[ https://issues.apache.org/jira/browse/WICKET-3469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12998062#comment-12998062 ]

Igor Vaynberg commented on WICKET-3469:
---------------------------------------

nevermind, i see. i think martijn is correct, if you do not want to show the 
referer - which will contain jsessionid, use a normal link and redirect to the 
external url.

> Referrer Leaking with ExternalLink
> ----------------------------------
>
>                 Key: WICKET-3469
>                 URL: https://issues.apache.org/jira/browse/WICKET-3469
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.4.15
>            Reporter: Holger Jaekel
>         Attachments: WICKET-3469.zip
>
>
> When Cookies are turned off, the jsessionid is included in the URL of the 
> wicket application, e.g. 
> http://localhost:8080/wicket-app/;jsessionid=03A529631FB1B9BA35556EA02519DF99?x=cOa8p3ycZvK*eAoEOzxHjg
> ExternalLink renders links like <a href="http://www.google.de/">Google</a> 
> When the user clicks on such an external link, the browser puts the current 
> URL (including the session id) into the Referrer HTTP header. This is a 
> security issue. Instead, the ExternalLink should use a redirect to open the 
> external url.

-- 
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
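
The leak described in the issue can be found and scrubbed on the logging side. The following is an added example, not part of the original thread or of Wicket: it finds `;jsessionid=` path parameters in a URL and redacts them from the Referer field of access-log lines. The Apache combined log format, the function names and the sample lines are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# ";jsessionid=<value>" path parameter; the value runs to the next ';' or '/'.
# Matched case-insensitively here to be conservative (a choice of this example).
_JSESSIONID = re.compile(r";jsessionid=([^;/]*)", re.IGNORECASE)

# Tail of a combined-format line: status, size, "referer", "user-agent".
_COMBINED_TAIL = re.compile(r'" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$')


def session_ids_in_url(url):
    """Return the session ids carried as path parameters in url."""
    # urlsplit keeps ';params' inside .path, so every path segment is checked.
    return _JSESSIONID.findall(urlsplit(url).path)


def redact_url(url):
    """Return url with each jsessionid value replaced by REDACTED."""
    parts = urlsplit(url)
    clean_path = _JSESSIONID.sub(";jsessionid=REDACTED", parts.path)
    return urlunsplit(parts._replace(path=clean_path))


def scrub_log_line(line):
    """Return (line with its Referer redacted, True if a session id was found)."""
    m = _COMBINED_TAIL.search(line)
    if not m or not session_ids_in_url(m.group(3)):
        return line, False
    start, end = m.span(3)
    return line[:start] + redact_url(m.group(3)) + line[end:], True


# Constructed sample lines; the first Referer reuses the URL quoted in the issue.
PAGE_URL = ("http://localhost:8080/wicket-app/"
            ";jsessionid=03A529631FB1B9BA35556EA02519DF99?x=cOa8p3ycZvK*eAoEOzxHjg")
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Feb/2011:10:00:00 +0000] "GET / HTTP/1.1" 200 512 '
    '"' + PAGE_URL + '" "Mozilla/5.0"',
    '192.0.2.11 - - [22/Feb/2011:10:00:05 +0000] "GET /about HTTP/1.1" 200 734 '
    '"http://localhost:8080/wicket-app/home" "Mozilla/5.0"',
    '192.0.2.12 - - [22/Feb/2011:10:00:09 +0000] "GET / HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for raw in SAMPLE_LOG:
        scrubbed, leaked = scrub_log_line(raw)
        print("LEAK " if leaked else "ok   ", scrubbed)
```
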

        
