You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@wicket.apache.org by Lois GreeneHernandez <lg...@knoa.com> on 2015/12/04 17:03:00 UTC
jsession id in url
Hi All,
I was tasked with modifying a wicket6/glassfish4 application so that the session id changes as soon as a user logs in. This is to avoid the problem of Session Fixation. I used the replaceSession() method (from the wicket Session class), which does a destroy(); and a bind();. replaceSession(). It seem to do the trick as the session id does indeed change. The problem is that now we see a jsessionid in the url everytime we initially log on. The id goes away after you log in and only appears on the initial launch.
My question is, is there a way to ensure that no jessionid appears in the url AND that the session id changes? Any advice would be greatly appreciated.
Thanks
Lois
RE: jsession id in url
Posted by Martin Grigorov <ma...@gmail.com>.
web.xml
On Dec 4, 2015 8:20 PM, "Lois GreeneHernandez" <lg...@knoa.com>
wrote:
> Thanks Martin for your response,
>
> I have a question, does this code go into web.xml or sun-web.xml or is
> there another xml that I need to create. I know that one can have a
> glassfish.*.xml but we don't have that in our set up.
>
> Please advise.
>
> Thanks in advance for all of your help.
>
> Lois
>
> -----Original Message-----
> From: Martin Grigorov [mailto:mgrigorov@apache.org]
> Sent: Friday, December 04, 2015 1:11 PM
> To: users@wicket.apache.org
> Subject: Re: jsession id in url
>
> Hi,
>
> See the Tomcat 7/8 hint at the bottom. GF4 should support that already.
>
> Martin Grigorov
> Wicket Training and Consulting
> https://twitter.com/mtgrigorov
>
> On Fri, Dec 4, 2015 at 8:02 PM, Lois GreeneHernandez <
> lgreenehernandez@knoa.com> wrote:
>
> > Actually we're using glassfish 4 and it's a good question, but I don't
> > know if we configured it to not use jsessionid? I'll research that.
> >
> > Thanks for your input.
> >
> > Lois
> >
> > -----Original Message-----
> > From: Sven Meier [mailto:sven@meiers.net]
> > Sent: Friday, December 04, 2015 12:43 PM
> > To: users@wicket.apache.org
> > Subject: Re: jsession id in url
> >
> > Hi,
> >
> > did you configure Tomcat to not use jsessionid?
> >
> >
> > http://stackoverflow.com/questions/962729/is-it-possible-to-disable-js
> > essionid-in-tomcat-servlet
> >
> > Regards
> > Sven
> >
> > On 04.12.2015 17:03, Lois GreeneHernandez wrote:
> > > Hi All,
> > >
> > > I was tasked with modifying a wicket6/glassfish4 application so that
> > > the
> > session id changes as soon as a user logs in. This is to avoid the
> > problem of Session Fixation. I used the replaceSession() method (from
> > the wicket Session class), which does a destroy(); and a bind();.
> replaceSession().
> > It seem to do the trick as the session id does indeed change. The
> > problem is that now we see a jsessionid in the url everytime we
> initially log on.
> > The id goes away after you log in and only appears on the initial launch.
> > >
> > > My question is, is there a way to ensure that no jessionid appears
> > > in
> > the url AND that the session id changes? Any advice would be greatly
> > appreciated.
> > >
> > > Thanks
> > >
> > > Lois
> > >
> > >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
> > For additional commands, e-mail: users-help@wicket.apache.org
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
> > For additional commands, e-mail: users-help@wicket.apache.org
> >
> >
>
RE: jsession id in url
Posted by Lois GreeneHernandez <lg...@knoa.com>.
Thanks Martin for your response,
I have a question, does this code go into web.xml or sun-web.xml or is there another xml that I need to create. I know that one can have a glassfish.*.xml but we don't have that in our set up.
Please advise.
Thanks in advance for all of your help.
Lois
-----Original Message-----
From: Martin Grigorov [mailto:mgrigorov@apache.org]
Sent: Friday, December 04, 2015 1:11 PM
To: users@wicket.apache.org
Subject: Re: jsession id in url
Hi,
See the Tomcat 7/8 hint at the bottom. GF4 should support that already.
Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov
On Fri, Dec 4, 2015 at 8:02 PM, Lois GreeneHernandez < lgreenehernandez@knoa.com> wrote:
> Actually we're using glassfish 4 and it's a good question, but I don't
> know if we configured it to not use jsessionid? I'll research that.
>
> Thanks for your input.
>
> Lois
>
> -----Original Message-----
> From: Sven Meier [mailto:sven@meiers.net]
> Sent: Friday, December 04, 2015 12:43 PM
> To: users@wicket.apache.org
> Subject: Re: jsession id in url
>
> Hi,
>
> did you configure Tomcat to not use jsessionid?
>
>
> http://stackoverflow.com/questions/962729/is-it-possible-to-disable-js
> essionid-in-tomcat-servlet
>
> Regards
> Sven
>
> On 04.12.2015 17:03, Lois GreeneHernandez wrote:
> > Hi All,
> >
> > I was tasked with modifying a wicket6/glassfish4 application so that
> > the
> session id changes as soon as a user logs in. This is to avoid the
> problem of Session Fixation. I used the replaceSession() method (from
> the wicket Session class), which does a destroy(); and a bind();. replaceSession().
> It seem to do the trick as the session id does indeed change. The
> problem is that now we see a jsessionid in the url everytime we initially log on.
> The id goes away after you log in and only appears on the initial launch.
> >
> > My question is, is there a way to ensure that no jessionid appears
> > in
> the url AND that the session id changes? Any advice would be greatly
> appreciated.
> >
> > Thanks
> >
> > Lois
> >
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
> For additional commands, e-mail: users-help@wicket.apache.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
> For additional commands, e-mail: users-help@wicket.apache.org
>
>
Re: jsession id in url
Posted by Martin Grigorov <mg...@apache.org>.
Hi,
See the Tomcat 7/8 hint at the bottom. GF4 should support that already.
Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov
On Fri, Dec 4, 2015 at 8:02 PM, Lois GreeneHernandez <
lgreenehernandez@knoa.com> wrote:
> Actually we're using glassfish 4 and it's a good question, but I don't
> know if we configured it to not use jsessionid? I'll research that.
>
> Thanks for your input.
>
> Lois
>
> -----Original Message-----
> From: Sven Meier [mailto:sven@meiers.net]
> Sent: Friday, December 04, 2015 12:43 PM
> To: users@wicket.apache.org
> Subject: Re: jsession id in url
>
> Hi,
>
> did you configure Tomcat to not use jsessionid?
>
>
> http://stackoverflow.com/questions/962729/is-it-possible-to-disable-jsessionid-in-tomcat-servlet
>
> Regards
> Sven
>
> On 04.12.2015 17:03, Lois GreeneHernandez wrote:
> > Hi All,
> >
> > I was tasked with modifying a wicket6/glassfish4 application so that the
> session id changes as soon as a user logs in. This is to avoid the problem
> of Session Fixation. I used the replaceSession() method (from the wicket
> Session class), which does a destroy(); and a bind();. replaceSession().
> It seem to do the trick as the session id does indeed change. The problem
> is that now we see a jsessionid in the url everytime we initially log on.
> The id goes away after you log in and only appears on the initial launch.
> >
> > My question is, is there a way to ensure that no jessionid appears in
> the url AND that the session id changes? Any advice would be greatly
> appreciated.
> >
> > Thanks
> >
> > Lois
> >
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
> For additional commands, e-mail: users-help@wicket.apache.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
> For additional commands, e-mail: users-help@wicket.apache.org
>
>
RE: jsession id in url
Posted by Lois GreeneHernandez <lg...@knoa.com>.
Actually we're using glassfish 4 and it's a good question, but I don't know if we configured it to not use jsessionid? I'll research that.
Thanks for your input.
Lois
-----Original Message-----
From: Sven Meier [mailto:sven@meiers.net]
Sent: Friday, December 04, 2015 12:43 PM
To: users@wicket.apache.org
Subject: Re: jsession id in url
Hi,
did you configure Tomcat to not use jsessionid?
http://stackoverflow.com/questions/962729/is-it-possible-to-disable-jsessionid-in-tomcat-servlet
Regards
Sven
On 04.12.2015 17:03, Lois GreeneHernandez wrote:
> Hi All,
>
> I was tasked with modifying a wicket6/glassfish4 application so that the session id changes as soon as a user logs in. This is to avoid the problem of Session Fixation. I used the replaceSession() method (from the wicket Session class), which does a destroy(); and a bind();. replaceSession(). It seem to do the trick as the session id does indeed change. The problem is that now we see a jsessionid in the url everytime we initially log on. The id goes away after you log in and only appears on the initial launch.
>
> My question is, is there a way to ensure that no jessionid appears in the url AND that the session id changes? Any advice would be greatly appreciated.
>
> Thanks
>
> Lois
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org
Re: jsession id in url
Posted by Sven Meier <sv...@meiers.net>.
Hi,
did you configure Tomcat to not use jsessionid?
http://stackoverflow.com/questions/962729/is-it-possible-to-disable-jsessionid-in-tomcat-servlet
Regards
Sven
On 04.12.2015 17:03, Lois GreeneHernandez wrote:
> Hi All,
>
> I was tasked with modifying a wicket6/glassfish4 application so that the session id changes as soon as a user logs in. This is to avoid the problem of Session Fixation. I used the replaceSession() method (from the wicket Session class), which does a destroy(); and a bind();. replaceSession(). It seem to do the trick as the session id does indeed change. The problem is that now we see a jsessionid in the url everytime we initially log on. The id goes away after you log in and only appears on the initial launch.
>
> My question is, is there a way to ensure that no jessionid appears in the url AND that the session id changes? Any advice would be greatly appreciated.
>
> Thanks
>
> Lois
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org