Hi all,

while implementing the login in my current project I came across WICKET-1767 [1], which deals with session fixation problems, but to my surprise it looks like the newly created method is not called automatically by Wicket. If I search the code base for "replaceSession(" I only get one result, the method itself.

Is there any reason why Wicket doesn't call the method automatically? It looks to me like AuthenticatedWebSession.signIn would be a good place to call it automatically. When should I call it instead, at the beginning of AuthenticatedWebSession.authenticate? This would prevent session fixation even if an exception got thrown during the authentication itself for any reason.

[1]: https://issues.apache.org/jira/browse/WICKET-1767

Kind regards,

Thorsten Schöning

--
Thorsten Schöning
E-Mail: thorsten.schoen...@am-soft.de
AM-SoFT IT-Systeme
http://www.AM-SoFT.de/
Phone: 05151- 9468- 55
Fax: 05151- 9468- 88
Mobile: 0178-8 9468- 04
AM-SoFT GmbH IT-Systeme, Brandenburger Str. 7c, 31789 Hameln
AG Hannover HRB 207 694 - Managing Director: Andreas Muchow
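
One way to wire the call the message asks about, as an added example that is not part of the original post and not Wicket's own code: the HTTP session is replaced right after a successful signIn(). It assumes the Wicket 6+ package names; RotatingWebSession, signInAndRotate and SignInForm are hypothetical names.

```java
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.markup.html.form.PasswordTextField;
import org.apache.wicket.markup.html.form.TextField;
import org.apache.wicket.model.Model;
import org.apache.wicket.request.Request;

/** Base session; the application subclass still supplies authenticate() and getRoles(). */
public abstract class RotatingWebSession extends AuthenticatedWebSession {
    private static final long serialVersionUID = 1L;

    protected RotatingWebSession(Request request) {
        super(request);
    }

    /** signIn() is final, so the rotation is wrapped around it instead of overriding it. */
    public boolean signInAndRotate(String username, String password) {
        boolean authenticated = signIn(username, password);
        if (authenticated) {
            // Drop the pre-login HTTP session and bind this Session to a new one,
            // so a session id planted before login is useless afterwards.
            replaceSession();
        }
        return authenticated;
    }
}

/** Hypothetical sign-in form that uses the wrapper above. */
class SignInForm extends Form<Void> {
    private static final long serialVersionUID = 1L;
    private final TextField<String> username = new TextField<>("username", Model.of(""));
    private final PasswordTextField password = new PasswordTextField("password", Model.of(""));

    SignInForm(String id) {
        super(id);
        add(username.setRequired(true), password);
    }

    @Override
    protected void onSubmit() {
        RotatingWebSession session = (RotatingWebSession) getSession();
        if (session.signInAndRotate(username.getModelObject(), password.getModelObject())) {
            continueToOriginalDestination();   // returns only if there was no original page
            setResponsePage(getApplication().getHomePage());
        } else {
            error("Sign-in failed");           // same message for every failure
        }
    }
}
```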