oops, forgot to include the html file, here it is (:

----- Original Message -----
From: "Atrix Wolfe" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, August 06, 2003 2:50 PM
Subject: Re: Witango-Talk: RE: Reusing the UserReference key


> Hmm... when I test this with the link like you have below, it assigns it a
> new user ref #.
>
> Was that user ref you tested with a valid user ref on your system, or did
> you edit it to make it invalid?
>
> Also... I noticed a trait of this code: let's say I use a link like the one
> below and it assigns a new user reference #. If I put in another link with
> an invalid user reference number, it picks up the old user ref (I'm assuming
> from the user ref session cookie).
>
> So how I was testing was this:
> 1) I made the attached html file (it assumes your user ref is served from
> 127.0.0.1)
>
> 2) Open up that html file and click the link to get a completely new user ref
> every time
>
> 3) Close all browser windows***, go to 2 (:
>
> Does this jibe with the results you get?
>
> ***: For some reason (I'm sure it makes sense to you, but not to me) if you
> leave a browser window open and only close the userref.taf window, reopen
> the html and click the link, it will give you your first session cookie back
> every time (at least for me on IE), so that's why I say close all browser
> windows.
>
> ----- Original Message -----
> From: "Scott Cadillac" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, August 06, 2003 2:33 PM
> Subject: RE: Witango-Talk: RE: Reusing the UserReference key
>
>
> I think you're very close Atrix,
>
> You've got the right idea, but I believe if the user is hitting the TAF to
> begin with, with something like:
>
> http://www.mydomain.com/userref.taf?_UserReference=F207B47F39DAE223F3167B9
>
> Then your new <@USERREFERENCE> value will still be the old key value, even
> though you are redirecting them on the first step. Which is the problem.
>
> Remember, this key assignment stuff is happening on the very "FIRST" TAF
> request, so it's all done before your file does the Redirect.
>
> But....if your redirect was bouncing them to a non-Witango file (HTML) and
> then back again - a new key should be issued because both the _UserReference
> argument and session-cookie would be missing.
>
> .......
>
>
>
> > -----Original Message-----
> > From: Atrix Wolfe [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, August 06, 2003 3:06 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Witango-Talk: RE: Reusing the UserReference key
> >
> >
> > OK, I think I have a solution to the problem.
> >
> > If you go into this taf with a non-valid user reference, it will assign you
> > a new one. If you keep clicking the link w/ the non-valid user reference,
> > you get a new user ref each time.
> >
> > If you go into this taf with a VALID user ref (by clicking the link on the
> > "Page" part for instance) you keep your user ref as you'd expect.
> >
> > Best part is, it doesn't have to store a domain scope table of valid user
> > references or anything, it just relies on a user scope variable being set
> > for valid users (:
> >
> > Basically how this would work is this construct would go at the top of all of
> > your tafs with the if and else if, and all your code going in the else
> > statement.
> >
> > You can also do something cool like changing where it redirects invalid users
> > so you could make them go to your main page or a timeout page or whatever
> > you want.
> >
> >
> > ----- Original Message -----
> > From: "Ben Johansen" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Wednesday, August 06, 2003 1:53 PM
> > Subject: RE: Witango-Talk: RE: Reusing the UserReference key
> >
> >
> > > Ok, some more here.
> > >
> > > I took the copied address into a text editor and changed the
> > > userreference value manually. I opened a new browser, pasted the address
> > > with the changed key (to simulate user vars timed out)
> > >
> > > And the user variable was blank and no session cookie was created.
> > >
> > > Interesting :-b
> > >
> > > Ben Johansen - http://www.pcforge.com
> > > Authorized Witango Reseller
> > > http://www.pcforge.com/WitangoGoodies.htm
> > > Authorized MDaemon Mail Server Reseller
> > > http://www.pcforge.com/AltN.htm
> > >
> > >
> > > -----Original Message-----
> > > From: Ben Johansen [mailto:[EMAIL PROTECTED]
> > > Sent: Wednesday, August 06, 2003 1:28 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: Witango-Talk: RE: Reusing the UserReference key
> > >
> > > Ok, now I am confused myself :-)
> > > Ok, attached is a new TestAutoCookie.taf
> > >
> > > From page 1 -> page 2 a session cookie is created
> > >
> > > On page 2 there is a new bottom form: enter a value and press "to page 3"
> > > Highlight the address
> > > Close the browser window
> > > Open a new browser window and paste the address
> > >
> > > Your user variable will be there but no session cookie.
> > >
> > > Hmmm...
> > >
> > > Ben Johansen - http://www.pcforge.com
> > > Authorized Witango Reseller
> > > http://www.pcforge.com/WitangoGoodies.htm
> > > Authorized MDaemon Mail Server Reseller
> > > http://www.pcforge.com/AltN.htm
> > >
> > >
> > > -----Original Message-----
> > > From: Scott Cadillac [mailto:[EMAIL PROTECTED]
> > > Sent: Wednesday, August 06, 2003 1:10 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: Witango-Talk: RE: Reusing the UserReference key
> > >
> > > Hi Atrix,
> > >
> > > Just another follow-up on your testing. And sorry, I haven't taken a
> > > look at Ben's code yet.
> > >
> > > But maybe if a _UserReference value is passed to the Server on the first
> > > request - Witango isn't bothering to issue the "Set-Cookie" header, which
> > > would explain why you don't see the cookies in HTTPLook.
> > >
> > > Just another thought from my rambling brain. And I guess I should just
> > > stop rambling and do more actual work, eh :-P
> > >
> > > I'm going to get myself in trouble here...I can just feel it....
> > >
> > >
> > > > -----Original Message-----
> > > > From: Atrix Wolfe [mailto:[EMAIL PROTECTED]
> > > > Sent: Wednesday, August 06, 2003 12:40 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: Re: Witango-Talk: RE: Reusing the UserReference key
> > > >
> > > >
> > > > I tested w/ R:Tango 5 (not sure what build or version number but I know it
> > > > is pre- the latest security patch), Apache 1.3.24 and Windows 2000.
> > > >
> > > > As far as I can see there is no user ref cookie. I'm not sure the name of
> > > > the cookie so I dumped <@varnames scope='cookie'> and it was empty, also
> > > > using HTTPLook I see no cookies (:
> > > >
> > > > Single work station, working locally across 127.0.0.0
> > > >
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Scott Cadillac" <[EMAIL PROTECTED]>
> > > > To: <[EMAIL PROTECTED]>
> > > > Sent: Wednesday, August 06, 2003 11:19 AM
> > > > Subject: Witango-Talk: RE: Reusing the UserReference key
> > > >
> > > >
> > > > > Thank you Atrix,
> > > > >
> > > > > Could you also include what version of Witango you tested with, OS and
> > > > > Webserver brand?
> > > > >
> > > > > In a serious test environment, it would also be good to see what the
> > > > > session-cookie value is in this scenario (should be the same as the
> > > > > UserReference key).
> > > > >
> > > > > I'm sure this has been discussed on the list in the past, but just can't
> > > > > remember the results.
> > > > >
> > > > > Did you use more than one workstation? Just wondering....
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Atrix Wolfe [mailto:[EMAIL PROTECTED]
> > > > > > Sent: Wednesday, August 06, 2003 12:09 PM
> > > > > > To: [EMAIL PROTECTED]
> > > > > > Subject: Re: Reusing the UserReference key (was:
> > > > > > Witango-Talk: what happens with expired userReference?)
> > > > > >
> > > > > >
> > > > > > Well I just tested it.
> > > > > >
> > > > > > I have a .taf with a results html with this in it:
> > > > > >
> > > > > > <a href="<@cgi><@appfile>?<@userreferenceargument>">test!</a><br>
> > > > > >
> > > > > > What I did was create some links to this with edited user refs (to simulate
> > > > > > expired user refs since they aren't currently valid) and yeah, each one used
> > > > > > the linked user ref as its own... meaning if there was a search engine or
> > > > > > something that included the user reference argument in the link, they would
> > > > > > all be using the same session which is no bueno!
> > > > > >
> > > > > > There might be a way to force the client to a new user reference number.
> > > > > >
> > > > > > If so, at every page you can check to see if user$validuser=1. If it
> > > > > > doesn't, force a new user reference number and set user$validuser to 1 so the
> > > > > > first time someone visits your pages, they are forced to get a new user ref
> > > > > > number, which would solve this issue.
> > > > > >
> > > > > > One of many solutions people will present, I'm sure :P
> > > > > >
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "Scott Cadillac" <[EMAIL PROTECTED]>
> > > > > > To: <[EMAIL PROTECTED]>
> > > > > > Sent: Wednesday, August 06, 2003 10:46 AM
> > > > > > Subject: Reusing the UserReference key (was: Witango-Talk:
> > > > > > what happens with
> > > > > > expired userReference?)
> > > > > >
> > > > > >
> > > > > > After sending my post, and thinking about it....
> > > > > >
> > > > > > I suppose my answer is probably not right, that the old UserReference is
> > > > > > reused for a new session.
> > > > > >
> > > > > > In theory, if 10 different people all clicked on the same Search page links,
> > > > > > which all had the same UserReference key value - and the old key IS reused
> > > > > > for the new session(s) - then 10 people could be sharing the same User
> > > > > > variables. Not good.
> > > > > >
> > > > > > Does somebody have a better answer than me?
> > > > > >
> > > > > > Like I mentioned, I don't personally use <@USERREFERENCEARGUMENT> in my apps
> > > > > > and strictly rely on the session-cookie. So the above wouldn't happen to me,
> > > > > > and I don't have an opportunity to test my own answer.
> > > > > >
> > > > > > Any feedback anyone???
> > > > > >
> > > > > > Scott Cadillac,
> > > > > > Witango.org - http://witango.org
> > > > > > 403-281-6090 - [EMAIL PROTECTED]
> > > > > > --
> > > > > > Information for the Witango Developer Community
> > > > > > ---------------------
> > > > > >
> > > > > > XML-Extranet - http://xml-extra.net
> > > > > > 403-281-6090 - [EMAIL PROTECTED]
> > > > > > --
> > > > > > Well-formed Development (for hire)
> > > > > > ---------------------
> > > > > >
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Scott Cadillac [mailto:[EMAIL PROTECTED]
> > > > > > > Sent: Wednesday, August 06, 2003 11:34 AM
> > > > > > > To: [EMAIL PROTECTED]
> > > > > > > Subject: RE: Witango-Talk: what happens with expired userReference?
> > > > > > >
> > > > > > >
> > > > > > > Hi Roland,
> > > > > > >
> > > > > > > As long as the VariableTimeout has expired by the time of the new page
> > > > > > > visitor (with the old link), then the old User Variables are gone - and new
> > > > > > > ones are assigned as needed.
> > > > > > >
> > > > > > > I think, but not 100% sure, that the old UserReference key value in the old
> > > > > > > link is actually reused. This particular question is tough to answer because
> > > > > > > for myself, I don't use <@USERREFERENCEARGUMENT> and just rely on
> > > > > > > session-cookies, which means your scenario would never present itself.
> > > > > > >
> > > > > > > It is when the VariableTimeout period has not expired yet (default 30
> > > > > > > minutes), that a Security issue is introduced where the new visitor can be
> > > > > > > given access to someone else's User Variables. This is known as Session
> > > > > > > Hijacking.
> > > > > > >
> > > > > > > But, with all that said, your scenario I think is less problematic.
> > > > > > >
> > > > > > > Your concern is about when a SearchBot hits your site, and is automatically
> > > > > > > granted a <@USERREFERENCE> key. This key value is then stored as part of
> > > > > > > your site links for a search engine - which is then exposed to anonymous
> > > > > > > users.
> > > > > > >
> > > > > > > In theory the SearchBot is not logging in to secure pages with a password,
> > > > > > > and is typically not trying to do on-line purchases - so I would think there
> > > > > > > is very little to hijack. Especially given the fact that a case for
> > > > > > > hijacking is very remote here.
> > > > > > >
> > > > > > > In theory, in your code, any User Variables you assign to anonymous visitors
> > > > > > > on the public side of your pages are relatively non-critical - which is all
> > > > > > > a SearchBot would be granted, or any other public visitor who has not logged
> > > > > > > in yet.
> > > > > > >
> > > > > > > Of course that is just theory because I don't really know what you're
> > > > > > > assigning your public anonymous visitors, with respect to Variables or your
> > > > > > > VariableTimeout setting.
> > > > > > >
> > > > > > > Hope this helps. Cheers....
> > > > > > >
> > > > > > > Scott Cadillac,
> > > > > > > Witango.org - http://witango.org
> > > > > > > 403-281-6090 - [EMAIL PROTECTED]
> > > > > > > --
> > > > > > > Information for the Witango Developer Community
> > > > > > > ---------------------
> > > > > > >
> > > > > > > XML-Extranet - http://xml-extra.net
> > > > > > > 403-281-6090 - [EMAIL PROTECTED]
> > > > > > > --
> > > > > > > Well-formed Development (for hire)
> > > > > > > ---------------------
> > > > > > >
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Stefan Gonick [mailto:[EMAIL PROTECTED]
> > > > > > > > Sent: Wednesday, August 06, 2003 11:05 AM
> > > > > > > > To: [EMAIL PROTECTED]
> > > > > > > > Subject: Re: Witango-Talk: what happens with expired userReference?
> > > > > > > >
> > > > > > > >
> > > > > > > > I'm pretty sure that the Witango server starts a new
> > > > > > > > user session if the user reference has expired.
> > > > > > > >
> > > > > > > > Stefan
> > > > > > > >
> > > > > > > > At 09:47 AM 8/6/2003 -0700, you wrote:
> > > > > > > > >When you have a project and the company's IT manager personally refuses
> > > > > > > > >cookies, he writes it into the job spec that the site work for people who
> > > > > > > > >hate cookies. Ain't that nice?
> > > > > > > > >
> > > > > > > > >On Wednesday, August 6, 2003, at 09:36 AM, Bill Conlon wrote:
> > > > > > > > >
> > > > > > > > >>Yet another reason to use <@USERREFERENCECOOKIE>
> > > > > > > > >>
> > > > > > > > >>>When a bot cruises through a site and each link has a userReference=xxx
> > > > > > > > >>>URL argument, it stores those along with the stable URL. What happens
> > > > > > > > >>>when someone comes back to that exact URL, userreference and all, after
> > > > > > > > >>>the session variables have expired?
> > > > > > > > >
> > > > > > > >
> > > > > > > > ________________________________________________________________________
> > > > > > > > TO UNSUBSCRIBE: Go to http://www.witango.com/maillist.taf
> > > > > > > >
> > > > > > > > ========================================================
> > > > > > > > Database WebWorks: Dynamic web sites through database integration
> > > > > > > > http://www.DatabaseWebWorks.com
> > > > > > > >
> > > > > > > >
> > > > > >
> > > > >
> > > > >
> > >
> > >
> >
>

invalid user ref!
