that is trivial to implement with 1.3.4 also

-igor

On Fri, Sep 19, 2008 at 12:51 AM, Jörn Zaefferer
<[EMAIL PROTECTED]> wrote:
> Though afaik the URL encryption will be even better with 1.3.5, where
> the encryption key is session-based, that is, per user, instead of one
> default key for everything (current 1.3.4 behaviour).
>
> Once that is released, you get unique-per-user URLs which provide
> perfect protection against CSRF without ever getting in the way of
> the application developer. Haven't seen that anywhere else!
>
> Jörn
>
> On Thu, Sep 18, 2008 at 7:15 PM, Jonathan Locke
> <[EMAIL PROTECTED]> wrote:
>>
>>
>> to be totally explicit, the third sentence should probably say "explicit
>> steps must be taken *by the programmer*" ;-)
>>
>> the last sentence is outdated as wicket provides URL encryption if you want
>> it
>>
>>
>> Johan Compagner wrote:
>>>
>>> Why is that sentence ambiguous?
>>>
>>> On 9/18/08, cj91 <[EMAIL PROTECTED]> wrote:
>>>>
>>>> My company is planning an extremely large web project and Wicket is a
>>>> candidate for use. My manager pointed out some unsettling words on the
>>>> Wicket FAQ, which are ambiguous unfortunately.
>>>> http://wicket.apache.org/features.html
>>>>
>>>>>>>Wicket is secure by default. URLs do not expose sensitive information and
>>>>>>>all component paths are session-relative. Explicit steps must be taken to
>>>>>>>share information between sessions. There are plans for the next version
>>>>>>>of Wicket to add URL encryption to support highly secure web sites.
>>>>
>>>>
>>>> Can someone please elaborate on what is meant by "Explicit steps must be
>>>> taken to share information between sessions."
>>>>
>>>> Thank you,
>>>> -Jonathan
>>>> --
>>>> View this message in context:
>>>> http://www.nabble.com/Wicket-not-secure--tp19556259p19556259.html
>>>> Sent from the Wicket - User mailing list archive at Nabble.com.
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>>>> For additional commands, e-mail: [EMAIL PROTECTED]
>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>> --
>> View this message in context: 
>> http://www.nabble.com/Wicket-not-secure--tp19556259p19557667.html
>> Sent from the Wicket - User mailing list archive at Nabble.com.
>>
>>
>>
>>
>
