Kamil created WICKET-6416:
-----------------------------

Summary: AuthenticatedWebSession doesn't follow OWASP guidelines
Key: WICKET-6416
URL: https://issues.apache.org/jira/browse/WICKET-6416
Project: Wicket
Issue Type: Bug
Components: wicket
Affects Versions: 8.0.0-M6
Reporter: Kamil
As [OWASP|https://www.owasp.org/index.php/Testing_for_Session_Fixation_(OTG-SESS-003)] states, a new JSESSIONID should always be created after successful authentication. Currently AuthenticatedWebSession in the "signIn" method calls "bind()", where a session is created only if

{code}
if (store.lookup(request) == null)
{
	// explicitly create a session
	id = store.getSessionId(request, true);

	// bind it
	store.bind(request, this);
}
{code}

which doesn't follow OWASP guidelines and causes a security threat

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
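As an added illustration, not part of the report or of Wicket's own code: a plain Servlet API helper that does what the report asks for, dropping the identifier the client held before login and issuing a fresh one once authentication succeeds. The class name, the "carry all attributes over" policy and the use of javax.servlet are assumptions.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper: rotate the container session after a successful login. */
public final class SessionRotation {

    private SessionRotation() {}

    /**
     * Issues a new JSESSIONID so that any identifier the browser presented
     * before authenticating (and that a third party might also know) stops
     * being valid. Attributes written before login are carried over.
     */
    public static HttpSession rotateAfterLogin(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old == null) {
            // No pre-authentication session existed, so the id the container
            // generates now was never exposed before login.
            return request.getSession(true);
        }
        // Copy state that should survive the login (locale, cart, ...).
        Map<String, Object> carried = new HashMap<>();
        Enumeration<String> names = old.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            carried.put(name, old.getAttribute(name));
        }
        // Invalidate the old id and create a new one; the container sends
        // the new cookie in the response. On Servlet 3.1+ containers,
        // request.changeSessionId() does this in one call and keeps attributes.
        old.invalidate();
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Call it only after the credentials have been verified; rotating on every request would defeat the session entirely.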