Re: Why doesn't Wicket seem to call Session.replaceSession automatically?
Hello Martin Grigorov,

on Monday, 24 November 2014 at 20:44 you wrote:

> https://issues.apache.org/jira/browse/WICKET-5775

Thanks a lot, I didn't have the time yet to create it on my own.

Kind regards,

Thorsten Schöning

--
Thorsten Schöning E-Mail: thorsten.schoen...@am-soft.de
AM-SoFT IT-Systeme http://www.AM-SoFT.de/

Phone...05151- 9468- 55
Fax...05151- 9468- 88
Mobile..0178-8 9468- 04

AM-SoFT GmbH IT-Systeme, Brandenburger Str. 7c, 31789 Hameln
AG Hannover HRB 207 694 - Managing Director: Andreas Muchow

To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
Why doesn't Wicket seem to call Session.replaceSession automatically?
Hi all,

while implementing the login in my current project I came across WICKET-1767[1] which deals with session fixation problems, but to my surprise it looks like the newly created method is not called automatically by Wicket. If I search the code base for replaceSession( I only get one result, the method itself.

Is there any reason why Wicket doesn't call the method automatically? Looks to me like AuthenticatedWebSession.signIn would be a good place to call it automatically.

When should I call it instead, at the beginning of AuthenticatedWebSession.authenticate? This would prevent session fixation even if an exception got thrown during the authentication itself for any reason.

[1]: https://issues.apache.org/jira/browse/WICKET-1767

Kind regards,

Thorsten Schöning
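One way to wire in the call the question asks about, renewing the session once sign-in has succeeded. This is an added example, not code from the thread or from Wicket itself: `FixationSafeSession`, `signInAndRenew` and `LoginForm` are hypothetical names, and the page flow after login is an assumption.

```java
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.markup.html.form.PasswordTextField;
import org.apache.wicket.markup.html.form.TextField;
import org.apache.wicket.model.Model;
import org.apache.wicket.request.Request;

/** Hypothetical base class: subclasses still supply authenticate() and getRoles(). */
public abstract class FixationSafeSession extends AuthenticatedWebSession {
    private static final long serialVersionUID = 1L;

    protected FixationSafeSession(Request request) {
        super(request);
    }

    /**
     * Wraps signIn(): once the credentials are accepted, the container session
     * that existed before login is replaced, so a session identifier fixed
     * before authentication no longer refers to the signed-in session.
     */
    public boolean signInAndRenew(String username, String password) {
        boolean accepted = signIn(username, password);
        if (accepted) {
            replaceSession();
        }
        return accepted;
    }

    /** Hypothetical login form that goes through the wrapper instead of signIn(). */
    public static class LoginForm extends Form<Void> {
        private static final long serialVersionUID = 1L;
        private final TextField<String> username = new TextField<>("username", Model.of(""));
        private final PasswordTextField password = new PasswordTextField("password", Model.of(""));

        public LoginForm(String id) {
            super(id);
            add(username, password);
        }

        @Override
        protected void onSubmit() {
            FixationSafeSession session = (FixationSafeSession) AuthenticatedWebSession.get();
            if (session.signInAndRenew(username.getModelObject(), password.getModelObject())) {
                continueToOriginalDestination(); // returns only if no page was intercepted
                setResponsePage(getApplication().getHomePage());
            } else {
                error("Sign-in failed");
            }
        }
    }
}
```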
Re: Why doesn't Wicket seem to call Session.replaceSession automatically?
Hi,

wicket-auth-roles module was designed and advertised as an example rather than an extension for security best practices. But I agree with you that we could add that feature there. Please create a ticket at JIRA. Preferably with a patch or pull request at GitHub. Thank you!

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Mon, Nov 24, 2014 at 10:55 AM, Thorsten Schöning tschoen...@am-soft.de wrote:

> Hi all,
>
> while implementing the login in my current project I came across WICKET-1767[1] which deals with session fixation problems, but to my surprise it looks like the newly created method is not called automatically by Wicket. If I search the code base for replaceSession( I only get one result, the method itself.
>
> Is there any reason why Wicket doesn't call the method automatically? Looks to me like AuthenticatedWebSession.signIn would be a good place to call it automatically.
>
> When should I call it instead, at the beginning of AuthenticatedWebSession.authenticate? This would prevent session fixation even if an exception got thrown during the authentication itself for any reason.
>
> [1]: https://issues.apache.org/jira/browse/WICKET-1767
>
> Kind regards,
>
> Thorsten Schöning
Re: Why doesn't Wicket seem to call Session.replaceSession automatically?
https://issues.apache.org/jira/browse/WICKET-5775

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Mon, Nov 24, 2014 at 11:36 AM, Martin Grigorov mgrigo...@apache.org wrote:

> Hi,
>
> wicket-auth-roles module was designed and advertised as an example rather than an extension for security best practices. But I agree with you that we could add that feature there. Please create a ticket at JIRA. Preferably with a patch or pull request at GitHub. Thank you!
>
> Martin Grigorov
> Wicket Training and Consulting
> https://twitter.com/mtgrigorov
>
> On Mon, Nov 24, 2014 at 10:55 AM, Thorsten Schöning tschoen...@am-soft.de wrote:
>
> > Hi all,
> >
> > while implementing the login in my current project I came across WICKET-1767[1] which deals with session fixation problems, but to my surprise it looks like the newly created method is not called automatically by Wicket. If I search the code base for replaceSession( I only get one result, the method itself.
> >
> > Is there any reason why Wicket doesn't call the method automatically? Looks to me like AuthenticatedWebSession.signIn would be a good place to call it automatically.
> >
> > When should I call it instead, at the beginning of AuthenticatedWebSession.authenticate? This would prevent session fixation even if an exception got thrown during the authentication itself for any reason.
> >
> > [1]: https://issues.apache.org/jira/browse/WICKET-1767
> >
> > Kind regards,
> >
> > Thorsten Schöning