Posted to users@wicket.apache.org by Thorsten Schöning <ts...@am-soft.de> on 2014/11/24 09:55:30 UTC

Why doesn't Wicket seem to call Session.replaceSession automatically?

Hi all,

during implementing the login in my current project I came across
WICKET-1767[1] which deals with session fixation problems, but to my
surprise it looks like the newly created method is not called
automatically by Wicket. If I search the code base for
"replaceSession(" I only get one result, the method itself.

Is there any reason why Wicket doesn't call the method automatically?
Looks to me like AuthenticatedWebSession.signIn would be a good place
to call it automatically. When should I call it instead, at the
beginning of AuthenticatedWebSession.authenticate? This would prevent
session fixation even if an exception gets thrown during the authentication
itself for any reason.

[1]: https://issues.apache.org/jira/browse/WICKET-1767

Kind regards,

Thorsten Schöning

-- 
Thorsten Schöning       E-Mail: Thorsten.Schoening@AM-SoFT.de
AM-SoFT IT-Systeme      http://www.AM-SoFT.de/

Telephone.........05151-  9468- 55
Fax...............05151-  9468- 88
Mobile.............0178-8 9468- 04

AM-SoFT GmbH IT-Systeme, Brandenburger Str. 7c, 31789 Hameln
AG Hannover HRB 207 694 - Managing Director: Andreas Muchow


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org
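An added example, not code from this thread or from the Wicket project, of what the approach proposed above looks like in an AuthenticatedWebSession subclass: replaceSession() is called as the first statement of authenticate(), before the credential check, so the session id the browser presented before login is invalidated whether the check succeeds, fails or throws. It assumes the Wicket 6 auth-roles API; the class name FixationSafeSession, the in-memory DEMO_USERS credential store and the sample user are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.request.Request;

// Added example, not code from the Wicket project: an AuthenticatedWebSession
// subclass that rotates the HTTP session id at the start of authenticate(),
// so the id the browser presented before login (the one an attacker could
// have planted) never ends up carrying the authenticated state.
public class FixationSafeSession extends AuthenticatedWebSession {

    // Constructed sample credentials for the example only; a real user store
    // would hold salted password hashes, not plaintext.
    private static final Map<String, String> DEMO_USERS = new HashMap<String, String>();
    static {
        DEMO_USERS.put("alice", "correct horse battery staple");
    }

    private String username;

    public FixationSafeSession(Request request) {
        super(request);
    }

    @Override
    protected boolean authenticate(String username, String password) {
        // Session.replaceSession() (WICKET-1767) invalidates the current HTTP
        // session and binds this Wicket session to a fresh one. Doing it first
        // means a failed or throwing credential check still leaves the
        // pre-login id dead.
        replaceSession();

        String expected = DEMO_USERS.get(username);
        if (expected == null || password == null) {
            return false;
        }
        // Constant-time comparison so response timing does not leak how many
        // leading characters of the password matched.
        boolean ok = MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8),
            password.getBytes(StandardCharsets.UTF_8));
        if (ok) {
            this.username = username;
        }
        return ok;
    }

    @Override
    public Roles getRoles() {
        // Only a signed-in session carries the USER role.
        return isSignedIn() ? new Roles(Roles.USER) : new Roles();
    }

    public String getUsername() {
        return username;
    }
}
```

The class is wired in by returning FixationSafeSession.class from getWebSessionClass() in the application's AuthenticatedWebApplication subclass. Rotating the id even on a failed attempt costs nothing and is what makes the exception case safe: signIn() delegates to authenticate(), so any state the caller sets after a successful return is already attached to the new session.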


Re: Why doesn't Wicket seem to call Session.replaceSession automatically?

Posted by Thorsten Schöning <ts...@am-soft.de>.
Hello Martin Grigorov,
on Monday, 24 November 2014 at 20:44 you wrote:

> https://issues.apache.org/jira/browse/WICKET-5775

Thanks a lot, I didn't have the time yet to create it on my own.

Kind regards,

Thorsten Schöning

-- 
Thorsten Schöning       E-Mail: Thorsten.Schoening@AM-SoFT.de
AM-SoFT IT-Systeme      http://www.AM-SoFT.de/

Telephone.........05151-  9468- 55
Fax...............05151-  9468- 88
Mobile.............0178-8 9468- 04

AM-SoFT GmbH IT-Systeme, Brandenburger Str. 7c, 31789 Hameln
AG Hannover HRB 207 694 - Managing Director: Andreas Muchow




Re: Why doesn't Wicket seem to call Session.replaceSession automatically?

Posted by Martin Grigorov <mg...@apache.org>.
https://issues.apache.org/jira/browse/WICKET-5775

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Mon, Nov 24, 2014 at 11:36 AM, Martin Grigorov <mg...@apache.org>
wrote:

> Hi,
>
> wicket-auth-roles module was designed and advertised as an example rather
> than an extension for security best practices.
> But I agree with you that we could add that feature there.
> Please create a ticket at JIRA. Preferably with a patch or pull request at
> GitHub.
> Thank you!
>
> Martin Grigorov
> Wicket Training and Consulting
> https://twitter.com/mtgrigorov
>
> On Mon, Nov 24, 2014 at 10:55 AM, Thorsten Schöning <tschoening@am-soft.de
> > wrote:
>
>> Hi all,
>>
>> during implementing the login in my current project I came across
>> WICKET-1767[1] which deals with session fixation problems, but to my
>> surprise it looks like the newly created method is not called
>> automatically by Wicket. If I search the code base for
>> "replaceSession(" I only get one result, the method itself.
>>
>> Is there any reason why Wicket doesn't call the method automatically?
>> Looks to me like AuthenticatedWebSession.signIn would be a good place
>> to call it automatically. When should I call it instead, at the
>> beginning of AuthenticatedWebSession.authenticate? This would prevent
>> session fixation even if an exception gets thrown during the authentication
>> itself for any reason.
>>
>> [1]: https://issues.apache.org/jira/browse/WICKET-1767
>>
>> Kind regards,
>>
>> Thorsten Schöning
>>
>

Re: Why doesn't Wicket seem to call Session.replaceSession automatically?

Posted by Martin Grigorov <mg...@apache.org>.
Hi,

wicket-auth-roles module was designed and advertised as an example rather
than an extension for security best practices.
But I agree with you that we could add that feature there.
Please create a ticket at JIRA. Preferably with a patch or pull request at
GitHub.
Thank you!

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Mon, Nov 24, 2014 at 10:55 AM, Thorsten Schöning <ts...@am-soft.de>
wrote:

> Hi all,
>
> during implementing the login in my current project I came across
> WICKET-1767[1] which deals with session fixation problems, but to my
> surprise it looks like the newly created method is not called
> automatically by Wicket. If I search the code base for
> "replaceSession(" I only get one result, the method itself.
>
> Is there any reason why Wicket doesn't call the method automatically?
> Looks to me like AuthenticatedWebSession.signIn would be a good place
> to call it automatically. When should I call it instead, at the
> beginning of AuthenticatedWebSession.authenticate? This would prevent
> session fixation even if an exception gets thrown during the authentication
> itself for any reason.
>
> [1]: https://issues.apache.org/jira/browse/WICKET-1767
>
> Kind regards,
>
> Thorsten Schöning
>