> The problem is that the application will be on the internet, and is VERY
> easy to attack if we create a session on the login page

Are you worried about a session fixation attack? I just call
Session#replaceSession():

http://wicket.apache.org/apidocs/1.5/org/apache/wicket/Session.html#replaceSession()

-Dan

On Tue, Apr 24, 2012 at 2:40 PM, Bas Gooren <b...@iswd.nl> wrote:

> It simply means there is another component on your login page which makes
> the page stateful.
>
> To find out which one, override onBeforeRender() in the login page (log is
> a slf4j Logger):
>
>    @Override
>    protected void onBeforeRender()
>    {
>        super.onBeforeRender();
>
>        log.debug( "Stateless? {}", getSession().isTemporary() );
>
>        if( !getSession().isTemporary() && log.isTraceEnabled() )
>        {
>            // Print which component is stateful
>            visitChildren( Component.class, new IVisitor<Component>()
>            {
>                @Override
>                public Object component( Component component )
>                {
>                    if( !component.isStateless() )
>                    {
>                        log.trace( "+ Stateful: {}", component );
>                    }
>
>                    return CONTINUE_TRAVERSAL;
>                }
>            } );
>        }
>    }
> On 24-4-2012 20:50, Alfonso Quiroga wrote:
>
>> Hi, in my job we have an application, and the LoginPage is like any
>> other page. The testing team reported that when you see the login
>> page, a new Session is being created by wicket (they see it in
>> jProfiler). I've used a StatelessForm, but the session is still being
>> created.
>>
>> The problem is that the application will be on the internet, and is VERY
>> easy to attack if we create a session on the login page. The only
>> workaround I am thinking of... is creating a plain html file (login), and
>> then redirecting to a wicket page. Any other solution? thanks!!
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
>> For additional commands, e-mail: users-h...@wicket.apache.org
>>

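As an added example (not code from anyone in this thread), here are the two points above combined into one Wicket 1.5 page: a login page kept stateless so that merely viewing it binds no session, with Session#replaceSession() called only after a successful sign-in. It assumes wicket-auth-roles (AuthenticatedWebSession) for the credential check; the class, component ids and the matching markup are hypothetical.

```java
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.markup.html.form.PasswordTextField;
import org.apache.wicket.markup.html.form.StatelessForm;
import org.apache.wicket.markup.html.form.TextField;
import org.apache.wicket.model.Model;
import org.apache.wicket.request.mapper.parameter.PageParameters;
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;

/** Stateless login page: no session is bound to render it; the session is replaced on sign-in. */
public class LoginPage extends WebPage {
    private static final String FAILED = "failed";

    public LoginPage(PageParameters parameters) {
        super(parameters);
        // A failed attempt is signalled via a page parameter, not a session-stored feedback
        // message, so rendering the error text does not bind a session either.
        add(new Label("failed", "Invalid user name or password.")
            .setVisible(!parameters.get(FAILED).isNull()));
        final TextField<String> username = new TextField<String>("username", Model.of(""));
        final PasswordTextField password = new PasswordTextField("password", Model.of(""));
        // StatelessForm posts to a bookmarkable URL, so no page version is stored for the
        // anonymous visitor; every child added to it must be stateless as well.
        StatelessForm<Void> form = new StatelessForm<Void>("login") {
            @Override
            protected void onSubmit() {
                // Assumption: the application's session class extends AuthenticatedWebSession
                // (wicket-auth-roles) and implements authenticate(username, password).
                AuthenticatedWebSession session = AuthenticatedWebSession.get();
                if (session.signIn(username.getModelObject(), password.getModelObject())) {
                    // Session fixation defence: drop the id the browser carried before
                    // authentication and bind a freshly created one (Session#replaceSession).
                    session.replaceSession();
                    setResponsePage(getApplication().getHomePage());
                } else {
                    setResponsePage(LoginPage.class, new PageParameters().add(FAILED, "1"));
                }
            }
        };
        form.add(username, password);
        add(form);
    }

    @Override
    protected void onBeforeRender() {
        super.onBeforeRender();
        // Regression guard in the spirit of the check above: a stateful child would silently
        // bind a session while the page renders, so fail loudly in development mode.
        if (!isPageStateless() && getApplication().usesDevelopmentConfig()) {
            throw new IllegalStateException("LoginPage must stay stateless; check its components");
        }
    }
}
```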