That's a good point, but correct me if I am wrong, that is not enough. You must
also disable witango from parsing the URL looking for the userreference, or
the session can still be hijacked. I think that is in system configuration.
--
Robert Garcia
President - BigHead Technology
VP Application Devel
A long-term and easily addressed security issue with tango/witango is the use
of the _userreference argument in the URL. The builders default to using this.
Likely, back in the early pre-pleistocene days of tango, it was practical to
pass this argument in the URL because of cookies being blocked or