[ https://issues.apache.org/jira/browse/WICKET-6416?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16075931#comment-16075931 ]
Martin Grigorov commented on WICKET-6416:
-----------------------------------------

I believe this has been done once and it broke some applications and then has been reverted. Someone has to find the old ticket.

> AuthenticatedWebSession doesn't follow OWASP guidelines
> -------------------------------------------------------
>
>                 Key: WICKET-6416
>                 URL: https://issues.apache.org/jira/browse/WICKET-6416
>             Project: Wicket
>          Issue Type: Improvement
>          Components: wicket
>    Affects Versions: 8.0.0-M6
>            Reporter: Kamil
>            Priority: Minor
>
> As [OWASP|https://www.owasp.org/index.php/Testing_for_Session_Fixation_(OTG-SESS-003)] states, a new JSESSIONID should always be created after successful authentication.
>
> Currently AuthenticatedWebSession in the "signIn" method calls "bind()", where a session is created only if
> {code}
> if (store.lookup(request) == null)
> {
>     // explicitly create a session
>     id = store.getSessionId(request, true);
>     // bind it
>     store.bind(request, this);
> }
> {code}
> which doesn't follow OWASP guidelines and causes a security threat.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
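An application-level mitigation for the issue described in the ticket, as an added example (not code from the ticket, from Wicket, or from Martin's comment): a subclass of AuthenticatedWebSession regenerates the session id in authenticate(), using Wicket's own Session.replaceSession() (present in Wicket 6 and later; it invalidates the current HttpSession and binds a fresh one), so that by the time signIn() reaches bind() the pre-authentication id is already gone. The class name, the field names and the checkCredentials() placeholder are assumptions.

```java
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.request.Request;

// Assumed class name; not part of Wicket or of the ticket.
public class RegeneratingWebSession extends AuthenticatedWebSession {

    private String user;

    public RegeneratingWebSession(Request request) {
        super(request);
    }

    @Override
    protected boolean authenticate(String username, String password) {
        // Assumed credential check; a real application delegates to its
        // user store (hashed passwords, constant-time comparison).
        if (!checkCredentials(username, password)) {
            return false;
        }
        // The id the visitor held *before* authenticating; null if Wicket
        // has not bound a session yet (temporary session).
        String preAuthId = getId();

        // Wicket's API for exactly this purpose: invalidates the current
        // HttpSession and binds this Wicket session to a new one. Calling it
        // here, before signIn() calls bind(), sidesteps bind()'s
        // "create only if none exists" check quoted in the ticket.
        replaceSession();

        // Defensive check: if the container handed back the same id, the
        // regeneration did not take effect; refuse the login rather than
        // continue on a session whose id predates authentication.
        if (preAuthId != null && preAuthId.equals(getId())) {
            return false;
        }
        user = username;
        return true;
    }

    @Override
    public Roles getRoles() {
        return isSignedIn() ? new Roles(Roles.USER) : new Roles();
    }

    public String getUser() {
        return user;
    }

    // Placeholder (assumed): replace with the application's real check.
    private boolean checkCredentials(String username, String password) {
        return username != null && password != null && !password.isEmpty();
    }
}
```

Because the comment above notes that a framework-level change was tried and reverted, this per-application call is the portable way to get OWASP's post-login id rotation without depending on a particular Wicket release.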