Old sessions are not cleaned up with the DiskPageStore?
What is not cleaned up?
johan
--
View this message in context:
http://www.nabble.com/How-to-protect-against-Session-Fixation-attacks--tp18734278p18869780.html
Sent from the Wicket - User mailing list archive at Nabble.com
In addition, it appears that the old sessions that get invalidated at login time
are not cleaned up.
Any suggestions/starting points would be most welcome
Many thanks
Mike
--
View this message in context:
http://www.nabble.com/How-to-protect-against-Session-Fixation-attacks--tp18734278p18868111.html
Sent from the Wicket - User mailing list archive at Nabble.com
that it can get all the pages back that it wants, so for that the new window detection is by default not enabled.
We've invested some more research on this topic because session.invalidate
didn't work and came up with a solution. We've created a JIRA ticket
regarding this topic to document our solution.
https://issues.apache.org/jira/browse/WICKET-1767
Regards
Enes F.
On Wed, Jul 30, 2008 at 5:59 PM, Igor
Hi wicket users,
we are currently in the process of securing our Wicket-powered
application against various attack vectors. One of them is Session
Fixation, as described here:
http://www.owasp.org/index.php/Session_Fixation
The recommended protection in Java is to invalidate the Session before
doing that should be fine, just make sure that after login you
redirect to a bookmarkable url which will then create a new session.
so

    getSession().invalidate();             // drop the pre-login session (and its id)
    loginUser();                           // the application's own login step
    getRequestCycle().setRequestTarget(new BookmarkablePageRequestTarget(...));
    getRequestCycle().setRedirect(true);   // redirect, so the next request starts a fresh session
-igor
On Wed, Jul 30, 2008 at 7:15 AM,