Many thanks for the quick response. The pre-login session files in the temp filestore directory are not removed, even after the session timeout. All the new sessions are removed as they expire, but the ones that are invalidated using the patch below remain indefinitely.
No, what you see is that by default the HTTP session store has new-window browser detection (new pagemap). It needs that because of the way pages are stored and rolled back. The DiskPageStore doesn't need that; it can get all the pages back that it wants, so for that the new window detection is by default not enabled. Old sessions are not cleaned up with the DiskPageStore? What is not cleaned up?

johan

View this message in context: http://www.nabble.com/How-to-protect-against-Session-Fixation-attacks--tp18734278p18869780.html