Hi,

1. You can remove the sessionid from the URL and have it stored in a cookie without any change to your app code. This is more of a web container setup; it's not really Wicket who should be handling that. With Servlet 3.0 you can tell your web container how it should handle it in the web.xml file of your app, like
http://www.e-zest.net/blog/new-session-management-features-in-servlet-3-0/
Notice the <tracking-mode>COOKIE</tracking-mode> option. Look into having it as "HttpOnly" also; it means the cookie value cannot be read from JS, so you'd want that turned on also to minimize the damage in case of an XSS vulnerability in your site.

2. Actually Wicket already comes with session fixation protection. If you look in the Session class, the method Session.replaceSession() has it explained in the Javadoc. So say you have a LoginForm with a

    public void submit() {
        User user = userDao.getUser(username, password);
        if (user != null) { // pardon the stupidest authorization
            // we're destroying the old session and recreating a new one;
            // a new sessionid is returned to the user
            Session.get().replaceSession();
            // after replaceSession() the session object is new, so fetch it again
            AppSession newSession = (AppSession) Session.get();
            newSession.setUser(user);
        } else {
            error("Wrong username/pass");
        }
    }

--
View this message in context: http://apache-wicket.1842946.n4.nabble.com/Removing-jessionid-tp4671649p4671650.html
Sent from the Users forum mailing list archive at Nabble.com.
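The Servlet 3.0 web.xml settings the reply points at, written out as an added example (not code from the post or from the Wicket project). The Wicket filter mapping and the application class name `com.example.MyApplication` are assumed placeholders; the security-relevant part is the `<session-config>` block, which keeps the session id out of URLs (no `;jsessionid=` rewriting, so it stops leaking via Referer headers and logs) and marks the cookie HttpOnly.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Servlet 3.0 deployment descriptor; <tracking-mode> and <cookie-config>
     are not understood by 2.5 containers, so the version attribute matters. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Assumed Wicket filter wiring; only the application class name is a placeholder. -->
  <filter>
    <filter-name>wicket</filter-name>
    <filter-class>org.apache.wicket.protocol.http.WicketFilter</filter-class>
    <init-param>
      <param-name>applicationClassName</param-name>
      <param-value>com.example.MyApplication</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>wicket</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <session-config>
    <!-- Weak default would be COOKIE plus URL: the container falls back to
         ;jsessionid=... rewriting when it cannot tell a cookie was accepted.
         Listing only COOKIE disables URL rewriting entirely. -->
    <tracking-mode>COOKIE</tracking-mode>
    <cookie-config>
      <!-- Cookie is not readable from document.cookie, limiting XSS impact. -->
      <http-only>true</http-only>
      <!-- Optional hardening beyond what the reply discusses: only send the
           cookie over TLS. Leave this out on plain-HTTP test deployments or
           the session will never be established. -->
      <secure>true</secure>
    </cookie-config>
    <!-- Idle timeout in minutes; 30 is a common value, not a requirement. -->
    <session-timeout>30</session-timeout>
  </session-config>

</web-app>
```

A quick check after deploying: hit a page with cookies disabled in the browser (or with curl, which sends none) and confirm that no link in the rendered HTML carries `;jsessionid=`, and that the `Set-Cookie: JSESSIONID=...` response header carries the `HttpOnly` attribute (and `Secure`, if enabled).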