[jira] [Commented] (WICKET-6416) AuthenticatedWebSession doesn't follow OWASP guidelines
[ https://issues.apache.org/jira/browse/WICKET-6416?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16093706#comment-16093706 ]

Kamil commented on WICKET-6416:
-------------------------------

I'll do so, but I must also configure wicket-spring-boot, wicket-bootstrap etc ;)

> AuthenticatedWebSession doesn't follow OWASP guidelines
> ---
>
> Key: WICKET-6416
> URL: https://issues.apache.org/jira/browse/WICKET-6416
> Project: Wicket
> Issue Type: Improvement
> Components: wicket
> Affects Versions: 8.0.0-M6
> Reporter: Kamil
> Priority: Minor
>
> As [OWASP|https://www.owasp.org/index.php/Testing_for_Session_Fixation_(OTG-SESS-003)] states, a new JSESSIONID should always be created after successful authentication.
> Currently AuthenticatedWebSession in the "signIn" method calls "bind()", where the session is created only if
> {code}
> if (store.lookup(request) == null)
> {
>     // explicitly create a session
>     id = store.getSessionId(request, true);
>     // bind it
>     store.bind(request, this);
> }
> {code}
> which doesn't follow OWASP guidelines and causes a security threat

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[ https://issues.apache.org/jira/browse/WICKET-6416?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16093701#comment-16093701 ]

Martin Grigorov commented on WICKET-6416:
-----------------------------------------

Please use http://wicket.apache.org/start/quickstart.html
[ https://issues.apache.org/jira/browse/WICKET-6416?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16093692#comment-16093692 ]

Kamil commented on WICKET-6416:
-------------------------------

As soon as I manage to find time to prepare your "quickstart" with my configuration, because I still have about 7 reproducible bugs to show you ;)
[ https://issues.apache.org/jira/browse/WICKET-6416?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16093687#comment-16093687 ]

Martin Grigorov commented on WICKET-6416:
-----------------------------------------

Pull Requests are welcome!
[ https://issues.apache.org/jira/browse/WICKET-6416?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16093676#comment-16093676 ]

Kamil commented on WICKET-6416:
-------------------------------

[~mgrigorov], so maybe it is worth mentioning in the documentation (section 22.1.3, listing 2) that:

{code}
if (authResult) {
    session.replaceSession(); // if you want to follow OWASP guidelines
    continueToOriginalDestination();
}
{code}
[ https://issues.apache.org/jira/browse/WICKET-6416?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16077937#comment-16077937 ]

Martin Grigorov commented on WICKET-6416:
-----------------------------------------

The ticket is WICKET-5775. I think we should not do it even for Wicket 8.0. This broke several scenarios and brought no big benefit. Each application can call #replaceSession() after successful authentication if it is safe to do so.
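The per-application id rotation Martin describes and the replaceSession() call Kamil proposes in his snippet, as an added example that is not part of this thread or of the Wicket project: an AuthenticatedWebSession subclass that regenerates the servlet session id right after a successful sign-in, so an id handed to the browser before login stops being valid. The class name, the signInAndRotateId wrapper and the credential map are assumptions; signIn(), replaceSession(), isSignedIn() and Roles are Wicket 8 API.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Map;

import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.request.Request;

public class RotatingAuthenticatedSession extends AuthenticatedWebSession {

    // Constructed placeholder credential store (username -> password); a real
    // application would verify a salted password hash from its user store.
    private static final Map<String, String> USERS =
        Collections.singletonMap("alice", "correct horse battery staple");

    public RotatingAuthenticatedSession(Request request) {
        super(request);
    }

    @Override
    protected boolean authenticate(String username, String password) {
        String expected = USERS.get(username);
        if (expected == null || password == null) {
            return false;
        }
        // constant-time comparison so timing does not reveal how much matched
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     password.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public Roles getRoles() {
        return isSignedIn() ? new Roles(Roles.USER) : new Roles();
    }

    /**
     * signIn() is final, so the rotation lives in a wrapper (hypothetical name).
     * On success, replaceSession() invalidates the current servlet session and
     * binds this Wicket session object to a fresh one, so the browser receives
     * a new JSESSIONID. State kept on this Session object survives the rebind;
     * anything stored directly as HttpSession attributes does not, which is the
     * kind of breakage the thread mentions, so call it before rendering anything.
     *
     * From a login form's onSubmit():
     *   if (((RotatingAuthenticatedSession) getSession()).signInAndRotateId(u, p)) {
     *       continueToOriginalDestination();
     *       setResponsePage(getApplication().getHomePage());
     *   }
     */
    public boolean signInAndRotateId(String username, String password) {
        boolean authenticated = signIn(username, password);
        if (authenticated) {
            replaceSession();
        }
        return authenticated;
    }
}
```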
[ https://issues.apache.org/jira/browse/WICKET-6416?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16077071#comment-16077071 ]

Kamil commented on WICKET-6416:
-------------------------------

But with the new release of Wicket - you can do that change! :)
[ https://issues.apache.org/jira/browse/WICKET-6416?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16075931#comment-16075931 ]

Martin Grigorov commented on WICKET-6416:
-----------------------------------------

I believe this has been done once and it broke some applications and then has been reverted. Someone has to find the old ticket.
[ https://issues.apache.org/jira/browse/WICKET-6416?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16073499#comment-16073499 ]

Kamil commented on WICKET-6416:
-------------------------------

By the way - is it intended that even if I have a stateless page (setStatelessHint(true), setVersioned(false), page.isPageStateless() returns true) the JSESSIONID is the same on each page refresh?

> AuthenticatedWebSession doesn't follow OWASP guidelines
> ---
>
> Key: WICKET-6416
> URL: https://issues.apache.org/jira/browse/WICKET-6416
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 8.0.0-M6
> Reporter: Kamil
>
> As [OWASP|https://www.owasp.org/index.php/Testing_for_Session_Fixation_(OTG-SESS-003)] states, a new JSESSIONID should always be created after successful authentication.
> Currently AuthenticatedWebSession in the "signIn" method calls "bind()", where the session is created only if
> {code}
> if (store.lookup(request) == null)
> {
>     // explicitly create a session
>     id = store.getSessionId(request, true);
>     // bind it
>     store.bind(request, this);
> }
> {code}
> which doesn't follow OWASP guidelines and causes a security threat