Posted to users@wicket.apache.org by Lois GreeneHernandez <lg...@knoa.com> on 2015/12/04 17:03:00 UTC

jsession id in url

Hi All,

I was tasked with modifying a wicket6/glassfish4 application so that the session id changes as soon as a user logs in.  This is to avoid the problem of Session Fixation.  I used the replaceSession() method (from the wicket Session class), which does a destroy(); and a bind();.  replaceSession().  It seems to do the trick as the session id does indeed change.  The problem is that now we see a jsessionid in the url every time we initially log on.  The id goes away after you log in and only appears on the initial launch.

My question is, is there a way to ensure that no jsessionid appears in the url AND that the session id changes?  Any advice would be greatly appreciated.

Thanks

Lois


RE: jsession id in url

Posted by Martin Grigorov <ma...@gmail.com>.
web.xml
On Dec 4, 2015 8:20 PM, "Lois GreeneHernandez" <lg...@knoa.com>
wrote:

> Thanks Martin for your response,
>
> I have a question, does this code go into web.xml or sun-web.xml or is
> there another xml that I need to create.  I know that one can have a
> glassfish.*.xml but we don't have that in our set up.
>
> Please advise.
>
> Thanks in advance for all of your help.
>
> Lois
>
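
The web.xml placement answered above, as an added example that is not taken from the thread or the linked page: it assumes the hint refers to the standard Servlet 3.0+ session tracking-mode element, which GlassFish 4 (Servlet 3.1) reads from WEB-INF/web.xml. Restricting tracking to cookies keeps the new id issued by replaceSession() out of the URL, where it would otherwise end up in Referer headers, access logs and shared links.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/web.xml: added example; the descriptor must be Servlet 3.0 or later -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <session-config>
    <!-- Without this element the container may fall back to URL rewriting
         (;jsessionid=...) on the first response of a new session, before it
         knows whether the browser accepts cookies. Session.replaceSession()
         creates such a new session at login. -->
    <tracking-mode>COOKIE</tracking-mode>

    <cookie-config>
      <!-- Optional hardening: keep the session cookie away from page scripts. -->
      <http-only>true</http-only>
    </cookie-config>
  </session-config>

</web-app>
```

With COOKIE as the only tracking mode, a client that rejects cookies cannot hold a session at all, so the login page should be tested with cookies disabled to confirm it fails cleanly.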

RE: jsession id in url

Posted by Lois GreeneHernandez <lg...@knoa.com>.
Thanks Martin for your response, 

I have a question, does this code go into web.xml or sun-web.xml or is there another xml that I need to create.  I know that one can have a glassfish.*.xml but we don't have that in our set up.  

Please advise. 

Thanks in advance for all of your help. 

Lois

-----Original Message-----
From: Martin Grigorov [mailto:mgrigorov@apache.org] 
Sent: Friday, December 04, 2015 1:11 PM
To: users@wicket.apache.org
Subject: Re: jsession id in url

Hi,

See the Tomcat 7/8 hint at the bottom. GF4 should support that already.

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov


Re: jsession id in url

Posted by Martin Grigorov <mg...@apache.org>.
Hi,

See the Tomcat 7/8 hint at the bottom. GF4 should support that already.

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Fri, Dec 4, 2015 at 8:02 PM, Lois GreeneHernandez <
lgreenehernandez@knoa.com> wrote:

> Actually we're using glassfish 4 and it's a good question, but I don't
> know if we configured it to not use jsessionid?  I'll research that.
>
> Thanks for your input.
>
> Lois

RE: jsession id in url

Posted by Lois GreeneHernandez <lg...@knoa.com>.
Actually we're using glassfish 4 and it's a good question, but I don't know if we configured it to not use jsessionid?  I'll research that. 

Thanks for your input. 

Lois

-----Original Message-----
From: Sven Meier [mailto:sven@meiers.net] 
Sent: Friday, December 04, 2015 12:43 PM
To: users@wicket.apache.org
Subject: Re: jsession id in url

Hi,

did you configure Tomcat to not use jsessionid?

http://stackoverflow.com/questions/962729/is-it-possible-to-disable-jsessionid-in-tomcat-servlet

Regards
Sven


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org




Re: jsession id in url

Posted by Sven Meier <sv...@meiers.net>.
Hi,

did you configure Tomcat to not use jsessionid?

http://stackoverflow.com/questions/962729/is-it-possible-to-disable-jsessionid-in-tomcat-servlet

Regards
Sven

On 04.12.2015 17:03, Lois GreeneHernandez wrote:
> Hi All,
>
> I was tasked with modifying a wicket6/glassfish4 application so that the session id changes as soon as a user logs in.  This is to avoid the problem of Session Fixation.  I used the replaceSession() method (from the wicket Session class), which does a destroy(); and a bind();.  replaceSession().  It seems to do the trick as the session id does indeed change.  The problem is that now we see a jsessionid in the url every time we initially log on.  The id goes away after you log in and only appears on the initial launch.
>
> My question is, is there a way to ensure that no jsessionid appears in the url AND that the session id changes?  Any advice would be greatly appreciated.
>
> Thanks
>
> Lois
>
>
