Removing jsessionid

2015-07-22 Thread Ephraim Rosenfeld
Hello Team Wicket:

We are in the process of getting our web application approved for a security 
clearance.

Two related issues are:

1.   The presence of a jsessionid in the url when the application loads

2.   Maintaining the same jsessionid cookie after login (Session Fixation)

A quick search pointed me to the following two fixes for these issues, 
respectively:

1.   Removing jsessionid from the url: Used for search engine bots - 
https://cwiki.apache.org/confluence/display/WICKET/SEO+-+Search+Engine+Optimization

2.   Invalidating the current session  upon authentication and then 
creating a new session: 
http://stackoverflow.com/questions/8162646/how-to-refresh-jsessionid-cookie-after-login

Both of these tips were posted a while ago, so I wanted to reach out to the 
community to see if other approaches are recommended.

BTW we are using Glassfish 4.

Thank you,

- ER


Re: Removing jsessionid

2015-07-22 Thread Serban.Balamaci
Hi,
1. You can remove the sessionid from the URL and have it stored in a cookie
without any change to your app code. This is more of a web container setup;
it's not really Wicket that should be handling that. With Servlet 3.0 you can
tell your web container how it should handle it in the web.xml file of your
app, like

http://www.e-zest.net/blog/new-session-management-features-in-servlet-3-0/ 

Notice the COOKIE option.

Look into having it as "HttpOnly" also; it means the cookie value cannot be
read from JS, so you'd want that turned on also to minimize the damage in
case of an XSS vulnerability in your site.

2. Actually Wicket already comes with session fixation protection: if you
look in the Session class, the method Session.replaceSession() has it
explained in the Javadoc.

So say you have a LoginForm with a

    public void submit() {
        User user = userDao.getUser(username, password);
        if (user != null) { // pardon the stupidest authorization
            // we're destroying the old session and recreating a new one -
            // a new sessionid is returned to the user
            Session.get().replaceSession();
            AppSession newSession = (AppSession) Session.get();
            newSession.setUser(user);
        } else {
            error("Wrong username/pass");
        }
    }

--
View this message in context: 
http://apache-wicket.1842946.n4.nabble.com/Removing-jessionid-tp4671649p4671650.html
Sent from the Users forum mailing list archive at Nabble.com.
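The two points in the reply above, written out as an added example (this is not code from the thread, from Wicket or from GlassFish). Point 1 is shown as the programmatic Servlet 3.0 equivalent of the web.xml settings: a ServletContextListener that restricts session tracking to cookies and marks the cookie HttpOnly and Secure. Point 2 is a Wicket WebSession subclass that calls Session.replaceSession() on successful login before any user state is stored, plus the form that drives it. The class names SessionHardeningListener, AppSession, LoginForm, UserDao (with an authenticate method) and User are assumptions; the rest are standard javax.servlet and Wicket 6/7 APIs.

```java
// File: SessionHardeningListener.java  (point 1: cookie-only tracking, HttpOnly, Secure)
// Hypothetical class, not part of the thread. Programmatic equivalent of the
// Servlet 3.0 <session-config> block in web.xml.
import java.util.EnumSet;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

@WebListener
public class SessionHardeningListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        // Cookie-only tracking: the container stops appending ;jsessionid=... to
        // URLs, so the id no longer leaks through links, Referer headers or logs.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true); // not readable from document.cookie, limits XSS impact
        cookie.setSecure(true);   // only sent over HTTPS (assumes the app is served over TLS)
        // These setters are only legal while the context is being initialised;
        // calling them later throws IllegalStateException.
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to clean up
    }
}

// File: AppSession.java  (point 2: session fixation protection)
import org.apache.wicket.Session;
import org.apache.wicket.protocol.http.WebSession;
import org.apache.wicket.request.Request;

public class AppSession extends WebSession {
    private User user; // User and UserDao are assumed application classes

    public AppSession(Request request) {
        super(request);
    }

    public static AppSession get() {
        return (AppSession) Session.get();
    }

    /** Authenticates; on success swaps the HTTP session before storing any user state. */
    public boolean login(UserDao userDao, String username, String password) {
        User authenticated = userDao.authenticate(username, password); // assumed DAO method
        if (authenticated == null) {
            return false;
        }
        // Invalidate the pre-login HTTP session and bind this Wicket session to a
        // fresh one: a session id planted before login is now worthless.
        replaceSession();
        user = authenticated;
        return true;
    }

    public User getUser() {
        return user;
    }

    public boolean isSignedIn() {
        return user != null;
    }
}

// File: LoginForm.java
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.markup.html.form.PasswordTextField;
import org.apache.wicket.markup.html.form.TextField;
import org.apache.wicket.model.IModel;
import org.apache.wicket.model.Model;

public class LoginForm extends Form<Void> {
    private final IModel<String> username = Model.of("");
    private final IModel<String> password = Model.of("");
    private final UserDao userDao; // assumed to be a serialization-safe reference (e.g. an injected proxy)

    public LoginForm(String id, UserDao userDao) {
        super(id);
        this.userDao = userDao;
        add(new TextField<>("username", username));
        add(new PasswordTextField("password", password));
    }

    @Override
    protected void onSubmit() {
        if (AppSession.get().login(userDao, username.getObject(), password.getObject())) {
            setResponsePage(getApplication().getHomePage());
        } else {
            error("Wrong username/password"); // same message for unknown user and wrong password
        }
    }
}
```

For the listener to matter, the application must actually be served over TLS, otherwise the Secure flag means the cookie is never sent. For AppSession to be used, the WebApplication subclass has to override newSession(Request, Response) to return new AppSession(request). The declarative equivalent of the listener in web.xml is a session-config element containing tracking-mode COOKIE and a cookie-config with http-only and secure set to true. To confirm the fixation fix works, compare the JSESSIONID value in the browser before and after a successful login; it should change.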
