Details
- Improvement
- Status: Open
- Major
- Resolution: Unresolved
- 8.12.0
- None
- None
Description
After logging in to the Wicket Session it is recommended to call changeSessionId() to prevent session fixation. Unfortunately I can't use the WicketTester with the MockHttpServletRequest to test this behavior. After login all my session attributes are gone due to the call of Session#invalidate(), which removes all attributes.
See MockHttpServletRequest#changeSessionId() and MockHttpSession#invalidate().
Actually, changing the Session Id is part of the HttpServletContainer implementation, but is there a way to simulate this within the Wicket framework?
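
Added example, not part of the original report and not Wicket's code: a self-contained sketch of the two behaviours the report contrasts, using a hypothetical FakeSession class in place of a real mock session. It shows the two properties a login test would assert after rotating the id (the identifier changes, the attributes survive) next to the invalidate-style behaviour that loses them.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Hypothetical stand-in for a mock HTTP session; this is not Wicket's MockHttpSession.
public class SessionIdRotationDemo {

    static final class FakeSession {
        private String id = UUID.randomUUID().toString();
        private final Map<String, Object> attributes = new HashMap<>();

        String getId() { return id; }
        void setAttribute(String name, Object value) { attributes.put(name, value); }
        Object getAttribute(String name) { return attributes.get(name); }

        // Behaviour described in the report: a new id, but every attribute is lost.
        void invalidateAndRenew() {
            attributes.clear();
            id = UUID.randomUUID().toString();
        }

        // Servlet 3.1 HttpServletRequest#changeSessionId() semantics:
        // only the identifier changes, the attributes stay bound.
        String changeSessionId() {
            id = UUID.randomUUID().toString();
            return id;
        }
    }

    public static void main(String[] args) {
        FakeSession s = new FakeSession();
        String preLoginId = s.getId();
        s.setAttribute("user", "alice"); // constructed sample value

        s.changeSessionId();
        // A pre-login id fixed by someone else must no longer identify the session.
        check(!preLoginId.equals(s.getId()), "id must change after login");
        check("alice".equals(s.getAttribute("user")), "attributes must survive rotation");

        String rotatedId = s.getId();
        s.invalidateAndRenew();
        check(!rotatedId.equals(s.getId()), "id also changes on invalidate");
        check(s.getAttribute("user") == null, "attributes are gone after invalidate");
        System.out.println("all checks passed");
    }

    static void check(boolean ok, String message) {
        if (!ok) throw new IllegalStateException(message);
    }
}
```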