Correct me if I am wrong! One easy solution I thought of was to check whether <@CGIPARAM NAME="referer"> is empty in every TAF file. If it is empty, then we can redirect the user to an access denied page.

I might be wrong in giving this solution, but it sounds good to me for the case where another user is trying to access the page directly.

Thanks in advance,

Prasad R
OfficeTiger Database Systems India Pvt. Ltd.
http://www.officetiger.com
mailto:[EMAIL PROTECTED]

Jesse Parker <[EMAIL PROTECTED]> wrote:

> This problem is endemic to all web development tools. There is a way to
> address the problem: certificates and PKI.
>
> By the way, this is like someone buying a ticket to the movies, holding
> the back door open for their friends and then complaining that people
> didn't pay to see the movie. A large bank I worked with examined this
> issue and decided it was not a significant security problem.
>
> On Thu, 12 Sep 2002, Eric Weidl wrote:
>
> > Hi,
> >
> > Has anyone got any solutions for preventing session hijacking in Tango?
> >
> > To handle the possibility of a user having cookies turned off, we've made
> > sure <@USERREFERENCEARGUMENT> is added to every URL. That solution has
> > worked well, until recently.
> >
> > One of our customers copied a URL from the site and emailed it to a number
> > of other people. Now, they are all sharing the same session and user
> > variables.
> >
> > We've always known this could happen but, only with a recent increase in
> > traffic on the site, have two users come in during the same timeframe (and
> > thus stomped on each other's variables).
> >
> > We've got a couple of ideas about how to address the problem, but I'm
> > wondering what other approaches others have taken.
> >
> > Thanks,
> >
> > Eric
> >
> > ________________________________________________________________________
> > TO UNSUBSCRIBE: send a plain text/US ASCII email to [EMAIL PROTECTED]
> > with unsubscribe witango-talk in the message body
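Added example for the thread above; it is not code from the list, from Tango/Witango, or from any of the posters. It simulates in plain Python the situation Eric describes (the session id carried in every URL via <@USERREFERENCEARGUMENT>), applies Prasad's proposed "empty referer means access denied" gate to three requests that all carry the same copied id, and compares it with a lookup that also binds the session to the client that created it. The URL parameter name "_userReference", the site origin, the request fields and the IP plus User-Agent fingerprint are all assumptions made for illustration, not Tango's actual names or behaviour.

```python
# Added example, not code from the witango-talk list or from Tango/Witango.
# Assumptions: URL_SID_PARAM, SITE, the Request/Session shapes and the
# IP + User-Agent fingerprint are invented for illustration.
import hashlib
import secrets
from dataclasses import dataclass, field

SITE = "https://www.example.com"          # assumed site origin
URL_SID_PARAM = "_userReference"          # assumed name of the URL session argument


@dataclass
class Request:
    path: str
    query: dict
    headers: dict
    remote_addr: str


@dataclass
class Session:
    sid: str
    user: str
    client_fp: str                        # fingerprint of the creating client
    vars: dict = field(default_factory=dict)


SESSIONS = {}                             # sid -> Session (server-side store)


def client_fingerprint(req):
    """Assumed binding: hash of client IP and User-Agent.  Both can be forged
    and the IP can change behind proxies, so this raises the bar against a
    copied URL without being a full fix."""
    raw = req.remote_addr + "|" + req.headers.get("User-Agent", "")
    return hashlib.sha256(raw.encode()).hexdigest()


def create_session(user, req):
    """Log-in step: mint an unguessable id and remember who created it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = Session(sid, user, client_fingerprint(req))
    return sid


def referer_present(req):
    """Prasad's gate: <@CGIPARAM NAME="referer"> is the HTTP Referer header."""
    return bool(req.headers.get("Referer", ""))


def lookup_with_referer_gate(req):
    """Session lookup as every TAF would do it under the proposal: deny when
    the referer is empty, otherwise trust the URL-carried id."""
    if not referer_present(req):
        return None                       # redirect to the access-denied page
    return SESSIONS.get(req.query.get(URL_SID_PARAM))


def lookup_with_binding(req):
    """Session lookup that also requires the request to look like the client
    that created the session."""
    sess = SESSIONS.get(req.query.get(URL_SID_PARAM))
    if sess is None or sess.client_fp != client_fingerprint(req):
        return None
    return sess


def demo():
    """Three requests carrying the same copied session id.  Returns which
    lookups accept each one under the two policies."""
    SESSIONS.clear()
    ua = "Mozilla/4.0 (compatible)"
    owner_login = Request("/login.taf", {}, {"User-Agent": ua}, "203.0.113.10")
    sid = create_session("eric", owner_login)

    # The owner follows an in-site link: Referer is set, same client.
    owner = Request("/account.taf", {URL_SID_PARAM: sid},
                    {"User-Agent": ua, "Referer": SITE + "/login.taf"}, "203.0.113.10")
    # A recipient pastes the emailed URL into the address bar: no Referer.
    emailed = Request("/account.taf", {URL_SID_PARAM: sid},
                      {"User-Agent": ua}, "198.51.100.7")
    # The same recipient sets the Referer header by hand (it is client-controlled).
    forged = Request("/account.taf", {URL_SID_PARAM: sid},
                     {"User-Agent": ua, "Referer": SITE + "/account.taf"}, "198.51.100.7")

    cases = {"owner": owner, "emailed": emailed, "forged": forged}
    return {
        "referer_gate": {k: lookup_with_referer_gate(r) is not None for k, r in cases.items()},
        "bound": {k: lookup_with_binding(r) is not None for k, r in cases.items()},
    }


if __name__ == "__main__":
    print(demo())
```

The referer gate does stop the exact case in the thread (a URL pasted from mail arrives with no Referer), but the header is chosen by the client, so anyone who sets it to the site's own origin walks through. The binding check rejects both copies here only because the recipients came from a different address; recipients behind the same proxy with the same browser would still share the session, and neither check replaces keeping the id out of copyable URLs where cookies are available.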
