This is a start..... frameset interesting
----- Original Message -----
From: "Ian Daniel" <[EMAIL PROTECTED]>
To: "Multiple recipients of list witango-talk" <[EMAIL PROTECTED]>
Sent: Thursday, September 12, 2002 12:05 PM
Subject: RE: Witango-Talk: Preventing Session hijacking

> Eric:
>
> Assuming that you don't have time to rebuild the entire site, there are a
> couple of things you can do *today* to correct for this. Depending on how
> you architected the site, you can avoid the issue with one very small
> change: make your normal point of entry into your site into a tiny frameset
> of two frames, where the top frame is one pixel high and the main frame is
> what your home page currently is. That one-pixel frame disappears into the
> top of the browser bar and people don't even know they have been "framed."
>
> Except ..
>
> that the URL never changes. This prevents people from bookmarking a URL
> with the UserRef. If it is a site that requires a logon, all they are
> bookmarking is the URL where a user should logon.
>
> This change might not be ideal under all circumstances, such as if you have
> links that open daughter windows, etc., but it might just get you through
> your day.
>
> Now if one of your users has sent the link which you described (c/w user
> reference argument) far and wide, and you are now wondering how to deal with
> it, you might have to write a small snippet to intercept any http call that
> comes in with that specific user reference number, because that user
> reference number has been "ruined," so to speak.
>
> First, purge that user of any variables, as several people might have that
> number, and if one person logs on, thus creating user variables, and another
> comes in while those variables are live, they will inherit them or share
> them, giving unpredictable results. Secondly, send people who arrive on your
> site with that user reference number to the logon page. If you were really
> nice, you'd explain why they were being redirected to logon.
>
> Just ideas ....
> Ian
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Weidl
> Sent: Thursday, September 12, 2002 8:11 AM
> To: Multiple recipients of list witango-talk
> Subject: Witango-Talk: Preventing Session hijacking
>
>
> Hi,
>
> Has anyone got any solutions for preventing session hijacking in Tango?
>
> To handle the possibility of a user having cookies turned off, we've made
> sure <@USERREFERENCEARGUMENT> is added to every URL. That solution has
> worked well, until recently.
>
> One of our customers copied a URL from the site and emailed it to a number
> of other people. Now, they are all sharing the same session and user
> variables.
>
> We've always known this could happen but, only with a recent increase in
> traffic on the site have two users come in during the same timeframe (and
> thus stomped on each other's variables).
>
> We've got a couple ideas about how to address the problem, but I'm
> wondering what other approaches others have taken.
>
> Thanks,
>
> Eric
>
> ________________________________________________________________________
> TO UNSUBSCRIBE: send a plain text/US ASCII email to [EMAIL PROTECTED]
> with unsubscribe witango-talk in the message body
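Ian's intercept-purge-redirect suggestion, written up as an added example that is not Witango code and not from either poster. It assumes the user reference travels in a URL parameter named `_userReference` and that the logon page is `/login.taf` (both placeholders), and it goes one step beyond the thread by binding each reference to the first client that presents it, so a reference shared by mail is detected automatically instead of having to be listed by hand.

```python
# Added example: server-side handling of a session reference carried in the URL.
from dataclasses import dataclass, field
from urllib.parse import urlparse, parse_qs

# Assumption: the parameter emitted by <@USERREFERENCEARGUMENT> is called
# "_userReference"; LOGIN_URL is a placeholder for the site's logon page.
REF_PARAM = "_userReference"
LOGIN_URL = "/login.taf"


@dataclass
class SessionStore:
    variables: dict = field(default_factory=dict)  # ref -> user variables
    owner: dict = field(default_factory=dict)      # ref -> client fingerprint
    ruined: set = field(default_factory=set)       # refs known to be shared

    def purge(self, ref):
        """Drop the user variables and the client binding for a reference."""
        self.variables.pop(ref, None)
        self.owner.pop(ref, None)


def client_fingerprint(remote_addr, user_agent):
    # Heuristic binding: address plus User-Agent of the first client seen.
    return (remote_addr, user_agent)


def handle_request(store, url, remote_addr, user_agent):
    """Return ("redirect", LOGIN_URL) when the reference is ruined or has
    been presented by a second client; otherwise ("ok", ref)."""
    query = parse_qs(urlparse(url).query)
    ref = query.get(REF_PARAM, [None])[0]
    if ref is None:
        return ("ok", None)            # no reference in the URL: nothing to bind
    client = client_fingerprint(remote_addr, user_agent)
    if ref in store.ruined:
        store.purge(ref)               # everyone with this number goes to logon
        return ("redirect", LOGIN_URL)
    bound = store.owner.get(ref)
    if bound is None:
        store.owner[ref] = client      # first use: bind the reference to this client
        return ("ok", ref)
    if bound != client:
        store.ruined.add(ref)          # second client on the same number: leaked
        store.purge(ref)
        return ("redirect", LOGIN_URL)
    return ("ok", ref)
```

The address/User-Agent binding is only a heuristic: users behind the same proxy with the same browser look identical, and a legitimate user whose address changes mid-session is sent back to logon.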
