Indeed.
This is not a theoretical possibility. It happened to us. An external site linked to
us with a URL they had just grabbed from a session, user reference included. Everyone
arriving via the link shared one session on the site. Very embarrassing.
If you are absolutely determined to persevere with user reference in the URL and you
want to prevent this, I believe you will need to regenerate the user reference if
there are no session variables keyed on it. Witango has no command to let you do this,
but if you construct a redirect URL with no userref, and make sure userref cookies are
turned off, it will happen. So the procedure would be as follows:

    if (userref in url)
        if (user$sessionAlive)
            [allow request]
        else
            [redirect to URL without userref]
    else
        assign user$sessionAlive
Like Scott, I'm for session cookies. This has its own challenges, but why make life
hard for yourself.
Regards Simon.
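The procedure Simon describes, as an added Python example that is not part of the thread and not Witango code: a request handler accepts a userref from the URL only when live session variables are keyed on it, otherwise redirects to the same URL without it, so a stale link shared by many visitors gives each of them a fresh session instead of one common session. The SessionStore, handle_request and example.test URL are assumptions standing in for the server's own store and tags.

```python
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
VARIABLE_TIMEOUT = 30 * 60  # seconds; the 30-minute default mentioned in the thread

class SessionStore:
    """In-memory stand-in for the server's user-variable store (assumed, not Witango's API)."""
    def __init__(self, timeout=VARIABLE_TIMEOUT):
        self.timeout = timeout
        self.sessions = {}  # userref -> last-seen time of a live session

    def is_alive(self, userref, now):
        # An unknown userref, or one whose variables have timed out, counts as no session.
        last_seen = self.sessions.get(userref)
        if last_seen is None or now - last_seen > self.timeout:
            self.sessions.pop(userref, None)
            return False
        self.sessions[userref] = now
        return True

    def create(self, now):
        # Fresh unguessable reference: the "assign user$sessionAlive" step of the post.
        userref = secrets.token_urlsafe(16)
        self.sessions[userref] = now
        return userref

def strip_userref(url):
    """Redirect target: the same URL with the userref argument removed."""
    p = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(p.query, keep_blank_values=True) if k != "userref"]
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(query), p.fragment))

def handle_request(store, url, now):
    """Return ('allow', userref) or ('redirect', url_without_userref)."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    userref = params.get("userref")
    if userref is not None:
        if store.is_alive(userref, now):
            return ("allow", userref)            # live session: let the request through
        return ("redirect", strip_userref(url))  # stale or foreign userref: drop it
    return ("allow", store.create(now))          # no userref: start a brand-new session

def visitors_from_shared_link(n, link, now=0.0):
    """Simulate n visitors following one stale link; returns the userrefs they end up with."""
    store = SessionStore()
    refs = set()
    for _ in range(n):
        action, target = handle_request(store, link, now)   # first hop: redirected
        _, ref = handle_request(store, target, now)          # second hop: own session
        refs.add(ref)
    return refs
```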
-----Original Message-----
From: Scott Cadillac [mailto:[EMAIL PROTECTED]
Sent: 06 August 2003 18:46
To: [EMAIL PROTECTED]
Subject: Reusing the UserReference key (was: Witango-Talk: what happens
with expired userReference?)
After sending my post, and thinking about it....
I suppose my answer is probably not right, that the old UserReference is
reused for a new session.
In theory, if 10 different people all clicked on the same Search page links,
which all had the same UserReference key value - and the old key IS reused
for the new session(s) - then 10 people could be sharing the same User
variables. Not good.
Does somebody have a better answer than me?
Like I mentioned, I don't personally use <@USERREFERENCEARGUMENT> in my apps
and strictly rely on the session-cookie. So the above wouldn't happen to me,
and I don't have an opportunity to test my own answer.
Any feedback anyone???
Scott Cadillac,
Witango.org - http://witango.org
403-281-6090 - [EMAIL PROTECTED]
--
Information for the Witango Developer Community
---------------------
XML-Extranet - http://xml-extra.net
403-281-6090 - [EMAIL PROTECTED]
--
Well-formed Development (for hire)
---------------------
> -----Original Message-----
> From: Scott Cadillac [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 06, 2003 11:34 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Witango-Talk: what happens with expired userReference?
>
>
> Hi Roland,
>
> As long as the VariableTimeout has expired by the time of the new page
> visitor (with the old link), then the old User Variables are gone - and new
> ones are assigned as needed.
>
> I think, but not 100% sure, that the old UserReference key value in the old
> link is actually reused. This particular question is tough to answer because
> for myself, I don't use <@USERREFERENCEARGUMENT> and just rely on
> session-cookies, which means your scenario would never present itself.
>
> It is when the VariableTimeout period has not expired yet (default 30
> minutes), that a Security issue is introduced where the new visitor can be
> given access to someone else's User Variables. This is known as Session
> Hijacking.
>
> But, with all that said, your scenario I think is less problematic.
>
> Your concern is about when a SearchBot hits your site, and is automatically
> granted a <@USERREFERENCE> key. This key value is then stored as part of
> your site links for a search engine - which is then exposed to anonymous
> users.
>
> In theory the SearchBot is not logging in to secure pages with a password,
> and is typically not trying to do on-line purchases - so I would think there
> is very little to hijack. Especially given the fact that a case for
> hijacking is very remote here.
>
> In theory, in your code, any User Variables you assign to anonymous visitors
> on the public side of your pages are relatively non-critical - which is all
> a SearchBot would be granted, or any other public visitor who has not logged
> in yet.
>
> Of course that is just theory because I don't really know what you're
> assigning your public anonymous visitors, with respect to Variables or your
> VariableTimeout setting.
>
> Hope this helps. Cheers....
>
>
>
> > -----Original Message-----
> > From: Stefan Gonick [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, August 06, 2003 11:05 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Witango-Talk: what happens with expired userReference?
> >
> >
> > I'm pretty sure that the Witango server starts a new
> > user session if the user reference has expired.
> >
> > Stefan
> >
> > At 09:47 AM 8/6/2003 -0700, you wrote:
> > >when you have a project and the company's IT manager personally refuses
> > >cookies, he writes it into the job spec that the site work for people who
> > >hate cookies. ain't that nice?
> > >
> > >On Wednesday, August 6, 2003, at 09:36 AM, Bill Conlon wrote:
> > >
> > >>Yet another reason to use <@USERREFERENCECOOKIE>
> > >>
> > >>>when a bot cruises through a site and each link has a userReference=xxx
> > >>>URL argument, it stores those along with the stable URL. What happens
> > >>>when someone comes back to that exact URL, userreference and all, after
> > >>>the session variables have expired?
> > >
> > >________________________________________________________________________
> > >TO UNSUBSCRIBE: Go to http://www.witango.com/maillist.taf
> >
> > ========================================================
> > Database WebWorks: Dynamic web sites through database integration
> > http://www.DatabaseWebWorks.com
> >
> >
>
>