Posted to users@wicket.apache.org by Thomas Rohde <tr...@ordix.de> on 2012/04/04 09:27:32 UTC

Wicket session id not up to date due to Tomcat session fixation protection

Hi!

We are using Wicket 1.4.20 and Tomcat 7.0.21.

After form-based authentication (configured in web.xml) we call wicketSession.replaceSession() in the constructor of our base page and send a redirect to our welcome page. Due to Tomcat's session fixation protection the session id changes for some times. After rendering the welcome page, the session id stored in Wicket's session store is not equal to the JSESSIONID.

Are we doing anything wrong? Any idea?

Regards,
Thomas

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org


Re: Wicket session id not up to date due to Tomcat session fixation protection

Posted by Martin Grigorov <mg...@apache.org>.
Hi Thomas,

Wicket doesn't store anything in its session store.
It always uses the currently active http session to get the id.
See org.apache.wicket.protocol.http.AbstractHttpSessionStore#getSessionId(Request, boolean)

On Wed, Apr 4, 2012 at 9:27 AM, Thomas Rohde <tr...@ordix.de> wrote:
> Hi!
>
> We are using Wicket 1.4.20 and Tomcat 7.0.21.
>
> After form-based authentication (configured in web.xml) we call wicketSession.replaceSession() in the constructor of our base page and send a redirect to our welcome page. Due to Tomcat's session fixation protection the session id changes for some times. After rendering the welcome page, the session id stored in Wicket's session store is not equal to the JSESSIONID.
>
> Are we doing anything wrong? Any idea?
>
> Regards,
> Thomas



-- 
Martin Grigorov
jWeekend
Training, Consulting, Development
http://jWeekend.com
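
Added example, not part of either message above and not Wicket or Tomcat code: a diagnostic servlet filter that logs, per request, whether the session id the client sent matches the container's active session and whether the id changed while the request was processed. The class name SessionIdTraceFilter is hypothetical; it assumes the javax.servlet API shipped with Tomcat 7 and a filter mapping added to web.xml.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical diagnostic filter: logs every point where the session id rotates. */
public class SessionIdTraceFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(SessionIdTraceFilter.class.getName());

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest)) {
            chain.doFilter(req, res);
            return;
        }
        HttpServletRequest http = (HttpServletRequest) req;
        String presented = http.getRequestedSessionId(); // id the client sent (JSESSIONID)
        String before = currentId(http);
        // The client's id is not the id of the session the container is using.
        if (presented != null && !presented.equals(before)) {
            LOG.warning(http.getRequestURI() + ": client sent " + mask(presented)
                    + " but active session is " + mask(before));
        }
        try {
            chain.doFilter(req, res);
        } finally {
            String after = currentId(http);
            // The id rotated during this request, e.g. invalidate plus a new session.
            if (before == null ? after != null : !before.equals(after)) {
                LOG.info(http.getRequestURI() + ": session id changed "
                        + mask(before) + " -> " + mask(after));
            }
        }
    }

    private static String currentId(HttpServletRequest http) {
        HttpSession s = http.getSession(false); // never create a session just to log
        return s == null ? null : s.getId();
    }

    /** Log only a short prefix so the log never holds a usable session id. */
    private static String mask(String id) {
        return id == null ? "<none>" : id.substring(0, Math.min(6, id.length())) + "...";
    }
}
```

Mapping the filter to /* and replaying the login, redirect and welcome-page requests shows on which request the id changes, which can then be compared with the id the application reports.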