Hi,
We have been investigating the possibility of replacing the JSESSIONID of the Web Client session after login.
The rationale for this is to mitigate a session fixation attack.
http://www.owasp.org/index.php/Session_Fixation
It seems that there is a nice Wicket function that should do just that called "replaceSession()".
We have tried to use this in Servoy (8.1.2) by calling:
Packages.org.apache.wicket.Session.get().replaceSession();
This does change the JSESSIONID but also then takes us to the solution browsing page.
Is there a way to change the JSESSIONID after login and if so, how can this be achieved?
Cheers,
Mark
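
Added example, not part of the original post and not Servoy or Wicket code: a small check that confirms from recorded request/response headers whether the JSESSIONID sent with the login request is still in effect afterwards. The paths `/login` and `/home`, the session ID values and the record layout are constructed assumptions.

```python
from http.cookies import SimpleCookie

COOKIE = "JSESSIONID"

def session_id(header_value):
    """Extract the JSESSIONID value from a Cookie or Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header_value or "")
    return jar[COOKIE].value if COOKIE in jar else None

def check_rotation(exchanges, login=("POST", "/login")):
    """Walk ordered request/response pairs and compare the session ID sent
    with the login request against the ID in effect after the last exchange."""
    current = pre = None
    seen_login = False
    for ex in exchanges:
        # ID the client presented on this request, if any
        current = session_id(ex.get("cookie")) or current
        if not seen_login and (ex["method"], ex["path"]) == login:
            seen_login, pre = True, current
        # ID the server issued in this response, if any
        current = session_id(ex.get("set_cookie")) or current
    # No pre-login ID means rotation could not be demonstrated, so report False
    rotated = seen_login and pre is not None and current != pre
    return {"pre_login": pre,
            "post_login": current if seen_login else None,
            "rotated": rotated}

# Constructed capture: the server issues a fresh ID in the login response.
ROTATED = [
    {"method": "GET", "path": "/login", "cookie": None,
     "set_cookie": "JSESSIONID=PRE111; Path=/; HttpOnly"},
    {"method": "POST", "path": "/login", "cookie": "JSESSIONID=PRE111",
     "set_cookie": "JSESSIONID=POST222; Path=/; HttpOnly"},
    {"method": "GET", "path": "/home", "cookie": "JSESSIONID=POST222",
     "set_cookie": None},
]

# Constructed capture: the pre-login ID survives authentication.
FIXATED = [
    {"method": "GET", "path": "/login", "cookie": None,
     "set_cookie": "JSESSIONID=PRE111; Path=/; HttpOnly"},
    {"method": "POST", "path": "/login", "cookie": "JSESSIONID=PRE111",
     "set_cookie": None},
    {"method": "GET", "path": "/home", "cookie": "JSESSIONID=PRE111",
     "set_cookie": None},
]

if __name__ == "__main__":
    print(check_rotation(ROTATED))
    print(check_rotation(FIXATED))
```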