Yeah, just don't use <@USERREFERENCEARGUMENT> anywhere; assign it to a user var and check for validity, if you need to, using that.
R

On Thursday, September 12, 2002, at 11:37 AM, Anthony M. Humphreys wrote:

> If you are using Tango's/Witango's <@USERREFERENCE> exclusively to
> track sessions and user variables, and you are passing this in the URL
> with <@USERREFERENCEARGUMENT>, then you are allowing session hijacking.
>
> One way to limit this is to also include the client's IP as part of
> the userKey, but then those people behind a NAT could still end up
> sharing a session.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Weidl
> Sent: Thursday, September 12, 2002 11:11 AM
> To: Multiple recipients of list witango-talk
> Subject: Witango-Talk: Preventing Session hijacking
>
> Hi,
>
> Has anyone got any solutions for preventing session hijacking in Tango?
>
> To handle the possibility of a user having cookies turned off, we've made
> sure <@USERREFERENCEARGUMENT> is added to every URL. That solution has
> worked well, until recently.
>
> One of our customers copied a URL from the site and emailed it to a number
> of other people. Now, they are all sharing the same session and user
> variables.
>
> We've always known this could happen, but only with a recent increase in
> traffic on the site have two users come in during the same timeframe (and
> thus stomped on each other's variables).
>
> We've got a couple of ideas about how to address the problem, but I'm
> wondering what other approaches others have taken.
>
> Thanks,
>
> Eric
>
> ________________________________________________________________________
> TO UNSUBSCRIBE: send a plain text/US ASCII email to
> [EMAIL PROTECTED]
> with unsubscribe witango-talk in the message body

Robert S. Sfeir
Senior Java Engineer
PGP Key available at: pgpkeys.mit.edu
KeyID: 128C88C7
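The approach discussed above, in runnable form. This is an added example, not Tango/Witango code and not from anyone in the thread: the key that rides in the URL is honoured only when the request comes from the IP it was issued to, which is Anthony's suggestion, and the lookup itself is the server-side "read the key into a variable and validate it" step Robert recommends. Everything here is invented for illustration: the SessionStore and Session names, the `sid` query parameter standing in for <@USERREFERENCEARGUMENT>, and the constructed client addresses. The NAT limitation is deliberately reproduced so it can be seen rather than assumed away.

```python
"""Added example: a URL-carried session key that is only honoured from the IP
it was issued to, with the NAT limitation raised in the thread made visible.
Not Tango/Witango code; SessionStore, resolve and the "sid" query parameter
are invented for illustration.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse


@dataclass
class Session:
    key: str
    client_ip: str            # address the key was issued to
    vars: dict = field(default_factory=dict)


class SessionStore:
    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def create(self, client_ip: str) -> Session:
        # 128 bits of randomness: the key cannot be guessed, only copied.
        s = Session(key=secrets.token_urlsafe(16), client_ip=client_ip)
        self._sessions[s.key] = s
        return s

    def resolve(self, url_key: str | None, client_ip: str) -> tuple[Session, bool]:
        """Return (session, hijack_blocked).

        The key from the URL is trusted only when the request comes from the
        IP it was issued to. Any other client gets a fresh, empty session and
        the original one is left untouched.
        """
        s = self._sessions.get(url_key or "")
        if s is None:
            return self.create(client_ip), False
        if s.client_ip != client_ip:
            return self.create(client_ip), True
        return s, False


def key_from_url(url: str) -> str | None:
    """Pull the session key out of the query string (assumed parameter "sid")."""
    return parse_qs(urlparse(url).query).get("sid", [None])[0]


def demo() -> dict:
    """Replay the scenario from the thread on constructed addresses."""
    store = SessionStore()

    # The customer starts a session; the key rides in every URL they see.
    victim, _ = store.resolve(None, "203.0.113.10")
    victim.vars["cart"] = ["widget"]
    emailed_url = f"http://example.test/shop.taf?sid={victim.key}"
    key = key_from_url(emailed_url)

    # Someone who received the e-mail, at an unrelated address.
    other, other_blocked = store.resolve(key, "198.51.100.7")

    # A coworker of the customer behind the same NAT: same source IP,
    # so the check cannot tell them apart and the session is shared.
    nat_peer, nat_blocked = store.resolve(key, "203.0.113.10")

    return {
        "other_blocked": other_blocked,
        "other_shares_victim": other is victim,
        "nat_blocked": nat_blocked,
        "nat_peer_shares_victim": nat_peer is victim,
        "victim_cart_intact": victim.vars["cart"] == ["widget"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The recipient at an unrelated address is started on a fresh session instead of landing in the customer's, and the customer's variables are not touched; the coworker behind the same NAT still lands in the shared session, which is exactly the gap Anthony points out. Binding to the IP is a limit, not a fix: anything that only travels in the URL can be forwarded with it, so a second factor that does not appear in the URL is what actually closes the hole.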
