And that introduced a bug or unwanted behaviour too; I will try to fix
that in the Wicket code this weekend...

If you use encrypted URLs and then your session expires, you get nasty
decoding errors in your logs because it suddenly uses another
key/seed... because of a new session. Somehow we now have to check
for this better in that strategy and throw a page expired or something
at that level already.

On 9/19/08, Jörn Zaefferer <[EMAIL PROTECTED]> wrote:
> Though afaik the URL encryption will be even better with 1.3.5, where
> the encryption key is session-based, that is, per user, instead of one
> default key for everything (current 1.3.4 behaviour).
>
> Once that is released, you get unique-per-user URLs which provide
> perfect protection against CSRF without ever getting into the way of
> the application developer. Haven't seen that anywhere else!
>
> Jörn
>
> On Thu, Sep 18, 2008 at 7:15 PM, Jonathan Locke
> <[EMAIL PROTECTED]> wrote:
>>
>>
>> to be totally explicit, the third sentence should probably say "explicit
>> steps must be taken *by the programmer*" ;-)
>>
>> the last sentence is outdated as Wicket provides URL encryption if you
>> want it
>>
>>
>> Johan Compagner wrote:
>>>
>>> Why is that sentence ambiguous?
>>>
>>> On 9/18/08, cj91 <[EMAIL PROTECTED]> wrote:
>>>>
>>>> My company is planning an extremely large web project and Wicket is a
>>>> candidate for use. My manager pointed out some unsettling words on the
>>>> Wicket FAQ, which are ambiguous unfortunately.
>>>> http://wicket.apache.org/features.html
>>>>
>>>>> Wicket is secure by default. URLs do not expose sensitive information and
>>>>> all component paths are session-relative. Explicit steps must be taken to
>>>>> share information between sessions. There are plans for the next version
>>>>> of Wicket to add URL encryption to support highly secure web sites.
>>>>
>>>>
>>>> Can someone please elaborate on what is meant by "Explicit steps must be
>>>> taken to share information between sessions."
>>>>
>>>> Thank you,
>>>> -Jonathan
>>>> --
>>>> View this message in context:
>>>> http://www.nabble.com/Wicket-not-secure--tp19556259p19556259.html
>>>> Sent from the Wicket - User mailing list archive at Nabble.com.
>>>>
>>>
>>
>

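The failure mode Johan describes above (a URL sealed under one session's key being decoded after that session has expired and a fresh session with a new key is in play), as an added Python model; this is not Wicket's own code, and the names `Session`, `seal_url`, `open_url`, `handle_request` and `PageExpiredError` are assumptions. The point is to authenticate the token with the current session's key first, so a key change surfaces as a clean "page expired" instead of a garbled decode.

```python
import base64
import hashlib
import hmac
import secrets

class PageExpiredError(Exception):
    """The URL was sealed by a session whose key this session does not have."""

class Session:
    """Constructed model: each session owns its own random URL key."""
    def __init__(self):
        self.key = secrets.token_bytes(32)

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode, used here as a simple stream cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal_url(session, url):
    """Encrypt and authenticate a URL under the session's key."""
    nonce = secrets.token_bytes(12)
    data = url.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(session.key, nonce, len(data))))
    tag = hmac.new(session.key, nonce + ct, hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()

def open_url(session, token):
    """Check the tag with *this* session's key before touching the ciphertext."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except ValueError:
        raise PageExpiredError("malformed token")
    if len(raw) < 28:
        raise PageExpiredError("truncated token")
    nonce, ct, tag = raw[:12], raw[12:-16], raw[-16:]
    expected = hmac.new(session.key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        # Different key => the sealing session is gone. Report page expired
        # instead of letting garbled plaintext blow up as a decode error.
        raise PageExpiredError("URL sealed under another session's key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(session.key, nonce, len(ct)))).decode()

def handle_request(session, token):
    """What the strategy should surface: ('ok', url) or ('expired', None)."""
    try:
        return ("ok", open_url(session, token))
    except PageExpiredError:
        return ("expired", None)
```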