Posted to users@wicket.apache.org by Alfonso Quiroga <al...@gmail.com> on 2012/04/24 20:50:53 UTC

Login page stateless??

Hi, in my job we have an application, and the LoginPage is like any
other page. The testing team reported that when you see the login
page, a new Session is being created by Wicket (they see it in
jProfiler). I've used a StatelessForm, but the session is still being
created.

The problem is that the application will be on the internet, and it is VERY
easy to attack if we create a session in the login page. The only
workaround I am thinking of... is creating a plain html file (login), and
then redirecting to a wicket page. Any other solution? thanks!!

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org


Re: Login page stateless??

Posted by "Serban.Balamaci" <th...@gmail.com>.
Dan, how about an attacker who uses a script to just call the login page
lots of times. Could it not cause an OutOfMemory error or at least a
degradation of your application performance by your web server having to
manage millions of sessions apart from the legit ones?

--
View this message in context: http://apache-wicket.1842946.n4.nabble.com/Login-page-stateless-tp4584483p4585721.html
Sent from the Users forum mailing list archive at Nabble.com.



Re: Login page stateless??

Posted by Dan Alvizu <da...@pingidentity.com>.
>The problem is that the application will be on the internet, and it is VERY
easy to attack if we create a session in the login page

Are you worried about a session fixation attack? I just call
Session#replaceSession():

http://wicket.apache.org/apidocs/1.5/org/apache/wicket/Session.html#replaceSession()

-Dan

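The stateless login page discussed above, worked through as an added example (this is not code from the thread or from the Wicket project). It targets the Wicket 1.5 API that Dan's link refers to; `AppSession`, `HomePage`, `ForgotPasswordPage`, `Authenticator.check`, the markup ids and the package name are assumed names. The point it shows: keep every child of the page stateless so no session is bound for anonymous visitors, and create the session only at sign-in, immediately followed by `replaceSession()`.

```java
// File: LoginPage.java  (added example; Wicket 1.5 API; package and page names assumed)
package com.example.auth;

import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.form.PasswordTextField;
import org.apache.wicket.markup.html.form.StatelessForm;
import org.apache.wicket.markup.html.form.TextField;
import org.apache.wicket.markup.html.link.BookmarkablePageLink;
import org.apache.wicket.markup.html.panel.FeedbackPanel;
import org.apache.wicket.model.PropertyModel;
import org.apache.wicket.request.mapper.parameter.PageParameters;

/**
 * Login page that stays stateless: every child component is stateless, so
 * Wicket never stores a page instance and never binds an HTTP session for an
 * anonymous visitor. A session exists only after a successful sign-in.
 * The PageParameters constructor keeps the page bookmarkable, which a
 * StatelessForm needs in order to re-create the page on submit.
 */
public class LoginPage extends WebPage {

    // Plain fields bound with PropertyModel; the form needs no stateful model.
    private String username;
    private String password;

    public LoginPage(PageParameters parameters) {
        super(parameters);

        add(new FeedbackPanel("feedback"));

        // StatelessForm submits to a bookmarkable URL (page class + listener)
        // instead of a page-instance URL, so nothing goes into the page store.
        StatelessForm<Void> form = new StatelessForm<Void>("login") {
            @Override
            protected void onSubmit() {
                AppSession session = AppSession.get();
                if (session.signIn(username, password)) {
                    // The browser may have arrived with a JSESSIONID planted by
                    // an attacker. replaceSession() invalidates that HTTP session
                    // and binds the Wicket session to a fresh one (attributes are
                    // kept): this is the session-fixation defence.
                    session.replaceSession();
                    setResponsePage(HomePage.class);              // HomePage: assumed
                } else {
                    error("Invalid username or password");
                }
            }
        };
        form.add(new TextField<String>("username",
                new PropertyModel<String>(this, "username")).setRequired(true));
        form.add(new PasswordTextField("password",
                new PropertyModel<String>(this, "password")));
        add(form);

        // A plain Link is stateful (the click has to be routed to a page
        // instance) and would silently make the whole page stateful;
        // BookmarkablePageLink is stateless.
        add(new BookmarkablePageLink<Void>("forgot", ForgotPasswordPage.class)); // assumed page
    }
}

// File: AppSession.java  (return it from WebApplication.newSession(Request, Response))
package com.example.auth;

import org.apache.wicket.Session;
import org.apache.wicket.protocol.http.WebSession;
import org.apache.wicket.request.Request;

public class AppSession extends WebSession {

    private String user;

    public AppSession(Request request) {
        super(request);
    }

    public static AppSession get() {
        return (AppSession) Session.get();
    }

    /** Returns true on success; only then is an HTTP session bound. */
    public boolean signIn(String username, String password) {
        if (!Authenticator.check(username, password)) {           // Authenticator: assumed
            return false;
        }
        bind();           // the HTTP session is created here, for this user only
        this.user = username;
        dirty();          // mark the session changed so it is replicated/stored
        return true;
    }

    public boolean isSignedIn() {
        return user != null;
    }

    public String getUser() {
        return user;
    }
}
```

Rendering this page with a component that is stateful (a `Link`, an Ajax behaviour, a `Form` instead of `StatelessForm`) makes Wicket store a page version and bind a session on the first GET, which is exactly what the testers saw in jProfiler; the visitor Bas posted, or the devutils `StatelessChecker`, tells you which child it is.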

Re: Login page stateless??

Posted by Bas Gooren <ba...@iswd.nl>.
It simply means there is another component on your login page which 
makes the page stateful.

To find out which one, override onBeforeRender() in the login page (log 
is a slf4j Logger):

@Override
protected void onBeforeRender()
{
    super.onBeforeRender();

    // A temporary session has not been bound to an HTTP session yet
    log.debug( "Stateless? {}", getSession().isTemporary() );

    if( !getSession().isTemporary() && log.isTraceEnabled() )
    {
        // Print which component is stateful
        // (Wicket 1.4-style IVisitor; in 1.5 the visitor interface is
        // org.apache.wicket.util.visit.IVisitor<T, R> with
        // component(T object, IVisit<R> visit) and no return value)
        visitChildren( Component.class, new IVisitor<Component>()
        {
            @Override
            public Object component( Component component )
            {
                if( !component.isStateless() )
                {
                    log.trace( "+ Stateful: {}", component );
                }

                return CONTINUE_TRAVERSAL;
            }
        } );
    }
}



Re: Login page stateless??

Posted by Martin Grigorov <mg...@apache.org>.
Hi,

As Bas said this means that there is another component in the page
that makes it stateful.
You can use wicket-devutils' @StatelessComponent and StatelessChecker
to find out which component is causing this.

On Tue, Apr 24, 2012 at 9:50 PM, Alfonso Quiroga <al...@gmail.com> wrote:
> Hi, in my job we have an application, and the LoginPage is like any
> other page. The testing team reported that when you see the login
> page, a new Session is being created by wicket (they see it in
> jProfiler). I've used a StatelessForm, but the session is still being
> created.
>
> The problem is that the application will be in internet, and is VERY
> easy to attack if we create a session in the login page. The only
> workaround I am thining... is creating a plain html file (login), and
> then redirect to a wicket page. Any other solution? thanks!!

This is an option too. The only small problem here is that Wicket's
PageParameters do not parse POST parameters, so you will have to use
getRequest().getRequestParameters() in that page to read the submitted
credentials.




-- 
Martin Grigorov
jWeekend
Training, Consulting, Development
http://jWeekend.com

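Both of Martin's points, worked through as an added example (not code from the thread or from the Wicket project): registering the wicket-devutils `StatelessChecker` in development mode, and a mounted Wicket page that receives the POST from a plain `login.html` and reads the credentials with `getRequest().getRequestParameters()` because `PageParameters` only carries query-string and URL-segment values. Wicket 1.5 API; `MyApplication`, `LoginHandlerPage`, `LoginPage`, `HomePage`, `Authenticator.check`, the `/login` mount path and `/login.html` are assumed names.

```java
// File: MyApplication.java  (added example; Wicket 1.5 + wicket-devutils; names assumed)
package com.example.auth;

import org.apache.wicket.Page;
import org.apache.wicket.devutils.stateless.StatelessChecker;
import org.apache.wicket.protocol.http.WebApplication;

public class MyApplication extends WebApplication {

    @Override
    public Class<? extends Page> getHomePage() {
        return HomePage.class;                                   // assumed page
    }

    @Override
    protected void init() {
        super.init();
        // Target of <form action="/login" method="post"> in the static login.html
        mountPage("/login", LoginHandlerPage.class);

        // Development only: StatelessChecker throws IllegalArgumentException at
        // render time whenever a component annotated @StatelessComponent (or a
        // child of an annotated page) turns out to be stateful. Annotate the
        // pages you expect to be stateless, e.g. the page rendering the login
        // form, with @StatelessComponent.
        if (usesDevelopmentConfig()) {
            getComponentPreOnBeforeRenderListeners().add(new StatelessChecker());
        }
    }
}

// File: LoginHandlerPage.java  (receives the POST from login.html; never renders)
package com.example.auth;

import org.apache.wicket.RedirectToUrlException;
import org.apache.wicket.RestartResponseException;
import org.apache.wicket.Session;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.request.IRequestParameters;
import org.apache.wicket.request.mapper.parameter.PageParameters;

public class LoginHandlerPage extends WebPage {

    public LoginHandlerPage(PageParameters parameters) {
        super(parameters);

        // `parameters` holds only query-string / URL-segment values; the
        // credentials are in the POST body, so read them from the request.
        IRequestParameters params = getRequest().getRequestParameters();
        String username = params.getParameterValue("username").toString("");
        String password = params.getParameterValue("password").toString("");

        if (!Authenticator.check(username, password)) {          // Authenticator: assumed
            // Back to the static page; the visitor still has no session.
            throw new RedirectToUrlException("/login.html?error=1");
        }

        Session session = Session.get();
        session.bind();              // the only point at which a session is created
        session.replaceSession();    // fresh session id: session-fixation defence
        session.setAttribute("user", username);
        throw new RestartResponseException(HomePage.class);
    }
}

// File: LoginPageStatelessTest.java  (JUnit 4; LoginPage = the page rendering the form)
package com.example.auth;

import static org.junit.Assert.assertTrue;

import org.apache.wicket.util.tester.WicketTester;
import org.junit.Test;

public class LoginPageStatelessTest {

    @Test
    public void loginPageIsStateless() {
        WicketTester tester = new WicketTester(new MyApplication());
        tester.startPage(LoginPage.class);
        // Fails as soon as any child component is stateful
        assertTrue(tester.getLastRenderedPage().isPageStateless());
        tester.destroy();
    }
}
```

The unit test is the cheap regression check for the original problem: it fails the build if someone later drops a stateful `Link` or Ajax behaviour onto the login page, without anyone having to watch session counts in a profiler.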