Kamil created WICKET-6416:
-----------------------------
Summary: AuthenticatedWebSession doesn't follow OWASP guidelines
Key: WICKET-6416
URL: https://issues.apache.org/jira/browse/WICKET-6416
Project: Wicket
Issue Type: Bug
Components: wicket
Affects Versions: 8.0.0-M6
Reporter: Kamil
As
[OWASP|https://www.owasp.org/index.php/Testing_for_Session_Fixation_(OTG-SESS-003)]
states, a new JSESSIONID should always be created after successful
authentication.
Currently, the "signIn" method of AuthenticatedWebSession calls "bind()", where
a session is created only if none exists yet:
{code}
if (store.lookup(request) == null)
{
    // explicitly create a session
    id = store.getSessionId(request, true);
    // bind it
    store.bind(request, this);
}
{code}
which doesn't follow OWASP guidelines and creates a security threat.
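For illustration, the following added example (not Wicket's code, and not part of the report above) shows the plain-servlet form of the weak sign-in described here next to one that rotates the session id after authentication; the Authenticator interface and the method names are hypothetical, and Servlet 3.1's HttpServletRequest.changeSessionId() is assumed to be available.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Added illustration (not Wicket code): a sign-in that keeps the
// pre-authentication session id versus one that regenerates it.
public final class SignInSessionHandling {

    /** Hypothetical credential check; a real app verifies against a user store. */
    interface Authenticator {
        boolean check(String username, String password);
    }

    /**
     * Weak form, mirroring the behaviour reported above: the session is only
     * created if none exists, so an id fixed before login survives it.
     */
    static String signInKeepingSessionId(HttpServletRequest request, Authenticator auth,
                                         String username, String password) {
        if (!auth.check(username, password)) {
            return null;
        }
        HttpSession session = request.getSession(true); // reuses an existing session
        session.setAttribute("user", username);
        return session.getId();
    }

    /**
     * Hardened form: once credentials are accepted, rotate the session id
     * (Servlet 3.1 changeSessionId() keeps attributes; invalidate() followed by
     * getSession(true) is the pre-3.1 fallback and drops them), then record
     * the principal in the fresh session.
     */
    static String signInRotatingSessionId(HttpServletRequest request, Authenticator auth,
                                          String username, String password) {
        if (!auth.check(username, password)) {
            return null;
        }
        String before = request.getSession(true).getId();
        String after = request.changeSessionId();
        if (after.equals(before)) {
            // Defensive check: a container that did not rotate leaves the fixation risk in place.
            throw new IllegalStateException("session id was not regenerated after sign-in");
        }
        request.getSession(false).setAttribute("user", username);
        return after;
    }
}
```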
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)