web.xml On Dec 4, 2015 8:20 PM, "Lois GreeneHernandez" <lgreenehernan...@knoa.com> wrote:
> Thanks Martin for your response, > > I have a question, does this code go into web.xml or sun-web.xml or is > there another xml that I need to create. I know that one can have a > glassfish.*.xml but we don't have that in our set up. > > Please advise. > > Thanks in advance for all of your help. > > Lois > > -----Original Message----- > From: Martin Grigorov [mailto:mgrigo...@apache.org] > Sent: Friday, December 04, 2015 1:11 PM > To: users@wicket.apache.org > Subject: Re: jsession id in url > > Hi, > > See the Tomcat 7/8 hint at the bottom. GF4 should support that already. > > Martin Grigorov > Wicket Training and Consulting > https://twitter.com/mtgrigorov > > On Fri, Dec 4, 2015 at 8:02 PM, Lois GreeneHernandez < > lgreenehernan...@knoa.com> wrote: > > > Actually we're using glassfish 4 and it's a good question, but I don't > > know if we configured it to not use jsessionid? I'll research that. > > > > Thanks for your input. > > > > Lois > > > > -----Original Message----- > > From: Sven Meier [mailto:s...@meiers.net] > > Sent: Friday, December 04, 2015 12:43 PM > > To: users@wicket.apache.org > > Subject: Re: jsession id in url > > > > Hi, > > > > did you configure Tomcat to not use jsessionid? > > > > > > http://stackoverflow.com/questions/962729/is-it-possible-to-disable-js > > essionid-in-tomcat-servlet > > > > Regards > > Sven > > > > On 04.12.2015 17:03, Lois GreeneHernandez wrote: > > > Hi All, > > > > > > I was tasked with modifying a wicket6/glassfish4 application so that > > > the > > session id changes as soon as a user logs in. This is to avoid the > > problem of Session Fixation. I used the replaceSession() method (from > > the wicket Session class), which does a destroy(); and a bind();. > replaceSession(). > > It seem to do the trick as the session id does indeed change. The > > problem is that now we see a jsessionid in the url everytime we > initially log on. > > The id goes away after you log in and only appears on the initial launch. > > > > > > My question is, is there a way to ensure that no jessionid appears > > > in > > the url AND that the session id changes? Any advice would be greatly > > appreciated. > > > > > > Thanks > > > > > > Lois > > > > > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > > For additional commands, e-mail: users-h...@wicket.apache.org > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > > For additional commands, e-mail: users-h...@wicket.apache.org > > > > >