Hi Claudia,

I have never seen this in our applications - we always use a form POST to submit user login details. The only reason I can think of that would lead to your case is when you set the form to submit using a GET request. That would put the fields in the URL and thus in Wicket's page parameters, which are reused when recreateBookmarkablePagesAfterExpiry is true and the page expired.

Did you by any chance specify a method="GET" attribute on your form?

Kind regards,
Bas Gooren

On 20 July 2021 at 21:46:07, Claudia Hirt ([email protected]) wrote:

> Hi all,
>
> we are currently facing some issues with the recreateBookmarkablePagesAfterExpiry option.
> We set this option to true, the user visits the login page and enters username and password ("<input type='password'></input>"). Now the user waits for the login till the session expires. Wicket forces a page recreate and appends the password into the URL (e.g. http://localhost:8080/app?user:unit:textfield=user&password:password="password").
> This seems to be a security issue on our side. Unfortunately we can't disable the recreateBookmarkablePagesAfterExpiry option due to some resource loading issues.
>
> We already thought about what we can do to solve this issue, and it seems to be possible to remove this parameter from the page parameters (which are called for the rewrite URL after a page expires).
> But before we implement this workaround we want to ask you guys if you already have seen this issue and if yes, if you have any better solutions?
>
> Thanks for your help...
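An added example, not part of either message and not Wicket code: a Python check that scans web access logs for form fields that ended up in the query string as described in this thread, and redacts them. It matches on each colon-separated segment of the parameter name, because Wicket names the field by its component path (`password:password` above). The set of sensitive component ids, the access-log layout and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumption: component ids that carry secrets in the application under review.
SENSITIVE_IDS = {"password", "passwd", "pwd", "secret", "token"}

# Assumption: common/combined log format, request line in double quotes.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def is_sensitive(param_name):
    """True if any segment of a component-path name is a sensitive id."""
    return any(seg.lower() in SENSITIVE_IDS for seg in param_name.split(":"))

def redact_url(url):
    """Return (url with sensitive values replaced, names of leaked params)."""
    parts = urlsplit(url)
    leaked, kept = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if is_sensitive(name):
            leaked.append(name)
            value = "REDACTED"
        kept.append((name, value))
    # Keep ':' unescaped so the component path stays readable in reports.
    query = urlencode(kept, safe=":")
    return urlunsplit(parts._replace(query=query)), leaked

def scan_access_log(lines):
    """Yield (line_number, redacted_target, leaked_names) for each hit."""
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        redacted, leaked = redact_url(match.group(1))
        if leaked:
            yield number, redacted, leaked

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '127.0.0.1 - - [20/Jul/2021:21:40:01 +0200] "GET /app HTTP/1.1" 200 5120',
    '127.0.0.1 - - [20/Jul/2021:21:46:07 +0200] '
    '"GET /app?user:unit:textfield=user&password:password=hunter2 HTTP/1.1" 200 5120',
    '127.0.0.1 - - [20/Jul/2021:21:47:00 +0200] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for number, target, names in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(names)} in URL -> {target}")
```

Any hit means the value has also been exposed to browser history, proxies and Referer headers, so the affected credentials should be treated as disclosed.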
