Thank you Roland, I think this is where we all have to be cautious. This thread started with a question about accidental shared sessions and session hijacking.

I think it's great that we are all educating ourselves in the underpinnings of Session Management, but some of the holes in our knowledge are causing us to jump off into some unscientific testing and ambiguous results. Your results, Roland, may be affected by what version of Server you are running, and precisely what is happening in your code. For my part, it is the preliminary results of both Ben and Atrix that led me to my assumption that old or unknown UserReference keys are reused, which is one of the questions I have never asked myself. But I am not the final authority on the subject; I just made an assumption. I'm just trying to learn like everybody else here.

More than anything, I was hoping we could all achieve a greater appreciation of how Session Management works, and how it applies to all of our individual, unique security models. For me, my security works well because I don't rely on <@USERREFERENCEARGUMENT>. But this may not be the case with other security models. Everybody's is different to some degree. Please come to your own conclusions, as we move forward through this learning process together.

---------

Of course, one more comment (with respect to how other web applications are using this same methodology, where most of these other languages also have an argument value as a "backup" to their Session-cookie feature): you don't actually see other developers (in these other languages) using the argument system for Session Management as widely as you see it in Witango programming.

Just my 3 cents, eh.

Cheers....

> -----Original Message-----
> From: Roland Dumas [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, August 06, 2003 3:59 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Witango-Talk: UserReference Findings
>
> On Wednesday, August 6, 2003, at 02:47 PM, Ben Johansen wrote:
>
> > Ok, final findings
> > ...
> >
> > 3. If you DO use <@USERREFERENCEARGUMENT> or any _UserReference (see
> > example 3) in the URL and that UserReference has expired, it will
> > continue on using the value supplied as the new UserReference.
>
> My browser has the predictive URL typing habit. I was typing in the URL
> of a simple builder taf that uses <@USERREFERENCEARGUMENT>. The saved
> URL conveniently has an old userreferenceargument and prompted me to
> use it. I did. I then hit an action in the taf and the next page
> returned had a new fresh <@USERREFERENCEARGUMENT>. Doesn't that
> contradict your finding?
>
> ________________________________________________________________________
> TO UNSUBSCRIBE: Go to http://www.witango.com/maillist.taf
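As an added illustration (not Witango's code and not part of this thread), here is a Python sketch of the two session-resolution behaviours the thread is arguing about: one that adopts an expired or unknown identifier supplied in the URL, as finding 3 describes, and a hardened one that honours only live server-issued tokens and otherwise mints a fresh one. The in-memory store, the 60-second TTL and the token format are assumptions made for this example.

```python
import secrets
import time

SESSION_TTL = 60  # seconds; assumed value for this illustration


class SessionStore:
    """Constructed in-memory session table: token -> expiry timestamp.
    `now` is injectable so expiry can be simulated without sleeping."""

    def __init__(self, now=time.time):
        self.now = now
        self.sessions = {}

    def create(self):
        # Server-issued, unguessable identifier with a fresh expiry.
        token = secrets.token_urlsafe(16)
        self.sessions[token] = self.now() + SESSION_TTL
        return token

    def is_live(self, token):
        expiry = self.sessions.get(token)
        return expiry is not None and expiry > self.now()

    def resolve_permissive(self, supplied):
        """Behaviour finding 3 describes: a live token is reused, but an expired
        or unknown value from the URL is adopted as the new session reference,
        so whoever supplies the URL also chooses the identifier."""
        if supplied and self.is_live(supplied):
            return supplied
        if supplied:
            self.sessions[supplied] = self.now() + SESSION_TTL
            return supplied
        return self.create()

    def resolve_strict(self, supplied):
        """Hardened variant: only a live, server-issued token is honoured;
        anything else (expired, unknown, absent) gets a freshly minted token."""
        if supplied and self.is_live(supplied):
            return supplied
        return self.create()
```

The difference matters for the hijacking question that started the thread: under the permissive rule a stale value pasted from browser history (or anywhere else) silently becomes a valid session, while the strict rule makes every non-live value worthless.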
