Posted to dev@wicket.apache.org by Martijn Dashorst <ma...@gmail.com> on 2008/01/06 20:55:55 UTC

The case for ugly URLs

I just found this article mentioned in a post while browsing other mailing
lists referencing Wicket...

http://www2.csoonline.com/exclusives/column.html?CID=33395

It provides the case for Wicket's relative-to-session URLs:

> A more sophisticated defense involves making sure the bad guys won't have
> the exact command to execute an action on the target website. "Essentially
> what the developer is trying to do is make sure the request is
> unpredictable," Grossman says. "The same request I use to do a wire transfer
> will not be identical to one you make." Typically this would involve
> generating cryptographic tokens for each user.

Martijn

-- 
Buy Wicket in Action: http://manning.com/dashorst
Apache Wicket 1.3.0 is released
Get it now: http://www.apache.org/dyn/closer.cgi/wicket/1.3.0
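The defence the quoted article describes (a per-user cryptographic token that makes the state-changing request unpredictable to a third-party site) can be shown end to end in a few lines. The following is an added example in Python; it is not from the original post and is not Wicket's own mechanism. It assumes an in-memory dict as the session store and a plain dict standing in for the submitted form fields; both are constructed for this example.

```python
import hmac
import re
import secrets

# Constructed in-memory session store for the example: session_id -> session data.
SESSIONS = {}


def new_session():
    """Create a session and bind a fresh, unpredictable CSRF token to it."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"csrf_token": secrets.token_urlsafe(32), "transfers": []}
    return session_id


def render_transfer_form(session_id):
    """Embed the session's token in the page the legitimate user is served.

    A cross-site page can make the victim's browser send the session cookie,
    but the same-origin policy keeps it from reading this token out of the page.
    """
    token = SESSIONS[session_id]["csrf_token"]
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"><button>Send</button></form>'
    )


def handle_transfer(session_id, form):
    """Server side: refuse the action unless the submitted token matches this session's token."""
    session = SESSIONS.get(session_id)
    if session is None:
        return "401 no session"
    submitted = form.get("csrf_token", "")
    expected = session["csrf_token"]
    # Constant-time comparison so the check itself does not leak the token via timing.
    if not hmac.compare_digest(submitted, expected):
        return "403 csrf token mismatch"
    session["transfers"].append(form["amount"])
    return "200 transferred"


def token_from_page(html):
    """What the legitimate browser does: pull the hidden token out of the served form."""
    match = re.search(r'name="csrf_token" value="([^"]+)"', html)
    return match.group(1) if match else ""


def demo():
    """Legitimate submit succeeds; a forged request without the token, and one
    carrying another user's token, are both rejected."""
    alice = new_session()
    bob = new_session()

    # Legitimate flow: Alice's browser reads the token from her own page and sends it back.
    page = render_transfer_form(alice)
    ok = handle_transfer(alice, {"csrf_token": token_from_page(page), "amount": "10"})

    # Forged request: cookie rides along with the request, but the token is unknown to the forger.
    forged = handle_transfer(alice, {"amount": "1000"})

    # A token issued to Bob's session is useless against Alice's session.
    cross = handle_transfer(alice, {"csrf_token": SESSIONS[bob]["csrf_token"], "amount": "1000"})

    return ok, forged, cross, SESSIONS[alice]["transfers"]


if __name__ == "__main__":
    print(demo())
```

The property that matters is the one Grossman states: two users' requests for the same action differ, and the differing part is unguessable and unreadable from another origin. Tying the token to the session (rather than a single site-wide secret) is what makes Bob's token fail against Alice's account.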