[ https://issues.apache.org/jira/browse/WICKET-6416?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16073499#comment-16073499 ]

Kamil commented on WICKET-6416:
-------------------------------

By the way - is it intended that even if I have a stateless page 
(setStatelessHint(true), setVersioned(false), page.isPageStateless() returns 
true) the JSESSIONID is the same on each page refresh?

> AuthenticatedWebSession doesn't follow OWASP guidelines
> -------------------------------------------------------
>
>                 Key: WICKET-6416
>                 URL: https://issues.apache.org/jira/browse/WICKET-6416
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 8.0.0-M6
>            Reporter: Kamil
>
> As 
> [OWASP|https://www.owasp.org/index.php/Testing_for_Session_Fixation_(OTG-SESS-003)]
>  states, new JSESSIONID should always be created after successful 
> authentication.
> Currently AuthenticatedWebSession in the "signIn" method calls "bind()", where 
> a session is created only if
> {code}
> if (store.lookup(request) == null)
> {
>       // explicitly create a session
>       id = store.getSessionId(request, true);
>       // bind it
>       store.bind(request, this);
> }
> {code}
> which doesn't follow OWASP guidelines and causes a security threat



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
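The quoted description shows the pattern at issue (a session is created only when the request carries none, so an id that arrived with the request survives authentication) and why OWASP's OTG-SESS-003 requires the id to change on login. As an added illustration, not code from Wicket or from this issue, here is a small Python model of both behaviours run through the fixation scenario that test describes: an attacker obtains a valid unauthenticated id, plants it in the victim's browser, and replays it after the victim logs in. The store, class and user names are constructed for the demo. In Wicket itself the invalidate-and-rebind step is `Session.replaceSession()`; that call is not exercised here.

```python
"""Model of the session-fixation issue described in WICKET-6416.

Constructed example: a minimal in-memory session store, a sign-in that
binds the request's existing session (the pattern quoted in the issue), and
a sign-in that rotates the session id on successful authentication, as
OWASP recommends. Nothing here is Wicket code; names are illustrative.
"""
import hmac
import secrets

# Constructed credential table for the demo (never store plaintext in practice).
USERS = {"alice": "correct horse battery staple"}


def authenticate(username, password):
    """Constant-time comparison against the demo credential table."""
    expected = USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


class SessionStore:
    """Maps session id -> attribute dict, standing in for the servlet container."""

    def __init__(self):
        self.sessions = {}

    def lookup(self, session_id):
        """Return the id if the request carries a live session, else None."""
        return session_id if session_id in self.sessions else None

    def create(self):
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = {}
        return session_id

    def invalidate(self, session_id):
        """Drop the session and hand back its attributes for carry-over."""
        return self.sessions.pop(session_id, {})


class BindOnlyIfMissingSession:
    """sign_in() keeps whatever session id arrived with the request (the quoted pattern)."""

    def __init__(self, store, request_session_id=None):
        self.store = store
        self.id = request_session_id

    def bind(self):
        # Mirrors the quoted bind(): create a session only when the request has none.
        if self.store.lookup(self.id) is None:
            self.id = self.store.create()

    def sign_in(self, username, password):
        if not authenticate(username, password):
            return False
        self.bind()
        self.store.sessions[self.id]["user"] = username
        return True


class RotateOnLoginSession(BindOnlyIfMissingSession):
    """sign_in() always discards the pre-authentication id and issues a fresh one."""

    def sign_in(self, username, password):
        if not authenticate(username, password):
            return False
        # Invalidate the id the client presented (it may be attacker-chosen),
        # mint a new one, and carry over any pre-login attributes.
        old_attributes = self.store.invalidate(self.id) if self.id else {}
        self.id = self.store.create()
        self.store.sessions[self.id].update(old_attributes)
        self.store.sessions[self.id]["user"] = username
        return True


def fixation_attack(session_cls):
    """Run the OTG-SESS-003 scenario: attacker plants a known id, victim logs in."""
    store = SessionStore()
    planted = store.create()              # attacker obtains a valid, unauthenticated id
    victim = session_cls(store, planted)  # ...and gets it into the victim's browser
    assert victim.sign_in("alice", USERS["alice"])
    # The attacker now replays the planted id: is it an authenticated session?
    hijacked_user = store.sessions.get(planted, {}).get("user")
    return {
        "planted": planted,
        "after_login": victim.id,
        "attacker_sees_user": hijacked_user,
    }


if __name__ == "__main__":
    for cls in (BindOnlyIfMissingSession, RotateOnLoginSession):
        result = fixation_attack(cls)
        rotated = result["after_login"] != result["planted"]
        print(f"{cls.__name__}: id rotated={rotated}, "
              f"attacker sees user={result['attacker_sees_user']!r}")
```

With the bind-only-if-missing behaviour the victim's authenticated session keeps the planted id, so the attacker's replay lands on a session whose `user` is `alice`; with rotation the planted id is gone from the store after login and the replay hits nothing. The same check is what a tester performs against a real deployment: capture the cookie before login, log in, and confirm the value differs.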