>The problem is that the application will be in internet, and is VERY easy to attack if we create a session in the login page
Are you worried about a session fixation attack? I just call Session#replaceSession():

http://wicket.apache.org/apidocs/1.5/org/apache/wicket/Session.html#replaceSession()

-Dan

On Tue, Apr 24, 2012 at 2:40 PM, Bas Gooren <b...@iswd.nl> wrote:

> It simply means there is another component on your login page which makes
> the page stateful.
>
> To find out which one, override onBeforeRender() in the login page (log is
> a slf4j Logger):
>
> @Override
> protected void onBeforeRender()
> {
>     super.onBeforeRender();
>
>     log.debug( "Stateless? {}", getSession().isTemporary() );
>
>     if( !getSession().isTemporary() && log.isTraceEnabled() )
>     {
>         // Print which component is stateful
>         visitChildren( Component.class, new IVisitor<Component>()
>         {
>             @Override
>             public Object component( Component component )
>             {
>                 if( !component.isStateless() )
>                 {
>                     log.trace( "+ Stateful: {}", component );
>                 }
>
>                 return CONTINUE_TRAVERSAL;
>             }
>         } );
>     }
> }
>
> On 24-4-2012 20:50, Alfonso Quiroga wrote:
>
>> Hi, in my job we have an application, and the LoginPage is like any
>> other page. The testing team reported that when you see the login
>> page, a new Session is being created by wicket (they see it in
>> jProfiler). I've used a StatelessForm, but the session is still being
>> created.
>>
>> The problem is that the application will be in internet, and is VERY
>> easy to attack if we create a session in the login page. The only
>> workaround I am thinking... is creating a plain html file (login), and
>> then redirect to a wicket page. Any other solution? thanks!!
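The two points in this thread combined, as an added example that is not code from the thread or from the Wicket project: a login page built only from stateless components, and a sign-in method that calls Session#replaceSession() once the credentials check out, so a session id planted before login is not carried into the authenticated session. It is written against the Wicket 1.5 API linked above; AppSession, verify(), signIn() and the component ids are hypothetical names, and the application's newSession() is assumed to return a concrete AppSession.

```java
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.form.PasswordTextField;
import org.apache.wicket.markup.html.form.StatelessForm;
import org.apache.wicket.markup.html.form.TextField;
import org.apache.wicket.model.Model;
import org.apache.wicket.protocol.http.WebSession;
import org.apache.wicket.request.Request;

// Hypothetical session class; the application's newSession() must return a subclass.
abstract class AppSession extends WebSession {
    private String username; // null until authenticated

    AppSession(Request request) { super(request); }

    // Hypothetical hook: check the credentials against your user store.
    protected abstract boolean verify(String user, String password);

    boolean signIn(String user, String password) {
        if (!verify(user, password)) return false; // nothing is replaced on failure
        // Drop the session id the browser presented and bind a fresh one
        // before any authenticated state is stored in the session.
        replaceSession();
        username = user;
        dirty(); // mark the session as changed so the store saves it again
        return true;
    }

    boolean isSignedIn() { return username != null; }
}

public class LoginPage extends WebPage {
    public LoginPage() { // default constructor keeps the page bookmarkable
        final Model<String> user = Model.of("");
        final Model<String> pass = Model.of("");
        // Only stateless components are added here; the markup is assumed to add none.
        StatelessForm<Void> form = new StatelessForm<Void>("form") {
            @Override
            protected void onSubmit() {
                AppSession session = (AppSession) getSession();
                if (session.signIn(user.getObject(), pass.getObject())) {
                    setResponsePage(getApplication().getHomePage());
                } else {
                    error("Invalid username or password");
                }
            }
        };
        form.add(new TextField<String>("username", user));
        form.add(new PasswordTextField("password", pass));
        add(form);
    }
}
```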