I have web-site with login form in header, so the form does appear on all pages. Normally it does work insecure, so the page could be viewed insecure, but the form on it must be secure, otherwise it will send username/password over insecure http. I found in wicket wiki a solution for a page it checks page for RequiredSSL annotation and redirects if not ssl. But in my case the https should be before, in url, but not after data is sent already. I mean <form action> for login form must be "https://...". How to do it?
Also, as I understand, sessionid for insecure connection should be transferred to secure and after it the sessionid should be generated again, otherwise hacker can use this sessionid stolen from insecure connection to intrude into session data which is expected to be secure. Am I right? Is there easy way to do it in wicket? -- WBR, kan. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]