Eric,

You could test for that particular userReference, and refresh the page with a different one if you get it.

As a more generic solution you could check if the referer is empty (or other than your site), then repost the page with a new userreference.

Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Weidl
Sent: Thursday, September 12, 2002 12:06 PM
To: Multiple recipients of list witango-talk
Subject: Re: Witango-Talk: Preventing Session hijacking

Hi,

>Are they accessing the site and then immediately emailing others the
>link?

No, a marketing person copied a URL from a page on the site and emailed it to 10,000+ customers.

>I would think if you tried to use a link where the user reference
>was more than X minutes old, that particular user reference would have
>expired.

Hard to believe, but there has been enough consistent traffic that the session hasn't expired for 3+ weeks. Enough different users are accessing the site throughout the day to keep the session active. BTW, the session timeout is set to 30 minutes.

>In other words, you shouldn't be able to use that link
>indefinitely.

How do you know if a particular user reference is valid? We accept any user reference.

> IMHO, if they don't have session cookies turned on, they aren't living
>in this decade.

That's my feeling too, but not our customers. :-(

>Passing user references like this is a maintenance nightmare.

Not really. We've been careful to add them to all URLs as we go, so it hasn't been a problem.

Eric

________________________________________________________________________
TO UNSUBSCRIBE: send a plain text/US ASCII email to [EMAIL PROTECTED]
with unsubscribe witango-talk in the message body
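The two checks suggested in the reply above (block the one leaked user reference, and reissue whenever the referer is empty or off-site), combined with accepting only references the server itself issued, as an added Python sketch. It is not code from the thread and not Witango; `SITE_HOST`, the two sets and all function names are assumptions made for illustration.

```python
import secrets
from urllib.parse import urlsplit

SITE_HOST = "shop.example.com"  # assumption: the site's own host name
ISSUED_REFS = set()             # references this server has handed out
BLOCKED_REFS = set()            # references known to have leaked (the mailed link)


def new_user_reference():
    """Issue an unguessable reference and record it as server-issued."""
    ref = secrets.token_hex(16)
    ISSUED_REFS.add(ref)
    return ref


def referer_is_internal(referer):
    """True only when the Referer header names a page on our own host."""
    if not referer:
        return False
    return urlsplit(referer).hostname == SITE_HOST


def resolve_user_reference(url_ref, referer):
    """Return (reference_to_use, reissued) for one incoming request.

    The reference from the URL is kept only if the server issued it, it is
    not blocked, and the request came from one of our own pages. Otherwise
    the caller redirects the visitor to the same page with the fresh value.
    """
    if (url_ref in ISSUED_REFS
            and url_ref not in BLOCKED_REFS
            and referer_is_internal(referer)):
        return url_ref, False
    return new_user_reference(), True


if __name__ == "__main__":
    # Constructed sample requests: normal navigation, then the mailed link.
    ref = new_user_reference()
    print(resolve_user_reference(ref, "http://shop.example.com/catalog"))
    print(resolve_user_reference(ref, None))  # clicked from an email client
```

The Referer header is supplied by the client and is often stripped, so this separates a shared or bookmarked link from in-site navigation; it does not stop someone who deliberately replays a captured reference together with a forged Referer.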
