Eric:

Assuming that you don't have time to rebuild the entire site, there are a couple of things you can do *today* to correct for this. Depending on how you architected the site, you can avoid the issue with one very small change: make your normal point of entry into your site into a tiny frameset of two frames, where the top frame is one pixel high and the main frame is what your home page currently is. That one-pixel frame disappears into the top of the browser bar and people don't even know they have been "framed."

Except... that the URL never changes. This prevents people from bookmarking a URL with the UserRef. If it is a site that requires a logon, all they are bookmarking is the URL where a user should log on. This change might not be ideal under all circumstances, such as if you have links that open daughter windows, etc., but it might just get you through your day.

Now if one of your users has sent the link which you described (c/w user reference argument) far and wide, and you are now wondering how to deal with it, you might have to write a small snippet to intercept any HTTP call that comes in with that specific user reference number, because that user reference number has been "ruined," so to speak. First, purge that user of any variables, as several people might have that number, and if one person logs on, thus creating user variables, and another comes in while those variables are live, they will inherit them or share them, giving unpredictable results. Secondly, send people who arrive on your site with that user reference number to the logon page. If you were really nice, you'd explain why they were being redirected to logon.

Just ideas....

Ian

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Weidl
Sent: Thursday, September 12, 2002 8:11 AM
To: Multiple recipients of list witango-talk
Subject: Witango-Talk: Preventing Session hijacking

Hi,

Has anyone got any solutions for preventing session hijacking in Tango?

To handle the possibility of a user having cookies turned off, we've made sure <@USERREFERENCEARGUMENT> is added to every URL. That solution has worked well, until recently. One of our customers copied a URL from the site and emailed it to a number of other people. Now, they are all sharing the same session and user variables. We've always known this could happen but, only with a recent increase in traffic on the site have two users come in during the same timeframe (and thus stomped on each other's variables).

We've got a couple of ideas about how to address the problem, but I'm wondering what other approaches others have taken.

Thanks,
Eric

________________________________________________________________________
TO UNSUBSCRIBE: send a plain text/US ASCII email to [EMAIL PROTECTED] with unsubscribe witango-talk in the message body
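Ian's "intercept, purge, redirect" handling of a ruined user reference, written out as an added Python example (not Witango code, and not part of either message). It goes one step beyond the thread: besides a hand-maintained list of references known to be shared, it treats a reference that shows up from a second client as leaked on its own. The `fingerprint` argument (something like IP plus User-Agent) and the `reason` query parameter are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass, field

LOGIN_URL = "/logon"


@dataclass
class Session:
    owner: str                       # fingerprint of the client that logged on
    variables: dict = field(default_factory=dict)


class SessionGuard:
    """Tracks URL-carried user references and quarantines ones that leak."""

    def __init__(self):
        self.sessions = {}           # user reference -> Session
        self.ruined = set()          # references known to have been shared

    def logon(self, fingerprint):
        """Issue a fresh, unguessable reference bound to this client."""
        ref = secrets.token_urlsafe(16)
        self.sessions[ref] = Session(owner=fingerprint,
                                     variables={"logged_in": True})
        return ref

    def mark_ruined(self, ref):
        """Ian's two steps: purge the variables, then bounce holders to logon."""
        self.sessions.pop(ref, None)
        self.ruined.add(ref)

    def handle(self, ref, fingerprint, path):
        """Dispatch one request. Returns (status, location, session variables)."""
        if ref in self.ruined:
            # Everyone arriving with the leaked reference is sent to logon,
            # with a reason so the logon page can explain the redirect.
            return 302, f"{LOGIN_URL}?reason=shared_reference", {}
        sess = self.sessions.get(ref)
        if sess is None:
            return 302, LOGIN_URL, {}
        if sess.owner != fingerprint:
            # Same reference presented by a second client (e.g. the emailed
            # link): treat it as leaked rather than let two users share one
            # set of variables. Fingerprints built from IP and User-Agent are
            # coarse (NAT, shared browsers), so this is a heuristic, not proof.
            self.mark_ruined(ref)
            return 302, f"{LOGIN_URL}?reason=shared_reference", {}
        return 200, path, sess.variables
```

A real deployment would persist `sessions` and `ruined` in the application's session store rather than in process memory.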
