Posted to users@wicket.apache.org by kan <ka...@gmail.com> on 2008/10/15 14:30:34 UTC

HTTPS, again

I have a web site with a login form in the header, so the form appears on
all pages. Normally it works insecurely, so the page could be viewed
insecurely, but the form on it must be secure; otherwise it will send the
username/password over insecure http. I found a solution for a page in the
wicket wiki: it checks the page for a RequiredSSL annotation and
redirects if not ssl. But in my case the https should come before, in the
url, not after the data has already been sent. I mean the <form action> for
the login form must be "https://...". How do I do it?

Also, as I understand, the sessionid for the insecure connection should be
transferred to the secure one and after that the sessionid should be generated
again; otherwise a hacker can use the sessionid stolen from the insecure
connection to intrude into session data which is expected to be
secure. Am I right? Is there an easy way to do it in wicket?

-- 
WBR, kan.
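
Added example, not part of the original post and not Wicket API: a sketch of the two steps the question describes (an absolute https:// form action, then a fresh session id after login) using only the standard javax.servlet API. The class LoginSessionHelper, its method names and the httpsPort and loginPath parameters are hypothetical.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper (not a Wicket class); standard Servlet API only. */
public final class LoginSessionHelper {

    private LoginSessionHelper() {}

    /** Absolute https:// URL for the login form's action attribute, so the
     *  credentials are never posted over plain HTTP. httpsPort and loginPath
     *  are assumptions supplied by the application. */
    public static String secureFormAction(HttpServletRequest req,
                                          int httpsPort, String loginPath) {
        String port = (httpsPort == 443) ? "" : ":" + httpsPort;
        return "https://" + req.getServerName() + port
                + req.getContextPath() + loginPath;
    }

    /** Call once the credentials have been verified. Discards the session id
     *  that may have travelled over plain HTTP and issues a new one, carrying
     *  the existing attributes across. */
    public static HttpSession regenerateSession(HttpServletRequest req) {
        if (!req.isSecure()) {
            throw new IllegalStateException("login must arrive over HTTPS");
        }
        Map<String, Object> saved = new HashMap<String, Object>();
        HttpSession old = req.getSession(false);
        if (old != null) {
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate(); // the pre-login id no longer maps to any session
        }
        HttpSession fresh = req.getSession(true); // container assigns a new id
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

The new id is only protected while it stays on HTTPS: a session cookie without the Secure attribute is also sent on later plain-HTTP page views, where it can be captured again.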
