[jira] [Commented] (WICKET-6416) AuthenticatedWebSession doesn't follow OWASP guidelines

2017-07-19 Thread Kamil (JIRA)

[ https://issues.apache.org/jira/browse/WICKET-6416?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16093706#comment-16093706 ]

Kamil commented on WICKET-6416:
---

I'll do that, but I must also configure wicket-spring-boot, wicket-bootstrap etc. ;)

> AuthenticatedWebSession doesn't follow OWASP guidelines
> ---
>
> Key: WICKET-6416
> URL: https://issues.apache.org/jira/browse/WICKET-6416
> Project: Wicket
>  Issue Type: Improvement
>  Components: wicket
>Affects Versions: 8.0.0-M6
>Reporter: Kamil
>Priority: Minor
>
> As [OWASP|https://www.owasp.org/index.php/Testing_for_Session_Fixation_(OTG-SESS-003)]
> states, a new JSESSIONID should always be created after successful authentication.
> Currently AuthenticatedWebSession, in its "signIn" method, calls "bind()", where
> a session is created only if
> {code}
> if (store.lookup(request) == null)
> {
>   // explicitly create a session
>   id = store.getSessionId(request, true);
>   // bind it
>   store.bind(request, this);
> }
> {code}
> which doesn't follow OWASP guidelines and causes a security threat



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


[jira] [Commented] (WICKET-6416) AuthenticatedWebSession doesn't follow OWASP guidelines

2017-07-19 Thread Martin Grigorov (JIRA)

[ https://issues.apache.org/jira/browse/WICKET-6416?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16093701#comment-16093701 ]

Martin Grigorov commented on WICKET-6416:
-

Please use http://wicket.apache.org/start/quickstart.html






[jira] [Commented] (WICKET-6416) AuthenticatedWebSession doesn't follow OWASP guidelines

2017-07-19 Thread Kamil (JIRA)

[ https://issues.apache.org/jira/browse/WICKET-6416?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16093692#comment-16093692 ]

Kamil commented on WICKET-6416:
---

As soon as I manage to find time to prepare your "quickstart" with my 
configuration, because I still have about 7 reproducible bugs to show you ;)






[jira] [Commented] (WICKET-6416) AuthenticatedWebSession doesn't follow OWASP guidelines

2017-07-19 Thread Martin Grigorov (JIRA)

[ https://issues.apache.org/jira/browse/WICKET-6416?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16093687#comment-16093687 ]

Martin Grigorov commented on WICKET-6416:
-

Pull Requests are welcome!






[jira] [Commented] (WICKET-6416) AuthenticatedWebSession doesn't follow OWASP guidelines

2017-07-19 Thread Kamil (JIRA)

[ https://issues.apache.org/jira/browse/WICKET-6416?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16093676#comment-16093676 ]

Kamil commented on WICKET-6416:
---

[~mgrigorov], so maybe it is worth mentioning in the documentation (section
22.1.3, listing 2) that:
{code}
if(authResult){
   session.replaceSession(); //if you want to follow OWASP guidelines
   continueToOriginalDestination();
}
{code}






[jira] [Commented] (WICKET-6416) AuthenticatedWebSession doesn't follow OWASP guidelines

2017-07-07 Thread Martin Grigorov (JIRA)

[ https://issues.apache.org/jira/browse/WICKET-6416?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16077937#comment-16077937 ]

Martin Grigorov commented on WICKET-6416:
-

The ticket is WICKET-5775.
I think we should not do it even for Wicket 8.0.
This broke several scenarios and brought no big benefit.
Each application can call #replaceSession() after successful authentication if 
it is safe to be done.




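Putting Kamil's snippet and Martin's advice together, here is an added example of what "each application can call #replaceSession() after successful authentication" looks like on a login page. It is not code from the Wicket project or from either commenter. The page class, the component ids `loginForm`, `username` and `password`, the error message, and the assumption that the application's session class extends `AuthenticatedWebSession` are mine; `AuthenticatedWebSession#signIn`, `Session#replaceSession` and `Component#continueToOriginalDestination` are the Wicket API names the thread itself refers to.

```java
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.markup.html.form.PasswordTextField;
import org.apache.wicket.markup.html.form.TextField;
import org.apache.wicket.model.PropertyModel;

// Added example, not Wicket's own code. Assumes the application's session
// class extends AuthenticatedWebSession (so AuthenticatedWebSession.get() works)
// and that LoginPage.html contains a form with the ids used below.
public class LoginPage extends WebPage
{
    private static final long serialVersionUID = 1L;

    // Backing fields for the two form inputs, bound through PropertyModel.
    private String username;
    private String password;

    public LoginPage()
    {
        Form<Void> form = new Form<Void>("loginForm")
        {
            private static final long serialVersionUID = 1L;

            @Override
            protected void onSubmit()
            {
                AuthenticatedWebSession session = AuthenticatedWebSession.get();

                // signIn() delegates to the application's authenticate() and
                // binds the Wicket session; it does NOT change the JSESSIONID
                // when an HTTP session already existed before the login.
                boolean authResult = session.signIn(username, password);

                if (authResult)
                {
                    // Rotate the session id only on success: invalidate the
                    // pre-authentication HttpSession and re-bind this Wicket
                    // session to a fresh one. Any id a third party could have
                    // learned or planted before login is no longer valid.
                    session.replaceSession();

                    // Redirect to the page that triggered the login, if any;
                    // otherwise fall through to the home page.
                    continueToOriginalDestination();
                    setResponsePage(getApplication().getHomePage());
                }
                else
                {
                    // Failed attempts keep the existing (unauthenticated)
                    // session; there is nothing to rotate yet.
                    error("Invalid username or password");
                }
            }
        };

        form.add(new TextField<>("username", new PropertyModel<String>(this, "username")));
        form.add(new PasswordTextField("password", new PropertyModel<String>(this, "password")));
        add(form);
    }
}
```

Two points the thread implies but does not spell out. First, `replaceSession()` must run before `continueToOriginalDestination()`, because that call ends request processing with a redirect and the response to the login POST is where the new session cookie has to be set. Second, Martin's "if it is safe to be done" is the real constraint: `replaceSession()` invalidates the current HttpSession, so anything an application has stored in that HttpSession outside Wicket's own `Session` object does not survive the call, which is why the thread leaves the decision to each application instead of putting it into `signIn()`. The corresponding check for the OWASP test the issue cites is simple: the `Set-Cookie` header on the response to a successful login must carry a JSESSIONID different from the one sent with the request; if the values match, the application is still open to session fixation.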


[jira] [Commented] (WICKET-6416) AuthenticatedWebSession doesn't follow OWASP guidelines

2017-07-06 Thread Kamil (JIRA)

[ https://issues.apache.org/jira/browse/WICKET-6416?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16077071#comment-16077071 ]

Kamil commented on WICKET-6416:
---

But with the new release of Wicket - you can do that change! :)






[jira] [Commented] (WICKET-6416) AuthenticatedWebSession doesn't follow OWASP guidelines

2017-07-05 Thread Martin Grigorov (JIRA)

[ https://issues.apache.org/jira/browse/WICKET-6416?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16075931#comment-16075931 ]

Martin Grigorov commented on WICKET-6416:
-

I believe this has been done once and it broke some applications and then has 
been reverted. Someone has to find the old ticket.






[jira] [Commented] (WICKET-6416) AuthenticatedWebSession doesn't follow OWASP guidelines

2017-07-04 Thread Kamil (JIRA)

[ https://issues.apache.org/jira/browse/WICKET-6416?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16073499#comment-16073499 ]

Kamil commented on WICKET-6416:
---

By the way - is it intended that even if I have a stateless page
(setStatelessHint(true), setVersioned(false), page.isPageStateless() returns
true) the JSESSIONID is the same on each page refresh?

> AuthenticatedWebSession doesn't follow OWASP guidelines
> ---
>
> Key: WICKET-6416
> URL: https://issues.apache.org/jira/browse/WICKET-6416
> Project: Wicket
>  Issue Type: Bug
>  Components: wicket
>Affects Versions: 8.0.0-M6
>Reporter: Kamil
>
> As [OWASP|https://www.owasp.org/index.php/Testing_for_Session_Fixation_(OTG-SESS-003)]
> states, a new JSESSIONID should always be created after successful authentication.
> Currently AuthenticatedWebSession, in its "signIn" method, calls "bind()", where
> a session is created only if
> {code}
> if (store.lookup(request) == null)
> {
>   // explicitly create a session
>   id = store.getSessionId(request, true);
>   // bind it
>   store.bind(request, this);
> }
> {code}
> which doesn't follow OWASP guidelines and causes a security threat


