Anthony mentioned "One way to limit this is to also include the client's IP as part of the userKey, but then those people behind a NAT could still end up sharing a session."
I use a similar method, but I include a timestamp, <@CURRENTTIMESTAMP FORMAT='%Y%m%d%H%M%S'>, when they log on, and I have no problems: unless 2 or more users hit the site at exactly the same second, they will not be sharing sessions. Not sure if this is of any help in your situation, but it's another suggestion....

--- "Anthony M. Humphreys" <[EMAIL PROTECTED]> wrote:
> If you are using Tango's/Witango's <@USERREFERENCE>
> exclusively to track sessions and user variables,
> and you are passing this in the URL with
> <@USERREFERENCEARGUMENT>, then you are allowing
> session hijacking.
>
> One way to limit this is to also include the
> client's IP as part of the userKey, but then those
> people behind a NAT could still end up sharing a
> session.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of
> Eric Weidl
> Sent: Thursday, September 12, 2002 11:11 AM
> To: Multiple recipients of list witango-talk
> Subject: Witango-Talk: Preventing Session hijacking
>
> Hi,
>
> Has anyone got any solutions for preventing session
> hijacking in Tango?
>
> To handle the possibility of a user having cookies
> turned off, we've made sure <@USERREFERENCEARGUMENT>
> is added to every URL. That solution has worked well,
> until recently.
>
> One of our customers copied a URL from the site and
> emailed it to a number of other people. Now, they are
> all sharing the same session and user variables.
>
> We've always known this could happen but, only with a
> recent increase in traffic on the site have two users
> come in during the same timeframe (and thus stomped on
> each other's variables).
>
> We've got a couple ideas about how to address the
> problem, but I'm wondering what other approaches
> others have taken.
>
> Thanks,
>
> Eric
>
> ________________________________________________________________________
> TO UNSUBSCRIBE: send a plain text/US ASCII email to
> [EMAIL PROTECTED]
> with unsubscribe witango-talk in the
> message body
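The three situations discussed in this thread (a user-reference key carried in a URL that gets forwarded by e-mail, the client-IP check with its NAT trade-off, and a per-second timestamp key that collides when two people log in within the same second) modelled in Python as an added example. This is not Witango code and not code from anyone on the list. The URL argument name `_UserReference`, the `.taf` URL, the IP addresses and the login times are all constructed for the example; the store is a toy stand-in for the userKey to user-variables mapping.

```python
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

# Assumed name of the URL argument that <@USERREFERENCEARGUMENT> emits.
USER_REF_ARG = "_UserReference"


@dataclass
class Session:
    owner: str
    client_ip: str
    user_vars: dict = field(default_factory=dict)


def timestamp_key(login_time: float) -> str:
    """Key built the way the reply describes: the login time, to the second.

    Anyone else logging in during that same second gets the same key.
    """
    return time.strftime("%Y%m%d%H%M%S", time.gmtime(login_time))


def random_key() -> str:
    """Alternative: 256 bits from the OS CSPRNG. Accidental collisions and
    guessing are both out of reach, so only the key itself needs protecting."""
    return secrets.token_urlsafe(32)


class SessionStore:
    """Minimal model of a userKey -> user-variables store.

    With bind_ip=True the store records the address that created the session
    and refuses the key from any other address (the IP check from the thread).
    """

    def __init__(self, bind_ip: bool) -> None:
        self.bind_ip = bind_ip
        self._sessions: dict[str, Session] = {}

    def login(self, user: str, client_ip: str, key: str) -> tuple[str, bool]:
        """Create the session. If the key already exists, the new login lands
        on the existing session (the sharing Eric observed).
        Returns (key, collided)."""
        collided = key in self._sessions
        if not collided:
            self._sessions[key] = Session(owner=user, client_ip=client_ip)
        return key, collided

    def lookup(self, key: str, client_ip: str) -> Session | None:
        session = self._sessions.get(key)
        if session is None:
            return None
        if self.bind_ip and session.client_ip != client_ip:
            return None  # key presented from another address: refuse it
        return session


def key_from_url(url: str) -> str | None:
    """Pull the user reference out of a URL, as a recipient's browser would."""
    values = parse_qs(urlparse(url).query).get(USER_REF_ARG)
    return values[0] if values else None


def demo() -> dict[str, bool]:
    """Walk through the cases from the thread. Addresses and times are
    constructed for this example."""
    results: dict[str, bool] = {}

    # 1. Random key, IP-bound store. Alice's URL is forwarded by e-mail.
    store = SessionStore(bind_ip=True)
    key, _ = store.login("alice", "203.0.113.10", random_key())
    forwarded = f"https://example.test/report.taf?{USER_REF_ARG}={key}"
    presented = key_from_url(forwarded)
    # A recipient on a different address is refused.
    results["forwarded_url_rejected"] = store.lookup(presented, "198.51.100.7") is None
    # A colleague behind the same NAT address as Alice looks exactly like
    # Alice to the store, so the session is still shared: the NAT caveat.
    results["nat_peer_accepted"] = store.lookup(presented, "203.0.113.10") is not None

    # 2. Per-second timestamp keys, no IP binding: two logins in one second.
    store2 = SessionStore(bind_ip=False)
    t0 = 1031847060.0  # constructed login time
    _, bob_collided = store2.login("bob", "192.0.2.1", timestamp_key(t0))
    _, carol_collided = store2.login("carol", "192.0.2.2", timestamp_key(t0 + 0.4))
    results["timestamp_keys_collide"] = (bob_collided, carol_collided) == (False, True)

    # 3. Random keys across many logins: no collisions.
    keys = {random_key() for _ in range(10_000)}
    results["random_keys_distinct"] = len(keys) == 10_000
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running `demo()` shows the IP check stopping the forwarded-URL case but not the NAT case, and two logins in the same second landing on one timestamp key. Note also that a timestamp key still travels in the URL that gets forwarded, so it changes who collides by accident, not who can present the key; the random key from `secrets` removes the accidental collisions, and the IP check remains a useful second factor where the NAT trade-off is acceptable.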
