Posted to commits@wicket.apache.org by "Holger Jaekel (JIRA)" <ji...@apache.org> on 2011/02/22 22:26:38 UTC

[jira] Created: (WICKET-3469) Referrer Leaking with ExternalLink

Referrer Leaking with ExternalLink
----------------------------------

                 Key: WICKET-3469
                 URL: https://issues.apache.org/jira/browse/WICKET-3469
             Project: Wicket
          Issue Type: Bug
          Components: wicket
    Affects Versions: 1.4.15
            Reporter: Holger Jaekel


When cookies are turned off, the jsessionid is included in the URL of the Wicket application, e.g. http://localhost:8080/wicket-app/;jsessionid=03A529631FB1B9BA35556EA02519DF99?x=cOa8p3ycZvK*eAoEOzxHjg

ExternalLink renders links like <a href="http://www.google.de/">Google</a>

When the user clicks on such an external link, the browser puts the current URL (including the session id) into the Referrer HTTP header. This is a security issue. Instead, the ExternalLink should use a redirect to open the external URL.

-- 
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] Reopened: (WICKET-3469) Referrer Leaking with ExternalLink

Posted by "Martin Grigorov (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-3469?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Martin Grigorov reopened WICKET-3469:
-------------------------------------

      Assignee: Martin Grigorov

Reopening to add javadoc at least.

[jira] Commented: (WICKET-3469) Referrer Leaking with ExternalLink

Posted by "Igor Vaynberg (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-3469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12998062#comment-12998062 ] 

Igor Vaynberg commented on WICKET-3469:
---------------------------------------

Never mind, I see. I think Martijn is correct: if you do not want to show the referer, which will contain the jsessionid, use a normal link and redirect to the external URL.

[jira] Reopened: (WICKET-3469) Referrer Leaking with ExternalLink

Posted by "Martin Grigorov (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-3469?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Martin Grigorov reopened WICKET-3469:
-------------------------------------


Reopening to update the javadoc.

[jira] Updated: (WICKET-3469) Referrer Leaking with ExternalLink

Posted by "Pedro Santos (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-3469?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Pedro Santos updated WICKET-3469:
---------------------------------

    Attachment: WICKET-3469.zip

[jira] Resolved: (WICKET-3469) Referrer Leaking with ExternalLink

Posted by "Pedro Santos (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-3469?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Pedro Santos resolved WICKET-3469.
----------------------------------

    Resolution: Not A Problem

[jira] Commented: (WICKET-3469) Referrer Leaking with ExternalLink

Posted by "Igor Vaynberg (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-3469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12998061#comment-12998061 ] 

Igor Vaynberg commented on WICKET-3469:
---------------------------------------

I don't see how this can happen at all. The URL given to the link is not rewritten anywhere using HttpServletResponse#encodeURL; it is rendered raw. So what appends the jsessionid to it? At least in the quickstart Pedro attached this is not reproduced...

[jira] Resolved: (WICKET-3469) Referrer Leaking with ExternalLink

Posted by "Martin Grigorov (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-3469?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Martin Grigorov resolved WICKET-3469.
-------------------------------------

    Resolution: Fixed

The javadoc is updated with Igor's comment.

[jira] Reopened: (WICKET-3469) Referrer Leaking with ExternalLink

Posted by "Pedro Santos (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-3469?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Pedro Santos reopened WICKET-3469:
----------------------------------


I know that it is not up to the framework to strip that encoded session id, but it would be nice if it were possible. Reopening just to attach the quickstart I used to understand the issue.

[jira] Commented: (WICKET-3469) Referrer Leaking with ExternalLink

Posted by "Igor Vaynberg (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-3469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12998432#comment-12998432 ] 

Igor Vaynberg commented on WICKET-3469:
---------------------------------------

FWIW, this is not going to work either:

 <p>
+ * <strong>Note</strong>: in the case when the support for cookies in the browser is disabled the
+ * user's jsessionid will leak in the 'Referrer' header after clicking this link. If this is a
+ * problem for the application then better use {@link Link} which redirects to the new URL using
+ * {@link RedirectToUrlException}.
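Review bot: the header named in the second line of this note is spelled `Referer` in HTTP (RFC 2616 keeps the historical misspelling), so "the 'Referrer' header" sends readers looking for a header that is never sent; write it as the 'Referer' header, and tidy the last sentence to "then it is better to use {@link Link}, which redirects ...". The advice is also incomplete as written: the {@link Link} callback URL is itself rewritten with ;jsessionid=... when cookies are disabled, as the comment below the hunk points out, so the note should not present the redirect as sufficient on its own and should say that any redirecting URL must be built without the session id.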

The referer will then have the ;jsessionid=ABCD/?wicket:interface=.... URL.

In order to truly fix this, one would have to redirect to a shared stateless resource that performs the redirect to the link URL.

So a link has to redirect to /wicket/resource/my-redirect-resource?url=my-final-destination, letting the resource there perform the final redirect and making sure that the above URL does not have a jsessionid in it, by either building the URL to it manually or not passing it through the response.encodeURL() method.

This is not trivial, but it's also not unique to Wicket. All Java applications have to do this dance if they don't want the jsessionid in their URLs.

[jira] Closed: (WICKET-3469) Referrer Leaking with ExternalLink

Posted by "Martijn Dashorst (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-3469?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Martijn Dashorst closed WICKET-3469.
------------------------------------

    Resolution: Not A Problem

If you need a redirect, use a normal Link component instead. ExternalLink does exactly what it is designed to do: render an <a href=""> for a normal URL.

You could add an AttributeModifier to add a noreferrer tag to the link. See http://www.whatwg.org/specs/web-apps/current-work/multipage/links.html#link-type-noreferrer

[jira] Commented: (WICKET-3469) Referrer Leaking with ExternalLink

Posted by "Martin Grigorov (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-3469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12998223#comment-12998223 ] 

Martin Grigorov commented on WICKET-3469:
-----------------------------------------

I tend to agree with Holger.
With the current impl of ExternalLink, Wicket provides a component which is vulnerable (session hijacking through the referer) in certain circumstances (disabled cookies).
A real fix would be to reimplement ExternalLink as a normal Link which redirects in its onClick(). If this is not acceptable then we can at least mention this possible problem in the javadoc and add a 'rel="noreferrer"' attribute so at least new browsers can help prevent this security hole.


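As an added example (not Wicket's own code and not from anyone in this thread), the rel="noreferrer" mitigation Martijn and Martin suggest above, written as a small ExternalLink subclass for Wicket 1.4 that merges the link type into any rel the markup already has; the class and method names are hypothetical. One caveat that belongs next to this thread: the redirect variants discussed here do not by themselves change what the external site receives, because browsers keep the original page's URL as the Referer when following an HTTP 302, so the anchor-level rel="noreferrer" (or keeping the session id out of the URL altogether) is what actually stops the leak.

```java
import org.apache.wicket.AttributeModifier;
import org.apache.wicket.markup.ComponentTag;
import org.apache.wicket.markup.html.link.ExternalLink;
import org.apache.wicket.model.Model;

/**
 * Hypothetical ExternalLink variant (added example, not a Wicket class) that always
 * renders rel="noreferrer". A browser implementing that HTML5 link type sends no
 * Referer when the link is followed, so a ;jsessionid=... in the page URL never
 * reaches the external site, whether or not cookies are enabled.
 *
 * Usage in a page constructor, matching <a wicket:id="google">Google</a> in the markup:
 *   add(new NoReferrerExternalLink("google", "http://www.google.de/"));
 */
public class NoReferrerExternalLink extends ExternalLink {
    private static final long serialVersionUID = 1L;

    public NoReferrerExternalLink(String id, String href) {
        super(id, href);
    }

    public NoReferrerExternalLink(String id, String href, String label) {
        super(id, href, label);
    }

    @Override
    protected void onComponentTag(ComponentTag tag) {
        super.onComponentTag(tag); // ExternalLink writes the href here
        // Keep whatever rel the markup already carries (e.g. rel="nofollow").
        tag.put("rel", mergeRel(tag.getAttribute("rel"), "noreferrer"));
    }

    /** Appends a link type to a space-separated rel value unless it is already present. */
    static String mergeRel(String existing, String linkType) {
        if (existing == null || existing.trim().length() == 0) {
            return linkType;
        }
        String current = existing.trim();
        for (String token : current.split("\\s+")) {
            if (token.equalsIgnoreCase(linkType)) {
                return current;
            }
        }
        return current + " " + linkType;
    }

    /**
     * The same effect on an unmodified ExternalLink, using the AttributeModifier route
     * suggested in the thread (Wicket 1.4 constructor; this replaces any existing rel
     * instead of merging with it).
     */
    static ExternalLink withNoReferrer(ExternalLink link) {
        link.add(new AttributeModifier("rel", true, new Model<String>("noreferrer")));
        return link;
    }
}
```
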
[jira] Commented: (WICKET-3469) Referrer Leaking with ExternalLink

Posted by "Holger Jaekel (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-3469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12998071#comment-12998071 ] 

Holger Jaekel commented on WICKET-3469:
---------------------------------------

If you see ExternalLink just as a class for rendering a simple anchor link, you are correct. ExternalLink does exactly what it is supposed to do.

I was thinking of ExternalLink as the recommended way of including links to external URLs in an application. The component reference says: "External links take you outside the scope of Wicket. They can come in handy when you keep your links e.g. in a database." But the usage of ExternalLink for external links cannot be recommended because it is possible that the jsessionid is leaked to the external site. So maybe Wicket should offer a secure way of including external links in an application. Using normal Links and creating the redirects in the application code is just a workaround. Using noreferrer is HTML5, which is still a draft.

[jira] Resolved: (WICKET-3469) Referrer Leaking with ExternalLink

Posted by "Martin Grigorov (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-3469?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Martin Grigorov resolved WICKET-3469.
-------------------------------------

       Resolution: Fixed
    Fix Version/s: 1.5-RC3
                   1.4.17

Javadoc explaining the possible problem and solution is added with r1073642 (1.4.x) and r1073641 (trunk).
The rel="noreferrer" attribute is not added by default. It can be provided by the user application at any time.

[jira] Commented: (WICKET-3469) Referrer Leaking with ExternalLink

Posted by "Martijn Dashorst (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-3469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12998239#comment-12998239 ] 

Martijn Dashorst commented on WICKET-3469:
------------------------------------------

-1 to serverside events with this component. That would break so many applications that it would not be funny.

External link is nothing more than providing your markup with URLs from Java code. Similar to just having an <a href="http://google.com"> in your markup. We are not going to fix those either, nor WebMarkupContainers that have an attribute modifier to provide a href attribute, nor WebMarkupContainers that override onComponentTag and put a href attribute.

[jira] Commented: (WICKET-3469) Referrer Leaking with ExternalLink

Posted by "Jeremy Thomerson (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-3469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12998064#comment-12998064 ] 

Jeremy Thomerson commented on WICKET-3469:
------------------------------------------

jsessionid is appended by the container - we can't control it
