Posted to commits@wicket.apache.org by "Damien Hollis (JIRA)" <ji...@apache.org> on 2009/12/21 03:31:18 UTC

[jira] Created: (WICKET-2629) HttpsRequestCycleProcessor causes HttpSession to be created

HttpsRequestCycleProcessor causes HttpSession to be created
-----------------------------------------------------------

                 Key: WICKET-2629
                 URL: https://issues.apache.org/jira/browse/WICKET-2629
             Project: Wicket
          Issue Type: Bug
    Affects Versions: 1.4.4
            Reporter: Damien Hollis
             Fix For: 1.4.6


The HttpsRequestCycleProcessor has the following code:

	public IRequestTarget resolve(RequestCycle rc, RequestParameters rp)
	{
		// we need to persist the session before a redirect to https so the session lasts across
		// both http and https calls.
		Session.get().bind();

		IRequestTarget target = super.resolve(rc, rp);
		return checkSecure(target);
	}

The Session.get().bind() causes an HttpSession to be created even if the target page is stateless.  In our application all our pages are https and our login page is stateless.  Because the session is created anyway, we are now exposed to a DoS attack.

I don't really see why an HttpSession needs to be forced here.  If the page is stateful, then a session will be created anyway.  If the current page is stateless but the user had already navigated stateful pages, then a session will be present again.  Is there a scenario where it is important to force the session creation?   Can a mechanism be provided that will disable this behaviour?

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (WICKET-2629) HttpsRequestCycleProcessor causes HttpSession to be created

Posted by "Daniel Peters (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-2629?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12904182#action_12904182 ] 

Daniel Peters commented on WICKET-2629:
---------------------------------------

I also think that a Session should only be created in case of a protocol switch.
If no switch is necessary, the RequestCycleProcessor should do nothing...




[jira] Resolved: (WICKET-2629) HttpsRequestCycleProcessor causes HttpSession to be created

Posted by "Igor Vaynberg (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-2629?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Igor Vaynberg resolved WICKET-2629.
-----------------------------------

    Resolution: Won't Fix
      Assignee: Igor Vaynberg

Just because a session is bound does not mean that stateless pages are stored in it.

The default session object is tiny; it would be a pretty poor DoS attack to force an OOME on the server by starting tons of sessions, because it would take forever to fill up even 256MB of RAM with the default session object. We have a stateful app that is crawled by Google, hundreds of thousands of requests in a few hours, and it does not bring down our app.

The reason we do this is outlined in the HttpsRequestCycleProcessor. If you want to override this behavior, then override the HttpsRequestCycleProcessor#resolve method like so:

	public IRequestTarget resolve(RequestCycle rc, RequestParameters rp)
	{
		// we need to persist the session before a redirect to https so the session lasts across
		// both http and https calls.
		// Session.get().bind();

		IRequestTarget target = super.resolve(rc, rp);
		return checkSecure(target);
	}



[jira] Commented: (WICKET-2629) HttpsRequestCycleProcessor causes HttpSession to be created

Posted by "Damien Hollis (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-2629?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12793583#action_12793583 ] 

Damien Hollis commented on WICKET-2629:
---------------------------------------

Thanks for the suggestion, and I would do that if it were possible, but overriding resolve and calling super will simply call the HttpsRequestCycleProcessor.resolve(RequestCycle rc, RequestParameters rp) method and result in the behaviour I don't want.

I'm happy that the default behaviour creates a session for those that need this but it would be nice if the resolve method was refactored to allow easier overriding.  It would be even better if the session was not created until checkSecure(IRequestTarget target) determined that a switch from http -> https was actually required.


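A refactoring along the lines Damien asks for, written here as an added example and not code from the Wicket project: resolve the target first, let checkSecure decide whether a redirect to the other protocol is needed, and only then bind the session. It assumes the method replaces resolve inside HttpsRequestCycleProcessor itself (a subclass cannot skip the parent's bind, as the thread notes), that checkSecure hands back the same target instance when no switch is required, and that binding during resolve still happens before the redirect response is written, so the session id reaches the client with the redirect.

```java
import org.apache.wicket.IRequestTarget;
import org.apache.wicket.RequestCycle;
import org.apache.wicket.Session;
import org.apache.wicket.request.RequestParameters;

// Example replacement for HttpsRequestCycleProcessor.resolve (assumed to be
// edited in that class; not the project's own code). A request for a stateless
// page that already arrives on the right protocol no longer creates an
// HttpSession, which removes the cheap session-creation vector the issue
// describes while keeping the session across the http -> https redirect.
public IRequestTarget resolve(RequestCycle rc, RequestParameters rp)
{
	// Resolving a bookmarkable target does not bind the session; the
	// superclass (WebRequestCycleProcessor) is assumed to leave it temporary.
	IRequestTarget target = super.resolve(rc, rp);

	// checkSecure is assumed to return the identical instance when no
	// protocol switch is needed, and a redirect target otherwise.
	IRequestTarget secured = checkSecure(target);

	if (secured != target && Session.get().isTemporary())
	{
		// Only now do we know a cross-protocol redirect follows, so persist
		// the session so it survives the http -> https hop. Already-bound
		// sessions (user visited stateful pages earlier) need nothing.
		Session.get().bind();
	}

	// No switch needed: the processor does nothing session-related, which is
	// the behaviour Daniel and Damien asked for above.
	return secured;
}
```

With this ordering the only requests that gain an HttpSession are those that were going to be redirected anyway, so a crawler hitting the stateless login page over https no longer fills the session store.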