all our pages are https and our login page is stateless. Because the session is created anyway, we are now exposed to a DoS attack.
>
> I don't really see why an HttpSession needs to be forced here. If the page is stateful, then a session will be created anyway. If the current page is stateless but the user had already navigated stateful pages, then a session will be present again. Is there a scenario where it is important to force the session creation? Can a mechanism be provided that will disable this behaviour?

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.