Referrer Leaking with ExternalLink
----------------------------------

                 Key: WICKET-3469
                 URL: https://issues.apache.org/jira/browse/WICKET-3469
             Project: Wicket
          Issue Type: Bug
          Components: wicket
    Affects Versions: 1.4.15
            Reporter: Holger Jaekel


When cookies are turned off, the jsessionid is included in the URL of the 
Wicket application, e.g. 
http://localhost:8080/wicket-app/;jsessionid=03A529631FB1B9BA35556EA02519DF99?x=cOa8p3ycZvK*eAoEOzxHjg

ExternalLink renders links like <a href="http://www.google.de/">Google</a> 

When the user clicks on such an external link, the browser puts the current URL 
(including the session id) into the Referrer HTTP header. This is a security 
issue. Instead, the ExternalLink should use a redirect to open the external URL.

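The leak described in the report, as an added example that is not part of the original issue or of Wicket's code: a Python check that finds requests which left the application's host with a Referer still carrying the `;jsessionid=` path parameter, plus a helper that removes that parameter from a URL. The function names, the `localhost:8080` host argument and the request list are assumptions constructed for illustration; the session id is the one quoted in the report.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Path parameter a servlet container appends when it tracks the session in the URL.
SESSION_PARAM = re.compile(r";jsessionid=([^;/?#]*)", re.IGNORECASE)


def strip_session_id(url):
    """Return url without any ;jsessionid=... path parameter."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(path=SESSION_PARAM.sub("", parts.path)))


def find_referer_leaks(requests, app_host):
    """Return (external_host, session_id) for each request that left app_host
    with a Referer still carrying the application's session id."""
    leaks = []
    for target_url, referer in requests:
        if not referer:
            continue  # no Referer header was sent
        ref = urlsplit(referer)
        target_host = urlsplit(target_url).netloc
        match = SESSION_PARAM.search(ref.path)
        if ref.netloc == app_host and target_host != app_host and match:
            leaks.append((target_host, match.group(1)))
    return leaks


# Constructed sample: (requested URL, Referer header) pairs as an outbound
# proxy or the external site's access log would record them.
APP_URL = ("http://localhost:8080/wicket-app/;jsessionid="
           "03A529631FB1B9BA35556EA02519DF99?x=cOa8p3ycZvK*eAoEOzxHjg")
SAMPLE_REQUESTS = [
    ("http://www.google.de/", APP_URL),                    # click on the ExternalLink
    ("http://localhost:8080/wicket-app/?x=abc", APP_URL),  # same-site navigation
    ("http://www.google.de/", strip_session_id(APP_URL)),  # Referer without session id
    ("http://www.google.de/", None),                       # no Referer sent
]

if __name__ == "__main__":
    for host, sid in find_referer_leaks(SAMPLE_REQUESTS, "localhost:8080"):
        print(f"session id {sid} disclosed to {host}")
```

Only the first sample entry is reported: it is the one case where the Referer comes from the application, goes to another host, and still contains the session id.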