Thank you Atrix,

Could you also include what version of Witango you tested with, OS and
Webserver brand?

In a serious test environment, it would also be good to see what the
session-cookie value is in this scenario (should be the same as the
UserReference key).

I'm sure this has been discussed on the list in the past, but just can't
remember the results.

Did you use more than one workstation? Just wondering....


> -----Original Message-----
> From: Atrix Wolfe [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, August 06, 2003 12:09 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Reusing the UserReference key (was: Witango-Talk: what happens with expired userReference?)
> 
> 
> Well, I just tested it.
> 
> I have a .taf with a results html with this in it:
> 
> <a href="<@cgi><@appfile>?<@userreferenceargument>">test!</a><br>
> 
> What I did was create some links to this with edited user refs (to simulate
> expired user refs since they aren't currently valid) and yeah, each one used
> the linked user ref as its own... meaning if there was a search engine or
> something that included the user reference argument in the link, they would
> all be using the same session which is no bueno!
> 
> There might be a way to force the client to a new user reference number.
> 
> If so, at every page you can check to see if user$validuser=1. If it
> doesn't, force a new user reference number and set user$validuser to 1 so the
> first time someone visits your pages, they are forced to get a new user ref
> number, which would solve this issue.
> 
> One of many solutions people will present, I'm sure :P
> 
> 
> ----- Original Message -----
> From: "Scott Cadillac" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, August 06, 2003 10:46 AM
> Subject: Reusing the UserReference key (was: Witango-Talk: what happens with expired userReference?)
> 
> 
> After sending my post, and thinking about it....
> 
> I suppose my answer is probably not right, that the old UserReference is
> reused for a new session.
> 
> In theory, if 10 different people all clicked on the same Search page links,
> which all had the same UserReference key value - and the old key IS reused
> for the new session(s) - then 10 people could be sharing the same User
> variables. Not good.
> 
> Does somebody have a better answer than me?
> 
> Like I mentioned, I don't personally use <@USERREFERENCEARGUMENT> in my apps
> and strictly rely on the session-cookie. So the above wouldn't happen to me,
> and I don't have an opportunity to test my own answer.
> 
> Any feedback anyone???
> 
> Scott Cadillac,
> Witango.org - http://witango.org
> 403-281-6090 - [EMAIL PROTECTED]
> --
> Information for the Witango Developer Community
> ---------------------
> 
> XML-Extranet - http://xml-extra.net
> 403-281-6090 - [EMAIL PROTECTED]
> --
> Well-formed Development (for hire)
> ---------------------
> 
> 
> > -----Original Message-----
> > From: Scott Cadillac [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, August 06, 2003 11:34 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: Witango-Talk: what happens with expired userReference?
> >
> >
> > Hi Roland,
> >
> > As long as the VariableTimeout has expired by the time of the new page
> > visitor (with the old link), then the old User Variables are gone - and new
> > ones are assigned as needed.
> >
> > I think, but not 100% sure, that the old UserReference key value in the old
> > link is actually reused. This particular question is tough to answer because
> > for myself, I don't use <@USERREFERENCEARGUMENT> and just rely on
> > session-cookies, which means your scenario would never present itself.
> >
> > It is when the VariableTimeout period has not expired yet (default 30
> > minutes), that a Security issue is introduced where the new visitor can be
> > given access to someone else's User Variables. This is known as Session
> > Hijacking.
> >
> > But, with all that said, your scenario I think is less problematic.
> >
> > Your concern is about when a SearchBot hits your site, and is automatically
> > granted a <@USERREFERENCE> key. This key value is then stored as part of
> > your site links for a search engine - which is then exposed to anonymous
> > users.
> >
> > In theory the SearchBot is not logging in to secure pages with a password,
> > and is typically not trying to do on-line purchases - so I would think there
> > is very little to hijack. Especially given the fact that a case for
> > hijacking is very remote here.
> >
> > In theory, in your code, any User Variables you assign to anonymous visitors
> > on the public side of your pages are relatively non-critical - which is all
> > a SearchBot would be granted, or any other public visitor who has not logged
> > in yet.
> >
> > Of course that is just theory because I don't really know what you're
> > assigning your public anonymous visitors, with respect to Variables or your
> > VariableTimeout setting.
> >
> > Hope this helps. Cheers....
> >
> > Scott Cadillac,
> > Witango.org - http://witango.org
> > 403-281-6090 - [EMAIL PROTECTED]
> > --
> > Information for the Witango Developer Community
> > ---------------------
> >
> > XML-Extranet - http://xml-extra.net
> > 403-281-6090 - [EMAIL PROTECTED]
> > --
> > Well-formed Development (for hire)
> > ---------------------
> >
> >
> > > -----Original Message-----
> > > From: Stefan Gonick [mailto:[EMAIL PROTECTED]
> > > Sent: Wednesday, August 06, 2003 11:05 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: Witango-Talk: what happens with expired userReference?
> > >
> > >
> > > I'm pretty sure that the Witango server starts a new
> > > user session if the user reference has expired.
> > >
> > > Stefan
> > >
> > > At 09:47 AM 8/6/2003 -0700, you wrote:
> > > >When you have a project and the company's IT manager personally refuses
> > > >cookies, he writes it into the job spec that the site work for people who
> > > >hate cookies. Ain't that nice?
> > > >
> > > >On Wednesday, August 6, 2003, at 09:36 AM, Bill Conlon wrote:
> > > >
> > > >>Yet another reason to use <@USERREFERENCECOOKIE>
> > > >>
> > > >>>When a bot cruises through a site and each link has a userReference=xxx
> > > >>>URL argument, it stores those along with the stable URL. What happens
> > > >>>when someone comes back to that exact URL, userreference and all, after
> > > >>>the session variables have expired?
> > > >
> > > >________________________________________________________________________
> > > >TO UNSUBSCRIBE: Go to http://www.witango.com/maillist.taf
> > >
> > > ========================================================
> > > Database WebWorks: Dynamic web sites through database integration
> > > http://www.DatabaseWebWorks.com
> > >
> >
> 
> 

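The reuse scenario Scott describes and the per-page user$validuser check Atrix proposes, modelled as a toy Python session store. This is an added example, not Witango's own code or anything posted in the thread; the SessionStore class, the function names, the key "abc123" and the timings are constructed for illustration, and only the 30-minute default VariableTimeout comes from the discussion.

```python
import secrets

VARIABLE_TIMEOUT = 30 * 60  # Witango's default VariableTimeout (30 minutes), in seconds

class SessionStore:
    """Toy model of server-side User Variables keyed by a UserReference in the URL."""

    def __init__(self, reuse_client_key):
        self.reuse_client_key = reuse_client_key
        self.sessions = {}  # ref -> {"expires": float, "vars": dict}

    def new(self, ref, now):
        self.sessions[ref] = {"expires": now + VARIABLE_TIMEOUT, "vars": {}}
        return ref

    def resolve(self, client_ref, now):
        # Returns the UserReference this request runs under.
        entry = self.sessions.get(client_ref)
        if entry and entry["expires"] > now:
            return client_ref  # live session: keep it
        if self.reuse_client_key and client_ref:
            # The behaviour the thread worries about: the expired key from the
            # link is adopted as the new session key, so everyone who follows
            # that link lands in one shared set of User Variables.
            return self.new(client_ref, now)
        # Hardened behaviour: never adopt a key the server did not issue or no
        # longer recognises; mint a fresh unguessable one instead.
        return self.new(secrets.token_urlsafe(16), now)

def resolve_with_validuser_check(store, client_ref, now):
    """Atrix's per-page check: if user$validuser is not 1, force a new
    UserReference and set the flag, so a visitor on a reused key gets their own session."""
    ref = store.resolve(client_ref, now)
    if store.sessions[ref]["vars"].get("validuser") != 1:
        ref = store.new(secrets.token_urlsafe(16), now)
        store.sessions[ref]["vars"]["validuser"] = 1
    return ref

def followers_share_session(reuse_client_key, validuser_check=False):
    """Two visitors follow the same crawled link after VariableTimeout; True if they share a session."""
    store = SessionStore(reuse_client_key)
    t0 = 1_000_000.0
    stale_ref = store.new("abc123", t0)  # constructed key issued to the crawler
    later = t0 + VARIABLE_TIMEOUT + 1    # the crawler's session has expired
    lookup = resolve_with_validuser_check if validuser_check else SessionStore.resolve
    a = lookup(store, stale_ref, later)
    b = lookup(store, stale_ref, later)
    return a == b
```

With key reuse on, both visitors land in the same session; with the validuser check layered on top, or with the server refusing to adopt unknown keys, each visitor gets a distinct one.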