https://issues.apache.org/jira/browse/WICKET-1767
On Tue, Aug 5, 2008 at 4:18 PM, Igor Vaynberg <[EMAIL PROTECTED]>wrote: > which jira issue? > > -igor > > On Tue, Aug 5, 2008 at 7:07 AM, RUMikeP <[EMAIL PROTECTED]> wrote: > > > > Hi > > > > I would like to second this request, as I am currently evaluating > Rational > > AppScan against a small Wicket Reference Application. Session Fixation > has > > been identified as one of the potential weaknesses, in my application. > > > > I have just read the discussion on the Jira logs, but hope by adding my > > request here, that this could somehow become part of the core in order to > > avoid each developer having to implement it in each of their > applications. > > > > Many thanks > > Mike > > > > > > > > Enes Fazli wrote: > >> > >> We've invested some more research on this topic because > session.invalidate > >> didn't work and came up with a solution. We've created a JIRA-Ticket > >> regarding this topic to document our solution. > >> > >> https://issues.apache.org/jira/browse/WICKET-1767 > >> > >> Regards > >> Enes F. > >> > >> On Wed, Jul 30, 2008 at 5:59 PM, Igor Vaynberg > >> <[EMAIL PROTECTED]>wrote: > >> > >>> doing that should be fine, just make sure that after login you > >>> redirect to a bookmarkable url which will then create a new session. > >>> > >>> so > >>> session.invalidate(); > >>> loginuser(); > >>> setrequesttarget(new bookmarkablepagetarget(...)); > >>> getrequest().setredirect(true); > >>> > >>> -igor > >>> > >>> On Wed, Jul 30, 2008 at 7:15 AM, Enes Fazli <[EMAIL PROTECTED] > > > >>> wrote: > >>> > Hi wicket users, > >>> > > >>> > we are currently in the process of securing our Wicket-powered > >>> > application against various attack vectors. One of them is Session > >>> > Fixation, as described here: > >>> > http://www.owasp.org/index.php/Session_Fixation > >>> > > >>> > The recommended protection in Java is to invalidate the Session > before > >>> > authenticating the user, with something like this: > >>> > > >>> > HttpSession s = request.getSession(false); > >>> > if (s != null) s.invalidate(); > >>> > s = request.getSession(true); > >>> > > >>> > Invalidating the session can be done with Session.get().invalidate() > >>> > or invalidateNow(), but that leaves, as far as I can tell, Wicket's > >>> > Session in a broken state, preventing the login alltogether. > >>> > > >>> > Instead of continuing to tamper with Wicket internals, is there a > >>> > solution available? > >>> > > >>> > Regards, > >>> > > >>> > Enes F. > >>> > > >>> > >>> --------------------------------------------------------------------- > >>> To unsubscribe, e-mail: [EMAIL PROTECTED] > >>> For additional commands, e-mail: [EMAIL PROTECTED] > >>> > >>> > >> > >> > > > > -- > > View this message in context: > http://www.nabble.com/How-to-protect-against-Session-Fixation-attacks--tp18734278p18831890.html > > Sent from the Wicket - User mailing list archive at Nabble.com. > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > For additional commands, e-mail: [EMAIL PROTECTED] > > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > >
