If you're running a secure application it's a good idea to check the referer on every hit, and if it's not from your site, then purge the user scope and call your login method. This helps to prevent people from hacking your forms and changing values. If your application is structured to use a main .taf or .tml file, or uses a common initialization method, then your code needs to be in one place only. This won't guarantee security by itself, however, as a good hacker can spoof a referer.
Dave.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bill Downall
Sent: Thursday, September 12, 2002 1:37 PM
To: Multiple recipients of list witango-talk
Subject: Re: Witango-Talk: Preventing Session hijacking

I do this most of the time. (Of course, it is helpful to spell UserReference correctly :-)) A page can still be hacked, but the hacker has to view the source, and won't find the arguments in the url history.

Bill

On Thu, 12 Sep 2002 10:14:26 -0700, Atrix Wolfe wrote:
>i have a silly idea that just might work...
>
>what if instead of passing the user reference argument on the command line,
>you put this on all your forms:
>
><input name=UserReferance type=hidden value="<@USERREFERENCEARGUMENT>">
>
>that way it is still being passed as an argument on every page, except it is
>not being passed as a search arg, but as a post arg instead.
>
________________________________________________________________________
TO UNSUBSCRIBE: send a plain text/US ASCII email to [EMAIL PROTECTED] with unsubscribe witango-talk in the message body
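The two checks discussed in this thread, Dave's "purge the user scope and go to login when the referer is not ours" and the hidden UserReference field that Atrix and Bill describe, written out as an added Python example (this is not Witango code and not from any poster; the Session class, host name, field values and the "ok"/"login" return values are constructed for illustration). It parses the Referer as a URL rather than substring-matching it, so a foreign URL that merely contains your host name in its query string or as a subdomain prefix is still treated as foreign, and a missing Referer is treated as foreign too, which is the conservative reading of "if it's not from your site".

```python
from urllib.parse import urlsplit


class Session:
    """Stand-in for the per-user session scope (constructed for this example)."""

    def __init__(self, user_reference="u-1234"):
        self.data = {"user_reference": user_reference}

    def purge(self):
        """Equivalent of purging the user scope before calling the login method."""
        self.data.clear()


def referer_is_local(referer, our_host):
    """True only when the Referer header is an http(s) URL whose host is exactly ours.

    Parsing the URL means 'https://other.example/?q=our.example' and
    'https://our.example.other.example/' are both rejected, where a naive
    substring check would accept them.  An absent or unparsable Referer is
    treated as foreign.
    """
    if not referer:
        return False
    try:
        parsed = urlsplit(referer)
    except ValueError:
        return False
    return parsed.scheme in ("http", "https") and parsed.hostname == our_host.lower()


def reference_matches(form, session):
    """The hidden-field variant: the posted UserReference must equal the one
    stored in the session.  As Bill notes, anyone who views the page source can
    still see the value, so this is a consistency check, not proof of identity.
    """
    return bool(session.data) and form.get("UserReference") == session.data.get("user_reference")


def guard_request(headers, form, session, our_host):
    """Single entry-point check, the kind of thing that lives in a main .taf/.tml
    or common initialisation routine.  Returns "ok" to continue, or "login" after
    purging the session.  Either a foreign referer or a mismatched hidden field
    sends the user back to login.
    """
    if referer_is_local(headers.get("Referer"), our_host) and reference_matches(form, session):
        return "ok"
    session.purge()
    return "login"


if __name__ == "__main__":
    # Constructed sample requests, not real traffic.
    s = Session()
    good = {"Referer": "https://www.example.com/orders.taf"}
    print(guard_request(good, {"UserReference": "u-1234"}, s, "www.example.com"))  # ok
    bad = {"Referer": "https://evil.example/?next=www.example.com"}
    print(guard_request(bad, {"UserReference": "u-1234"}, s, "www.example.com"))   # login
```

Dave's closing caveat still applies: a client that controls its own HTTP stack can set any Referer it likes, so these checks raise the bar against casual form tampering but are not a substitute for server-side authorization on every request.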
