[ https://issues.apache.org/jira/browse/WICKET-5775?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sven Meier updated WICKET-5775:
-------------------------------

    Description:
See http://markmail.org/message/twbipkcmc5v6rto7 :
--------------------------------
Hi all,

during implementing the login in my current project I came across WICKET-1767[1] which deals with session fixation problems, but to my surprise it looks like the newly created method is not called automatically by Wicket. If I search the code base for "replaceSession(" I only get one result, the method itself.

Is there any reason why Wicket doesn't call the method automatically? Looks to me like AuthenticatedWebSession.signIn would be a good place to call it automatically. When should I call it instead, at the beginning of AuthenticatedWebSession.authenticate? This would prevent session fixation even if an exception got thrown during the authentication itself for any reason.

  was:
See http://markmail.org/message/twbipkcmc5v6rto7:
--------------------------------
Hi all,

during implementing the login in my current project I came across WICKET-1767[1] which deals with session fixation problems, but to my surprise it looks like the newly created method is not called automatically by Wicket. If I search the code base for "replaceSession(" I only get one result, the method itself.

Is there any reason why Wicket doesn't call the method automatically? Looks to me like AuthenticatedWebSession.signIn would be a good place to call it automatically. When should I call it instead, at the beginning of AuthenticatedWebSession.authenticate? This would prevent session fixation even if an exception got thrown during the authentication itself for any reason.
> Replace the session upon successful signin for better support for Session Fixation
> ----------------------------------------------------------------------------------
>
>                 Key: WICKET-5775
>                 URL: https://issues.apache.org/jira/browse/WICKET-5775
>             Project: Wicket
>          Issue Type: Improvement
>          Components: wicket-auth-roles
>    Affects Versions: 6.18.0, 7.0.0-M4
>            Reporter: Martin Grigorov
>            Assignee: Martin Grigorov
>            Priority: Minor
>             Fix For: 7.0.0-M5, 6.19.0
>

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
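The pattern proposed in the quoted message, as an added example that is neither Wicket's own code nor the reporter's: an AuthenticatedWebSession subclass that calls Session.replaceSession() at the top of authenticate(), so the session id a browser carried into the login request is discarded whether the credential check succeeds, fails or throws. signIn() is final in AuthenticatedWebSession, which is why the hook lives in authenticate(). The package, the class name and the in-memory credential table are assumptions made for the example.

```java
package com.example.auth; // hypothetical package, not part of Wicket

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Map;

import org.apache.wicket.Session;
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.request.Request;

/**
 * Session that rotates its id before checking credentials. A pre-login id an
 * attacker may have planted (session fixation) is invalidated on every login
 * attempt, including one that ends in an exception.
 */
public class FixationSafeSession extends AuthenticatedWebSession
{
    private static final long serialVersionUID = 1L;

    // Constructed sample credential table for the example only. A real
    // application keeps a salted, slow password hash in its own user store.
    private static final Map<String, String> USERS =
        Collections.singletonMap("alice", "correct horse battery staple");

    private Roles roles = new Roles();

    public FixationSafeSession(Request request)
    {
        super(request);
    }

    public static FixationSafeSession get()
    {
        return (FixationSafeSession) Session.get();
    }

    @Override
    public boolean authenticate(String username, String password)
    {
        // Rotate first. Per its Javadoc, replaceSession() invalidates the
        // underlying (Web)Session and binds this Wicket session to a new one,
        // so the response to this login request carries a fresh JSESSIONID.
        replaceSession();

        String expected = USERS.get(username);
        if (expected == null || password == null)
        {
            return false;
        }
        // Constant-time comparison so a wrong password does not leak how many
        // leading bytes matched.
        boolean ok = MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8),
            password.getBytes(StandardCharsets.UTF_8));
        if (ok)
        {
            roles = new Roles(Roles.USER);
        }
        return ok;
    }

    @Override
    public Roles getRoles()
    {
        return isSignedIn() ? roles : new Roles();
    }
}
```

Wire it in by overriding WebApplication.newSession(Request, Response) to return new FixationSafeSession(request). To confirm the rotation, compare the JSESSIONID cookie sent with the login POST against the Set-Cookie header on its response in a proxy or the browser's developer tools; the two values must differ, and the old value must no longer be accepted by the application.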