Hi Roland,

As long as the VariableTimeout has expired by the time of the new page visitor (with the old link), then the old User Variables are gone - and new ones are assigned as needed.

I think, but not 100% sure, that the old UserReference key value in the old link is actually reused. This particular question is tough to answer because for myself, I don't use <@USERREFERENCEARGUMENT> and just rely on session-cookies, which means your scenario would never present itself.

It is when the VariableTimeout period has not expired yet (default 30 minutes), that a Security issue is introduced where the new visitor can be given access to someone else's User Variables. This is known as Session Hijacking.

But, with all that said, your scenario I think is less problematic. Your concern is about when a SearchBot hits your site, and is automatically granted a <@USERREFERENCE> key. This key value is then stored as part of your site links for a search engine - which is then exposed to anonymous users.

In theory the SearchBot is not logging in to secure pages with a password, and is typically not trying to do on-line purchases - so I would think there is very little to hijack. Especially given the fact that a case for hijacking is very remote here.

In theory, in your code, any User Variables you assign to anonymous visitors on the public side of your pages are relatively non-critical - which is all a SearchBot would be granted, or any other public visitor who has not logged in yet.

Of course that is just theory because I don't really know what you're assigning your public anonymous visitors, with respect to Variables or your VariableTimeout setting.

Hope this helps.

Cheers....
Scott Cadillac,
Witango.org - http://witango.org
403-281-6090 - [EMAIL PROTECTED]
-- Information for the Witango Developer Community
---------------------
XML-Extranet - http://xml-extra.net
403-281-6090 - [EMAIL PROTECTED]
-- Well-formed Development (for hire)
---------------------

> -----Original Message-----
> From: Stefan Gonick [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 06, 2003 11:05 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Witango-Talk: what happens with expired userReference?
>
>
> I'm pretty sure that the Witango server starts a new
> user session if the user reference has expired.
>
> Stefan
>
> At 09:47 AM 8/6/2003 -0700, you wrote:
> >when you have a project and the company's IT manager personally refuses
> >cookies, he writes it into the job spec that the site work for people who
> >hate cookies. ain't that nice?
> >
> >On Wednesday, August 6, 2003, at 09:36 AM, Bill Conlon wrote:
> >
> >>Yet another reason to use <@USERREFERENCECOOKIE>
> >>
> >>>when a bot cruises through a site and each link has a userReference=xxx
> >>>URL argument, it stores those along with the stable URL. What happens
> >>>when someone comes back to that exact URL, userreference and all, after
> >>>the session variables have expired?
> >
> >________________________________________________________________________
> >TO UNSUBSCRIBE: Go to http://www.witango.com/maillist.taf
>
> ========================================================
> Database WebWorks: Dynamic web sites through database integration
> http://www.DatabaseWebWorks.com
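
An added example, not part of the original thread or of Witango itself: a log check for the case discussed above, where a `userReference` URL argument is presented by a second client while the session is still inside the VariableTimeout window. The log format (combined access log), the sliding treatment of the timeout, the IP-plus-User-Agent notion of a "client", and all function names are assumptions; the log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [06/Aug/2003:09:00:00 -0700] "GET /catalog.taf?userReference=AAA111 HTTP/1.0" 200 512 "-" "ExampleBot/1.0"
198.51.100.7 - - [06/Aug/2003:09:12:00 -0700] "GET /catalog.taf?userReference=AAA111 HTTP/1.0" 200 512 "-" "Mozilla/4.0"
192.0.2.10 - - [06/Aug/2003:09:05:00 -0700] "GET /about.taf?userReference=BBB222 HTTP/1.0" 200 300 "-" "ExampleBot/1.0"
203.0.113.5 - - [06/Aug/2003:10:30:00 -0700] "GET /about.taf?userReference=BBB222 HTTP/1.0" 200 300 "-" "Mozilla/4.0"
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"')
REF_RE = re.compile(r'[?&]userReference=([^&\s]+)', re.IGNORECASE)

def parse(line):
    """Return (timestamp, reference, (ip, user_agent)), or None if not relevant."""
    m = LINE_RE.match(line)
    ref = REF_RE.search(m.group(3)) if m else None
    if not ref:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return ts, ref.group(1), (m.group(1), m.group(4))

def find_shared_references(log_text, timeout_minutes=30):
    """Flag references reused by a different client before the timeout lapses."""
    timeout = timedelta(minutes=timeout_minutes)
    events = sorted(filter(None, map(parse, log_text.splitlines())))
    live = {}       # reference -> (client that opened the session, last activity)
    findings = []
    for ts, ref, client in events:
        owner, last = live.get(ref, (None, None))
        if owner is None or ts - last > timeout:
            live[ref] = (client, ts)    # unseen or expired: fresh session
            continue
        if client != owner:             # live session, different client
            findings.append((ref, owner[0], client[0], ts.isoformat()))
        live[ref] = (owner, ts)         # any request keeps the session alive
    return findings

if __name__ == "__main__":
    for finding in find_shared_references(SAMPLE_LOG):
        print(finding)
```

With the default 30-minute window only the first reference is reported; the second is reused 85 minutes later, after the variables would have expired.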
