[ https://issues.apache.org/jira/browse/WICKET-3469?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Pedro Santos resolved WICKET-3469. ---------------------------------- Resolution: Not A Problem > Referrer Leaking with ExternalLink > ---------------------------------- > > Key: WICKET-3469 > URL: https://issues.apache.org/jira/browse/WICKET-3469 > Project: Wicket > Issue Type: Bug > Components: wicket > Affects Versions: 1.4.15 > Reporter: Holger Jaekel > Attachments: WICKET-3469.zip > > > When Cookies are turned off, the jsessionid is included in the URL of the > wicket application, e.g. > http://localhost:8080/wicket-app/;jsessionid=03A529631FB1B9BA35556EA02519DF99?x=cOa8p3ycZvK*eAoEOzxHjg > ExternalLink renders links like <a href="http://www.google.de/">Google</a> > When the user clicks on such an external link, the browser puts the current > URL (including the session id) into the Referrer HTTP header. This is an > security issue. Instead, the ExternalLink should use a redirect to open the > external url. -- This message is automatically generated by JIRA. - For more information on JIRA, see: http://www.atlassian.com/software/jira