No, what you see is that by default the HTTP session store has
new-window browser detection (new pagemap).
It needs that because of the way pages are stored and rolled back.

The DiskPageStore doesn't need that; it can get all the pages back that it
wants,
so for that the new-window detection is by default not enabled.

Old sessions are not cleaned up with the DiskPageStore?
What is not cleaned up?


johan



On Thu, Aug 7, 2008 at 1:05 PM, RUMikeP <[EMAIL PROTECTED]> wrote:

>
> Hi
>
> Still busy looking into it, but using the suggested fix posted by Enes
> Fazli
> I notice two strange behaviours:
>
> If I use the default FileSessionStore, the URLs are as per normal, e.g.
> wicket:2 but if I change to HttpSessionStore then I get an additional "-0"
> appended, e.g. wicket-0:2
>
> In addition, it appears that the old sessions that get invalidated at login
> time are not cleaned up.
>
> Any suggestions/starting points would be most welcome
>
> Many thanks
> Mike
>
>
> --
> View this message in context:
> http://www.nabble.com/How-to-protect-against-Session-Fixation-attacks--tp18734278p18868111.html
> Sent from the Wicket - User mailing list archive at Nabble.com.