If you are using Tango's/Witango's <@USERREFERENCE> exclusively to track sessions and user variables, and you are passing this in the URL with <@USERREFERENCEARGUMENT>, then you are allowing session hijacking.

One way to limit this is to also include the client's IP as part of the userKey, but then those people behind a NAT could still end up sharing a session.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Weidl
Sent: Thursday, September 12, 2002 11:11 AM
To: Multiple recipients of list witango-talk
Subject: Witango-Talk: Preventing Session hijacking

Hi,

Has anyone got any solutions for preventing session hijacking in Tango?

To handle the possibility of a user having cookies turned off, we've made sure <@USERREFERENCEARGUMENT> is added to every URL. That solution has worked well, until recently. One of our customers copied a URL from the site and emailed it to a number of other people. Now, they are all sharing the same session and user variables.

We've always known this could happen but, only with a recent increase in traffic on the site have two users come in during the same timeframe (and thus stomped on each other's variables).

We've got a couple of ideas about how to address the problem, but I'm wondering what other approaches others have taken.

Thanks,
Eric

________________________________________________________________________
TO UNSUBSCRIBE: send a plain text/US ASCII email to [EMAIL PROTECTED] with unsubscribe witango-talk in the message body
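The IP-binding idea from the reply above, worked through as an added example that is not part of either message and is not Witango code. It stands in for a URL-carried user reference with a hypothetical `_userKey` query argument (Witango's own argument name and <@USERREFERENCE> format are not reproduced here), binds the session id to the client IP with a keyed HMAC so a copied URL fails from any other address, and makes the NAT caveat visible: two clients behind the same public IP still validate as one session. The secret, parameter name, URLs and IP addresses are all constructed for the example.

```python
import hmac
import hashlib
import secrets
from typing import Optional
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed server-side secret for the example; a real deployment would
# load a random secret from configuration, never hard-code one.
SERVER_SECRET = b"example-only-secret-do-not-use"

# Hypothetical query argument name standing in for the URL-carried user reference.
USER_KEY_ARG = "_userKey"


def new_session_id() -> str:
    """Unguessable session identifier (128 bits from the OS CSPRNG)."""
    return secrets.token_urlsafe(16)


def make_user_key(session_id: str, client_ip: str) -> str:
    """Bind the session id to the requesting client's IP.

    The tag is an HMAC over (session_id, client_ip) under the server secret,
    so a recipient of a copied URL cannot recompute it for their own address.
    """
    msg = f"{session_id}|{client_ip}".encode()
    tag = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:32]
    return f"{session_id}.{tag}"


def build_url(base_url: str, user_key: str) -> str:
    """Append the bound user key to every URL, mirroring the cookie-less approach."""
    sep = "&" if "?" in base_url else "?"
    return base_url + sep + urlencode({USER_KEY_ARG: user_key})


def validate_request(url: str, client_ip: str) -> Optional[str]:
    """Return the session id if the URL's key was issued to this client IP, else None."""
    query = parse_qs(urlparse(url).query)
    key = query.get(USER_KEY_ARG, [None])[0]
    if not key or "." not in key:
        return None
    session_id, _tag = key.rsplit(".", 1)
    expected = make_user_key(session_id, client_ip)
    # Constant-time comparison avoids leaking how many tag bytes matched.
    if hmac.compare_digest(expected, key):
        return session_id
    return None


if __name__ == "__main__":
    sid = new_session_id()
    url = build_url("https://example.test/app.taf?_function=list",
                    make_user_key(sid, "203.0.113.5"))
    print("owner:      ", validate_request(url, "203.0.113.5"))   # session id
    print("emailed to: ", validate_request(url, "198.51.100.7"))  # None
    print("NAT peer:   ", validate_request(url, "203.0.113.5"))   # same id (caveat)
```

The last line of the demo is the reply's caveat in code: a second person behind the same NAT presents the same source address, so the binding cannot tell them apart, and the session is still shared. Binding also breaks legitimate users whose address changes mid-session (mobile clients, some proxies), which is why it is a limit on hijacking rather than a fix.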
