Hi all,

while implementing the login in my current project I came across
WICKET-1767[1] which deals with session fixation problems, but to my
surprise it looks like the newly created method is not called
automatically by Wicket. If I search the code base for
"replaceSession(" I only get one result, the method itself.

Is there any reason why Wicket doesn't call the method automatically?
Looks to me like AuthenticatedWebSession.signIn would be a good place
to call it automatically. When should I call it instead, at the
beginning of AuthenticatedWebSession.authenticate? This would prevent
session fixation even if an exception got thrown during the authentication
itself for any reason.

[1]: https://issues.apache.org/jira/browse/WICKET-1767

Best regards,

Thorsten Schöning

-- 
Thorsten Schöning       E-Mail: thorsten.schoen...@am-soft.de
AM-SoFT IT-Systeme      http://www.AM-SoFT.de/

Phone.............05151-  9468- 55
Fax...............05151-  9468- 88
Mobile.............0178-8 9468- 04

AM-SoFT GmbH IT-Systeme, Brandenburger Str. 7c, 31789 Hameln
AG Hannover HRB 207 694 - Managing Director: Andreas Muchow
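
The placement the message asks about, calling replaceSession() at the start of authenticate, shown as an added example that is not part of the original message or of Wicket's own code. It assumes the Wicket 1.5+ package names for the auth-roles classes; AppSession and checkCredentials are hypothetical names.

```java
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.request.Request;

// Hypothetical application session; register it through the
// application's getWebSessionClass() as usual.
public class AppSession extends AuthenticatedWebSession {
    private static final long serialVersionUID = 1L;

    public AppSession(Request request) {
        super(request);
    }

    @Override
    public boolean authenticate(String username, String password) {
        // Rotate the session id before the credentials are touched, so an
        // id that was known before login is discarded even if the check
        // below throws. Trade-off: every attempt, including a failed one,
        // ends up with a freshly bound HTTP session.
        replaceSession();
        return checkCredentials(username, password);
    }

    // Constructed placeholder for the real credential check; replace it
    // with a lookup against the application's user store.
    private boolean checkCredentials(String username, String password) {
        return "demo".equals(username) && "demo".equals(password);
    }

    @Override
    public Roles getRoles() {
        // Roles are only granted once signIn() has succeeded.
        return isSignedIn() ? new Roles(Roles.USER) : new Roles();
    }
}
```

A quick check for this placement is to compare the session cookie before and after a login request: the id issued to the anonymous visitor should no longer be accepted afterwards.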
