[ https://issues.apache.org/jira/browse/WICKET-3469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12998432#comment-12998432 ]

Igor Vaynberg commented on WICKET-3469:
---------------------------------------

fwiw this is not going to work either:

 <p>
+ * <strong>Note</strong>: in the case when the support for cookies in the 
browser is disabled the
+ * user's jsessionid will leak in the 'Referrer' header after clicking this 
link. If this is a
+ * problem for the application then better use {@link Link} which redirects to 
the new URL using
+ * {@link RedirectToUrlException}.

the referer will then have the ;jsessionid=ABCD/?wicket:interface=.... url

in order to truly fix this one would have to redirect to a shared stateless resource that performs the redirect to the link url

so a link has to redirect to /wicket/resource/my-redirect-resource?url=my-final-destination, letting the resource there perform the final redirect and making sure that the above url does not have jsessionid in it by either building the url to it manually or not passing it through the response.encodeURL() method.

this is not trivial, but it's also not unique to wicket. all java applications have to do this dance if they don't want jsessionid in their urls.

> Referrer Leaking with ExternalLink
> ----------------------------------
>
>                 Key: WICKET-3469
>                 URL: https://issues.apache.org/jira/browse/WICKET-3469
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.4.15
>            Reporter: Holger Jaekel
>            Assignee: Martin Grigorov
>             Fix For: 1.4.17, 1.5-RC3
>
>         Attachments: WICKET-3469.zip
>
>
> When Cookies are turned off, the jsessionid is included in the URL of the wicket application, e.g.
> http://localhost:8080/wicket-app/;jsessionid=03A529631FB1B9BA35556EA02519DF99?x=cOa8p3ycZvK*eAoEOzxHjg
> ExternalLink renders links like <a href="http://www.google.de/">Google</a>
> When the user clicks on such an external link, the browser puts the current URL (including the session id) into the Referrer HTTP header. This is a security issue. Instead, the ExternalLink should use a redirect to open the external url.
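The scheme Igor sketches above (link to a shared, stateless redirect resource whose own URL is built by hand so the container never appends ;jsessionid=, then let the resource issue the final redirect) is worked through below as an added, self-contained example. It is not code from the Wicket project or from this thread; the resource path /wicket/resource/my-redirect-resource comes from the comment, while the destination allowlist, the session id "ABCD" and the emulated encodeURL() rewriting are constructed for the example. Two caveats a practitioner would want are built in: the resource validates the destination against an allowlist, because a "?url=" forwarder is otherwise an open redirect; and the 302 response carries Referrer-Policy: no-referrer, because browsers generally carry the original page's Referer through a redirect chain, so the intermediate hop alone does not remove the session id from it.

```python
import re
from urllib.parse import urlsplit, urlunsplit, urlencode, parse_qs

# Mount point of the shared stateless redirect resource, as named in the comment.
REDIRECT_RESOURCE_PATH = "/wicket/resource/my-redirect-resource"

# Constructed allowlist: the resource only forwards to hosts the application knows.
ALLOWED_HOSTS = {"www.google.de", "example.org"}

# Servlet containers encode the session as a path parameter: /path;jsessionid=...
JSESSIONID_RE = re.compile(r";jsessionid=[^/?#]*", re.IGNORECASE)


def simulate_container_encode_url(url: str, session_id: str) -> str:
    """Constructed emulation of response.encodeURL() when cookies are disabled:
    the container appends ;jsessionid=<id> to the path. Passing the redirect
    resource URL through this is exactly what must be avoided."""
    parts = urlsplit(url)
    path = parts.path + ";jsessionid=" + session_id
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, parts.fragment))


def strip_session_id(url: str) -> str:
    """Remove any ;jsessionid=... path parameter from a URL that was already
    rewritten, e.g. by a filter or tag library outside the developer's control."""
    return JSESSIONID_RE.sub("", url)


def build_redirect_url(destination: str) -> str:
    """Build the link target by hand: resource path plus the final destination
    as a query parameter. Nothing here consults the session, so no id leaks."""
    url = REDIRECT_RESOURCE_PATH + "?" + urlencode({"url": destination})
    if JSESSIONID_RE.search(url):
        # Defensive: the destination itself must not smuggle a session id in.
        raise ValueError("session id must not appear in the redirect link")
    return url


def handle_redirect_request(request_target: str) -> tuple[int, dict]:
    """The stateless resource. Parses ?url=, validates the destination and
    answers with a 302. Returns (status, headers); no session is touched."""
    parts = urlsplit(request_target)
    dest = parse_qs(parts.query).get("url", [None])[0]
    if not dest:
        return 400, {}
    d = urlsplit(dest)
    if d.scheme not in ("http", "https") or d.hostname not in ALLOWED_HOSTS:
        # Open-redirect guard: refuse destinations outside the allowlist.
        return 400, {}
    return 302, {
        "Location": dest,
        # Ask the browser not to send a Referer on the follow-up request.
        "Referrer-Policy": "no-referrer",
        "Cache-Control": "no-store",
    }


if __name__ == "__main__":
    link = build_redirect_url("http://www.google.de/")
    print("rendered link target :", link)
    print("after encodeURL()    :", simulate_container_encode_url(link, "ABCD"))
    print("resource response    :", handle_redirect_request(link))
    print("rejected destination :", handle_redirect_request(
        REDIRECT_RESOURCE_PATH + "?" + urlencode({"url": "http://evil.example/"})))
```

Running the script shows the contrast the comment draws: the hand-built link has no session id, the emulated encodeURL() pass injects one into the same URL, and the resource answers the clean link with a 302 while refusing a destination that is not on the allowlist.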
