This is what I call session trapping.
If the user ref is sent in the URL, check it against the current user ref in the session. If it's not equal to the same value, then throw the user to a page and force a new session. Clear the user ref and get a new one.

Just an if at the top of all your tafs, and every time the taf gets hit, check for the value. If the value of <@ARG _UserRefs> = <@VAR user$currSessionRef> or <@ARG _UserRefs> is empty, let them go by without an issue. If it's not equal, then throw them somewhere else and make them click an OK button or something with a form that has <input type="hidden" name="_UserRefs" value="<@VAR user$currSessionRef>">. You HAVE to set the currSessionRef before anything happens for the user.

I just never use user refs in the URL. Plain and simple. It's ugly and causes these types of problems. Track the user using a userID or something. That's always unique.

R

Eric Weidl wrote:
| Hi,
|
|> Yeah just don't use <@USERREFERENCEARGUMENT> anywhere, assign it to a
|> user var and check for validity if you need to using that.
|
| That sounds great now.
|
| Unfortunately, there are different users with identical _UserRefs in their bookmarks or what-have-you.
|
| So, part of our solution has to handle the return of users who have created bookmarks with duplicate _UserRefs.
|
| Eric
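The check described above, written out as an added Python example (not Witango code and not from either poster); it stands in for the "if at the top of every taf", and the `Session`, `check_user_ref` and `OK_PAGE` names are assumed for illustration:

```python
import html
import secrets
from dataclasses import dataclass, field


def new_session_ref() -> str:
    # Unguessable replacement for the session's user ref.
    return secrets.token_urlsafe(16)


@dataclass
class Session:
    # Stands in for user$currSessionRef; it must exist before the first check runs.
    curr_session_ref: str = field(default_factory=new_session_ref)


# Hypothetical page with the OK button the post describes.
OK_PAGE = "/session_reset.taf"


def check_user_ref(session: Session, url_args: dict) -> dict:
    """Apply the session-trapping rule from the post to one request.

    Empty or matching _UserRefs: let the request through.
    Mismatch (stale or duplicated bookmark): rotate the session ref and
    send the user to the OK page, whose form carries the new ref.
    """
    sent = url_args.get("_UserRefs", "")
    if sent == "" or sent == session.curr_session_ref:
        return {"action": "allow"}

    # Clear the old ref and get a new one so a shared bookmark ref never
    # lands the visitor in someone else's session.
    session.curr_session_ref = new_session_ref()
    hidden_input = (
        '<input type="hidden" name="_UserRefs" value="%s">'
        % html.escape(session.curr_session_ref, quote=True)
    )
    return {"action": "redirect", "location": OK_PAGE, "hidden_input": hidden_input}


if __name__ == "__main__":
    s = Session()
    print(check_user_ref(s, {}))                                  # allow
    print(check_user_ref(s, {"_UserRefs": "ref-from-old-bookmark"}))  # redirect
    print(check_user_ref(s, {"_UserRefs": s.curr_session_ref}))   # allow again
```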
