Re: Password in url after page recreation

2021-07-20 Thread Bas Gooren
Hi Claudia,

I have never seen this in our applications - we always use a form POST to
submit user login details.
The only reason I can think of that would lead to your case is when you set
the form to submit using a GET request. That would put the fields in the
URL and thus in wicket’s page parameters, which are reused
when recreateBookmarkablePagesAfterExpiry is true and the page expired.

Did you by any chance specify a method=“GET” attribute on your form?

Met vriendelijke groet,
Kind regards,

Bas Gooren

On 20 July 2021 at 21:46:07, Claudia Hirt (claudiabec...@gmx.de) wrote:

> Hi all,
>
> we are currently facing some issues with the
> recreateBookmarkablePagesAfterExpiry option.
> We set this option to true, the user visits the login page and enters
> username and password (""). Now the user
> waits for the login till the session expires. Wicket forces a page recreate
> and appends the password into the url (e.g.
> http://localhost:8080/app?user:unit:textfield=user:password="password;).
>
> This seems to be a security issue on our side. Unfortunately we can't
> disable the recreateBookmarkablePagesAfterExpiry option due to some resource
> loading issues.
>
> We already thought about what we can do to solve this issue, and it seems
> to be possible to remove this parameter from the page parameters (which are
> called for the rewrite url after a page expires).
> But before we implement this workaround we want to ask you guys if you
> already have seen this issue and if yes, if you have any better solutions?
>
> Thanks for your help...
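
An added example, not code from this thread or from the Wicket project: a login page that forces the form to POST, as the reply above suggests, and also applies the workaround from the quoted question by dropping credential fields from the page parameters before the page is built. The class name `LoginPage`, the component ids, the `SENSITIVE_IDS` set and the `withoutCredentials` helper are assumptions, and a matching `LoginPage.html` is assumed to exist.

```java
import java.util.Locale;
import java.util.Set;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.markup.html.form.PasswordTextField;
import org.apache.wicket.markup.html.form.TextField;
import org.apache.wicket.model.Model;
import org.apache.wicket.request.mapper.parameter.PageParameters;

public class LoginPage extends WebPage {
    // Assumption: component ids whose submitted values must never appear in a URL.
    private static final Set<String> SENSITIVE_IDS = Set.of("password");

    public LoginPage(PageParameters parameters) {
        // Defence in depth: the page only ever sees, and later renders URLs
        // from, a copy of the parameters with credential fields removed.
        super(withoutCredentials(parameters));
        Form<Void> form = new Form<Void>("loginForm") {
            @Override
            protected String getMethod() {
                // Always POST, even if the markup says method="get".
                return METHOD_POST;
            }
            @Override
            protected void onSubmit() {
                // Authenticate here (application specific).
            }
        };
        form.add(new TextField<>("username", Model.of("")));
        form.add(new PasswordTextField("password", Model.of("")));
        add(form);
    }

    // Input names are component paths such as "user:password"; compare the last segment.
    static PageParameters withoutCredentials(PageParameters in) {
        PageParameters out = new PageParameters();
        if (in == null) {
            return out;
        }
        out.mergeWith(in);
        for (String key : in.getNamedKeys()) {
            String id = key.substring(key.lastIndexOf(':') + 1).toLowerCase(Locale.ROOT);
            if (SENSITIVE_IDS.contains(id)) {
                out.remove(key);
            }
        }
        return out;
    }
}
```

The POST override is the actual fix; the parameter filter only keeps a password out of the recreated page's URL if a GET submission still gets through. In that case the original GET request has already carried the password in its query string, so access logs and browser history need checking as well.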


Password in url after page recreation

2021-07-20 Thread Claudia Hirt

> Hi all,
>
> we are currently facing some issues with the recreateBookmarkablePagesAfterExpiry
> option.
> We set this option to true, the user visits the login page and enters
> username and password (""). Now the user waits
> for the login till the session expires. Wicket forces a page recreate and
> appends the password into the url (e.g.
> http://localhost:8080/app?user:unit:textfield=user:password="password;).
> This seems to be a security issue on our side. Unfortunately we can't
> disable the recreateBookmarkablePagesAfterExpiry option due to some resource
> loading issues.
>
> We already thought about what we can do to solve this issue, and it seems to
> be possible to remove this parameter from the page parameters (which are
> called for the rewrite url after a page expires).
> But before we implement this workaround we want to ask you guys if you
> already have seen this issue and if yes, if you have any better solutions?
>
> Thanks for your help...


RestartResponseException ajaxbutton

2021-07-20 Thread Francois Meillet
I have two pages (identical) called PageOne and PageTwo, each with a form, 
mounted with an UnVersionedUrlMapper.

When I do a RestartResponseException in the submit (via an AjaxButton) to the 
same page (from pageOne to pageOne),
the PageOne's constructor is called twice. (onInitialize is called once)

But if I throw RestartResponseException (via an AjaxButton) from pageOne to 
pageTwo the PageTwo's constructor is called once or if I throw 
RestartResponseException (via a standard Button) from pageOne to pageOne the 
pageOne's constructor is called once.


Tested with all the 9.x


Here is the test in UnVersionedUrlMapper#mapHandler:

    // Listener requests are not mapped by this mapper; everything else is
    // delegated to the parent mapper.
    if (requestHandler instanceof ListenerRequestHandler
            || requestHandler instanceof BookmarkableListenerRequestHandler) {
        return null;
    }
    else {
        return super.mapHandler(requestHandler);
    }


Did I miss something or am I misusing RestartResponseException?
Are the tests in the UnVersionedUrlMapper wrong?

Thanks for your help.



François


