Posted to users@wicket.apache.org by Claudia Hirt <cl...@gmx.de> on 2021/07/20 18:19:19 UTC

Password in url after page recreation

> Hi all, 
> 
> we are currently facing some issues with the recreateBookmarkablePagesAfterExpiry option. 
> We set this option to true, the user visits the login page and enters username and password ("<input type='password'></input>"). Now the user waits for the login till the session expires. Wicket forces a page recreate and appends the password into the url (e.g. http://localhost:8080/app?user:unit:textfield=user&password:password="password").
> This seems to be a security issue on our side. Unfortunately we can't disable the recreateBookmarkablePagesAfterExpiry option due to some resource loading issues. 
> 
> We already thought about what we can do to solve this issue, and it seems to be possible to remove this parameter from the page parameters (which are called for the rewrite url after a page expires). 
> But before we implement this workaround we want to ask you guys if you already have seen this issue and if yes, if you have any better solutions? 
> 
> Thanks for your help... 

Re: Password in url after page recreation

Posted by Bas Gooren <ba...@iswd.nl>.
Hi Claudia,

I have never seen this in our applications - we always use a form POST to
submit user login details.
The only reason I can think of that would lead to your case is when you set
the form to submit using a GET request. That would put the fields in the
URL and thus in wicket’s page parameters, which are reused
when recreateBookmarkablePagesAfterExpiry is true and the page expired.

Did you by any chance specify a method="GET" attribute on your form?

Kind regards,

Bas Gooren

On 20 July 2021 at 21:46:07, Claudia Hirt (claudiabeck87@gmx.de) wrote:

> Hi all,
>
> we are currently facing some issues with the
> recreateBookmarkablePagesAfterExpiry option.
> We set this option to true, the user visits the login page and enters
> username and password ("<input type='password'></input>"). Now the user
> waits for the login till the session expires. Wicket forces a page recreate
> and appends the password into the url (e.g.
> http://localhost:8080/app?user:unit:textfield=user&password:password="password").
> This seems to be a security issue on our side. Unfortunately we can't
> disable the recreateBookmarkablePagesAfterExpiry option due to some resource
> loading issues.
>
> We already thought about what we can do to solve this issue, and it seems
> to be possible to remove this parameter from the page parameters (which are
> called for the rewrite url after a page expires).
> But before we implement this workaround we want to ask you guys if you
> already have seen this issue and if yes, if you have any better solutions?
>
> Thanks for your help...
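
Added example, not part of the thread or of Wicket: a Python check that scans access-log request lines for Wicket-style query parameters whose component path names a secret field, such as the `password:password` parameter in the URL reported above, and masks the value. The `SENSITIVE_IDS` list, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit

# Assumption: component ids that hold secrets; extend with the ids your forms use.
SENSITIVE_IDS = {"password", "passwd", "pwd", "secret", "token"}
# Request line of a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def is_sensitive(param_name):
    """Wicket names form parameters by component path (e.g. 'password:password'),
    so check every colon-separated segment, case-insensitively."""
    return any(seg.lower() in SENSITIVE_IDS for seg in param_name.split(":"))

def redact_url(url):
    """Return (url with secret values masked, names of the parameters masked)."""
    parts = urlsplit(url)
    hits, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if is_sensitive(name):
            hits.append(name)
            value = "REDACTED"
        pairs.append(f"{quote(name, safe=':')}={quote(value, safe='')}")
    return urlunsplit(parts._replace(query="&".join(pairs))), hits

def scan_access_log(lines):
    """Return (line number, method, parameter names, redacted target) per hit."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        redacted, hits = redact_url(match["target"])
        if hits:
            findings.append((number, match["method"], hits, redacted))
    return findings

# Constructed sample entries (not from the thread); entry 2 mirrors the reported URL.
SAMPLE_LOG = [
    '127.0.0.1 - - [20/Jul/2021:18:10:01 +0000] "GET /app HTTP/1.1" 200 5120',
    '127.0.0.1 - - [20/Jul/2021:18:45:12 +0000] '
    '"GET /app?user:unit:textfield=user&password:password=%22password%22 HTTP/1.1" 200 5342',
    '127.0.0.1 - - [20/Jul/2021:18:45:13 +0000] "POST /app HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

A hit on a GET request means the secret has already been written to the server log, so the affected credentials should be treated as exposed and the stored log entries cleaned up as well.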