Anthony's reply is a lot more helpful than mine. You can stop a lot of the problem by changing the userkey, and it's easy. Stop Tango server, edit t4server.ini and change:

USERKEY=<@USERREFERENCE>

to

USERKEY=<@CGIPARAM CLIENT_IP><@USERREFERENCE>

Then start Tango server. There's an option for this in config.taf, too.

On Thu, 12 Sep 2002, Anthony M. Humphreys wrote:

> If you are using Tango's/Witango's <@USERREFERENCE> exclusively to track sessions
> and user variables, and you are passing this in the URL with <@USERREFERENCEARGUMENT>
> then you are allowing session hijacking.
>
> One way to limit this is to also include the client's IP as part of the userKey, but
> then those people behind a NAT could still end up sharing a session.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Weidl
> Sent: Thursday, September 12, 2002 11:11 AM
> To: Multiple recipients of list witango-talk
> Subject: Witango-Talk: Preventing Session hijacking
>
> Hi,
>
> Has anyone got any solutions for preventing session hijacking in Tango?
>
> To handle the possibility of a user having cookies turned off, we've made
> sure <@USERREFERENCEARGUMENT> is added to every URL. That solution has
> worked well, until recently.
>
> One of our customers copied a URL from the site and emailed it to a number
> of other people. Now, they are all sharing the same session and user
> variables.
>
> We've always known this could happen but, only with a recent increase in
> traffic on the site have two users come in during the same timeframe (and
> thus stomped on each other's variables).
>
> We've got a couple of ideas about how to address the problem, but I'm
> wondering what other approaches others have taken.
>
> Thanks,
>
> Eric
>
> ________________________________________________________________________
> TO UNSUBSCRIBE: send a plain text/US ASCII email to [EMAIL PROTECTED]
> with unsubscribe witango-talk in the message body
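The session-key change discussed in this thread, modelled as an added example that is not part of the original messages and is not Witango code: an in-memory session store where the key is either the bare reference (USERKEY=<@USERREFERENCE>) or the client IP prefixed to the reference (USERKEY=<@CGIPARAM CLIENT_IP><@USERREFERENCE>). It replays Eric's emailed-URL scenario under both settings and also Anthony's caveat about clients behind one NAT. The URL parameter name _userReference, the hostname example.test and the IP addresses are assumptions constructed for the example.

```python
"""Bind a URL-carried session reference to the client's IP.

Added example, not Witango code. Models the two userkey settings from the
thread with a plain in-memory store. The parameter name, host and client
IPs are constructed sample data.
"""
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical name for the URL parameter that carries the session
# reference, standing in for what <@USERREFERENCEARGUMENT> appends.
REF_PARAM = "_userReference"


@dataclass
class Request:
    url: str
    client_ip: str

    def user_reference(self):
        """Pull the session reference out of the query string, if present."""
        return parse_qs(urlsplit(self.url).query).get(REF_PARAM, [None])[0]


@dataclass
class SessionStore:
    """bind_to_ip=False models USERKEY=<@USERREFERENCE>;
    bind_to_ip=True models USERKEY=<@CGIPARAM CLIENT_IP><@USERREFERENCE>."""
    bind_to_ip: bool
    sessions: dict = field(default_factory=dict)

    def user_key(self, request, reference):
        # Key under which the user variables live. Prefixing the client IP
        # means a copied reference only resolves when presented from that IP.
        return (request.client_ip if self.bind_to_ip else "") + reference

    def resolve(self, request):
        """Return (reference, variables); start a fresh session when the
        reference is absent or does not resolve for this client."""
        ref = request.user_reference()
        if ref is not None:
            key = self.user_key(request, ref)
            if key in self.sessions:
                return ref, self.sessions[key]
        ref = secrets.token_hex(16)
        variables = {}
        self.sessions[self.user_key(request, ref)] = variables
        return ref, variables

    def link_with_reference(self, base_url, reference):
        """Equivalent of adding <@USERREFERENCEARGUMENT> to a URL."""
        return base_url + "?" + urlencode({REF_PARAM: reference})


def shared_url_scenario(bind_to_ip, second_ip):
    """Alice (198.51.100.7) gets a session, then emails a URL carrying her
    reference to a second client. Returns True if that client lands in
    Alice's session, i.e. the session was hijacked/shared."""
    store = SessionStore(bind_to_ip=bind_to_ip)
    ref, alice_vars = store.resolve(Request("http://example.test/home", "198.51.100.7"))
    alice_vars["user"] = "alice"
    shared = store.link_with_reference("http://example.test/cart", ref)
    _, other_vars = store.resolve(Request(shared, second_ip))
    return other_vars is alice_vars


if __name__ == "__main__":
    print("unbound key, other IP :", shared_url_scenario(False, "203.0.113.9"))  # True
    print("IP-bound key, other IP:", shared_url_scenario(True, "203.0.113.9"))   # False
    print("IP-bound key, same NAT:", shared_url_scenario(True, "198.51.100.7"))  # True
```

The third case is the NAT limitation from the thread: when two clients present the same source IP, the IP prefix adds nothing and the emailed reference still resolves to the first user's variables.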
