I have a silly idea that just might work...

What if, instead of passing the user reference argument on the command line,
you put this on all your forms:

<input name=UserReferance type=hidden value="<@USERREFERENCEARGUMENT>">

That way it is still being passed as an argument on every page, except it is
not being passed as a search arg, but as a post arg instead.


----- Original Message -----
From: "Eric Weidl" <[EMAIL PROTECTED]>
To: "Multiple recipients of list witango-talk" <[EMAIL PROTECTED]>
Sent: Thursday, September 12, 2002 8:11 AM
Subject: Witango-Talk: Preventing Session hijacking


> Hi,
>
> Has anyone got any solutions for preventing session hijacking in Tango?
>
> To handle the possibility of a user having cookies turned off, we've made
> sure <@USERREFERENCEARGUMENT> is added to every URL. That solution has
> worked well, until recently.
>
> One of our customers copied a URL from the site and emailed it to a number
> of other people. Now, they are all sharing the same session and user
> variables.
>
> We've always known this could happen, but only with a recent increase in
> traffic on the site have two users come in during the same timeframe (and
> thus stomped on each other's variables).
>
> We've got a couple ideas about how to address the problem, but I'm
> wondering what other approaches others have taken.
>
> Thanks,
>
> Eric
>
> ________________________________________________________________________
> TO UNSUBSCRIBE: send a plain text/US ASCII email to [EMAIL PROTECTED]
>                 with unsubscribe witango-talk in the message body
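
The hidden-field approach suggested in this thread, sketched in Python as an added example (not code from the thread or from Witango): the handler takes the session reference only from the POST body and ignores one found in the URL, so a copied link starts a fresh session. The in-memory session store, the function names and the /shop/cart path are assumptions made for the illustration.

```python
import html
import secrets
from urllib.parse import parse_qs, urlsplit

FIELD = "UserReferance"   # hidden field name as written in the post
SESSIONS = {}             # session reference -> user variables (assumed in-memory store)


def new_session():
    """Create a session with an unguessable reference."""
    ref = secrets.token_hex(16)
    SESSIONS[ref] = {}
    return ref


def resolve_session(method, url, body):
    """Return (session_ref, note); only a POST body may carry the reference."""
    query = parse_qs(urlsplit(url).query)
    if FIELD in query:
        # A reference in the URL can be copied, bookmarked or e-mailed: ignore it.
        return new_session(), "ref-in-url-ignored"
    if method == "POST":
        posted = parse_qs(body).get(FIELD, [""])[0]
        if posted in SESSIONS:
            return posted, "resumed"
    return new_session(), "new"


def render_form(action, ref):
    """Emit the form that carries the reference as a hidden POST argument."""
    return (f'<form method="post" action="{html.escape(action, quote=True)}">'
            f'<input type="hidden" name="{FIELD}" value="{html.escape(ref, quote=True)}">'
            '<input type="submit" value="Next"></form>')


def demo():
    """Constructed scenario: one user posts the form, another opens the shared URL."""
    alice, _ = resolve_session("GET", "/shop/cart", "")
    SESSIONS[alice]["cart"] = ["book"]
    # Alice submits the form: the reference travels in the request body.
    ref, note = resolve_session("POST", "/shop/cart", f"{FIELD}={alice}")
    # Bob opens the URL Alice e-mailed: it carries no reference, so he gets his own session.
    bob, bob_note = resolve_session("GET", "/shop/cart", "")
    return ref == alice, note, bob != alice, bob_note


if __name__ == "__main__":
    print(demo())
```

For this to hold, every page transition that needs the session has to be a form submission rather than a plain link.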
